Description

One submission and 51,337 reasons to get to it. Cybersecurity is part of our nature and we understand that only by challenging our ways do we get to improve. The Capture Our Flag program is a targeted challenge that leverages Intigriti's core assets: submissions. This ensures our core product is secure at all times, and is a testament to the trust we build with our researchers and to our customers.

Bounties

Tier 2: Up to €51,337

Severity | Score range | Tier 2 bounty
Low | 0.1 - 3.9 | 0
Medium | 4.0 - 6.9 | 0
High | 7.0 - 8.9 | 0
Critical | 9.0 - 9.4 | 25,668
Exceptional | 9.5 - 10.0 | 51,337

Rules of engagement
Required
Not applicable
Not applicable
Not applicable

By participating in this program, you agree to:

  • Respect the Community Code of Conduct
  • Respect the Intigriti Terms and Conditions
  • Respect the scope of the program
  • Not discuss or disclose vulnerability information without prior written consent (including PoCs on YouTube and Vimeo)

Validation times

We will validate all submissions within the timelines below, once your submission has been verified by Intigriti.
Submissions validated outside of these timelines may be awarded a €25 bonus.

Vulnerability Severity | Time to validate
Exceptional | 2 Working days
Critical | 2 Working days

Awarding this bonus remains at the discretion of Intigriti.

Check our fix
We offer a bonus of up to €50 for verifying a resolved issue for us (when requested).
Awarding this bonus remains at the discretion of Intigriti.

Domains

app-pwn.intigriti.rocks | Tier 2 | URL | In scope

Introduction

We believe that a straightforward approach to a target allows researchers to better focus their attention and skills.
For this, we have created our Cybersecurity Awareness Month challenge, with a single target: Submission FLAGPROJECT-MSH5B19R.

The challenge

Exploit a bug (or chain several) within the platform to get access to the submission data of FLAGPROJECT-MSH5B19R.

  • Target submission: FLAGPROJECT-MSH5B19R within the challengeoclock public program on our PWN environment
  • Flag: the flag is located in the Proof of Concept field and has the following format INTIGRITI{xxxx}
  • Severity levels: the challenge consists of 2 severity levels, based on compromise level:
    Severity level | Description
    Exceptional | capture the flag in clear text
    Critical | capture the flag in encrypted form

Rules of the game

This part is very important, as we want the testing to be focused on functional issues, not on tricks:

  • The exploit must work for any submission
  • The issue must be exploitable on our production environment
  • The submission must contain clear step by step written instructions on how to reproduce the issue

Out of scope

General

  • Spam, social engineering and physical intrusion
  • Scenarios that require user interaction
  • Theoretical security issues with no realistic exploit scenario(s) or attack surfaces, or issues that would require complex end user interactions to be exploited
  • Testing on any other environment besides PWN
  • Recently discovered zero-day vulnerabilities found in in-scope assets within 14 days after the public release of a patch or mitigation
  • Attacks requiring physical access to a victim's computer/device or compromised user accounts

Severity assessment

Due to the nature of the challenge, the CVSS vector will not be used. The submissions will be rated by 2 Severity levels:

Severity level | Description
Exceptional | capture the flag in clear text
Critical | capture the flag in encrypted form

FAQ

How do I access the test environment?

In order to access the PWN environment you have to use our VPN.
There are 2 easy steps for that:

  1. Save the attached VPN configuration file and load it in your preferred VPN client.
  2. Connect and log in using your Intigriti researcher e-mail address and password.

How do I get credentials?

We don't offer credentials, but you can create your own researcher account on the PWN environment and start testing.
Feel free to create as many accounts as you need.

Do you provide a company account?

We do not provide company accounts for this program.

intigriti.ovpn
1/11/2024, 2:39:21 PM

Last 90 day response times
avg. time first response: < 4 hours
avg. time to triage: < 4 hours

Activity
2/22: intigriti changed the out of scope
2/22: intigriti closed a submission
2/22: logo created a submission
1/16: intigriti closed a submission
1/16: logo created a submission
1/11: intigriti published a program update
1/11: intigriti changed the faq
10/30: intigriti updated the confidentiality level to public
10/30: intigriti updated the confidentiality level to registered
10/30: intigriti updated the confidentiality level to application