Our promise to you

• We will respond to your report in ultimately two weeks, probably faster!
• We are happy to respond to any questions, please use the button in the right top corner for this.
• We respect the safe harbour clause that you can find below
• We shall not modify, share, copy or re-distribute the undisclosed contents of your submission without your permission.

We are interested to hear about any common configuration flaw or technique that may affect multiple customers.
Qualifying research will earn you access to private programs that could potentially be affected, allowing you to collect 100% of the subsequent bounty earnings.

Research criteria

Submitted research will be qualified based on the following criteria:

• Novelty: the research describes a new or publicly undocumented attack vector
• Prevalence: multiple organisations and common configurations are affected
• Impact: the research described a real-life, non-theorethical risk that would otherwise also qualify for bug bounties
• Accountability: affected companies should be accountable for the introduction of the flaw and for solving it. 0-days will not be considered and should be reported to the responsible vendor.

Every report should include a working self-hosted proof-of-concept or demo.

• Zero-day vulnerabilities in third party software. Please report these to the affected vendor.
• Known exploits, payloads or bypasses
• Web application firewall bypasses

This program follows Intigriti's contextual CVSS standard.

What will happen to my research once submitted?

Every submission will be evaluated by Intigriti's vulnerability assessment team. We will let you know whether your research qualifies within 14 working days. Regardless of our decision, the research remains your intellectual property. Intigriti shall not modify, share, copy or re-distribute the undisclosed contents of your submission without your permission.

What happens if my research gets accepted?

Once your research gets accepted, your personal hacker manager will invite you to private programs we believe may be affected by this vulnerability. You will receive priority status in the invitation queue regardless of your platform statistics or prior track records for the duration of 90 days after your report was accepted.

What happens if your research gets declined?

If your research gets declined for any reason mentioned in the in scope-section, we will not be able to fast-track you in our invitation queue. The reason why your research was declined will be communicated in the report.

What information do I need to provide?

Make sure your report includes the following information:

• A description of the vulnerable context. E.g: a logical flaw that exists if the application processes input from X and Y, a specific configuration that needs to be present, ...
• An impact assessment of the best- and the worst-case scenario
• A working proof-of-concept on a self-hosted environment (where possible)

Are there examples of research that would qualify?

Examples of qualifying research include:

• Ticket trick: https://medium.com/intigriti/how-i-hacked-hundreds-of-companies-through-their-helpdesk-b7680ddc2d4c
• Dependency confusion: https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610
• HTTP/2 Desync Attacks: https://portswigger.net/research/http2