Description

At intigriti, we practice what we preach. We've built the platform with the greatest care and attention to security, but all software contains bugs and we are no exception to this rule. We encourage you to responsibly disclose any security vulnerabilities you may encounter and will reward you accordingly.

Bounties

Tier    Low     Medium   High     Critical   Exceptional   Range
Tier 2  €200    €1,000   €4,000   €8,000     €13,337       €200 - €13,337
Rules of engagement

Guidelines

  • Please do NOT use automatic scanners - be creative and do it yourself! We cannot accept any submissions found by using automatic scanners. Scanners also won't improve your skills, and can cause a high server load (we'd like to put our time into thanking researchers rather than blocking their IPs :-))
  • Please do NOT discuss bugs before they are fixed. You can send us a video as proof of concept, but remember to change its privacy settings to private

Reporting Guidelines

  • Provide detailed but to-the point reproduction steps
  • Include a clear attack scenario. How will this affect us exactly?
  • Remember: quality over quantity!
In scope

Domains

  • *.intigriti.com (Tier 2, URL)
  • *.intigriti.me (Tier 2, URL)

If you would like to report a software bug without a security impact, please report it to letstalk@intigriti.com instead. Please use the test project for all your tests. Refrain from testing against our customers' projects.

Out of scope

Out-of-scope domains

  • *.intigriti.io
  • blog.intigriti.com
  • kb.intigriti.com
  • autodiscover.intigriti.com
  • go.intigriti.com
  • mail.intigriti.com
  • click.intigriti.com
  • welcome.intigriti.com
  • newsletter.intigriti.com
  • careers.intigriti.com
  • swag.intigriti.com
  • t.intigriti.com
  • intigriti.net
  • any intigriti CTF or challenge
  • our hubspot pages (/hs-fs/, /hubfs/, /hs/, /_hcms/, landing/, report/, webinar/, /datasheet, /customer/, /video/...)
  • api.intercom.io
  • status.intigriti.com

You will not receive a reward, and your submission may be rejected, if it is out of scope or falls into one of the following categories:

General

  • Best practices concerns
  • Highly speculative reports about theoretical damage. Be concrete.
  • DDoS or unrealistic Brute Forcing Attacks
  • Denial of service or lockout vulnerabilities, e.g. causing a temporary ban by triggering maliciously crafted requests on the client
  • Username/email/program name enumeration
  • Publicly accessible login panels - These generally have low security impact
  • Reports that state that software is out of date/vulnerable without proven exploitable risks
  • Vulnerabilities as reported by automated tools without additional analysis as to how they're an issue in the context of our tool
  • Physical or social engineering attempts (this includes phishing attacks against employees)
  • Ways to game or cheat the reputation system

Application

  • Clickjacking on non-sensitive pages
  • User enumeration
  • Spamming / annoying other users with emails or notifications
  • CSV injection
  • Missing rate limits
  • Homograph attacks
  • Fingerprinting attacks that do not reveal sensitive information
  • E-mail bombing
  • Attacks that require physical access to a user's device
  • Plain text injection
  • Sessions not deactivated when enabling 2FA
  • Password reset links not expiring
  • Hyperlink takeover

Infrastructure

  • Open ports without an accompanying proof-of-concept demonstrating vulnerability
  • Recently disclosed 0day vulnerabilities in commercial products where no patch or a recent patch (< 2 weeks) is available. We need time to patch our systems just like everyone else - please give us 2 weeks before reporting these types of issues.
  • Weak/expired SSL configurations and SSL/TLS scan reports (this means output from sites such as SSL Labs)

Last 90 day response times

  • avg. time to first response: < 24 hours
  • avg. time to decide: < 16 hours
  • avg. time to triage: < 24 hours