Guidelines

• Please do NOT use automatic scanners - be creative and do it yourself! We cannot accept any - submissions found by using automatic scanners. Scanners also won't improve your skills, and can cause a high server load (we'd like to put our time in thanking researchers rather than blocking their IP's :-))
• Please do NOT discuss bugs before they are fixed. You can send us a video as proof of concept, but remember to change its privacy settings to private

Reporting Guidelines

• Provide detailed but to-the point reproduction steps
• Include a clear attack scenario. How will this affect us exactly?
• Remember: quality over quantity!

If you would like to report a software bug without a security impact, please report to letstalk@intigriti.com instead. Please use the test project for all your tests. Refrain from creating test against our customer's projects.

Out-of-scope domains

• *.intigriti.io
• blog.intigriti.com
• kb.intigriti.com
• autodiscover.intigriti.com
• go.intigriti.com
• mail.intigriti.com
• click.intigriti.com
• welcome.intigriti.com
• newsletter.intigriti.com
• careers.intigriti.com
• swag.intigriti.com
• t.intigriti.com
• intigriti.net
• any intigriti CTF or challenge
• our hubspot pages (/hs-fs/, /hubfs/, /hs/, /_hcms/, landing/, report/, webinar/, /datasheet, /customer/, /video/...)
• api.intercom.io
• status.intigriti.com

You will not receive a reward or your submission might be rejected if they are out of scope or if they are one of the following:

General

• Best practices concerns
• Highly speculative reports about theoretical damage. Be concrete.
• DDoS or unrealistic Brute Forcing Attacks
• Denial of service or lockout vulnerabilities, e.g. causing a temporary ban by triggering maliciously crafted requests on the client
• Username/email/program name enumeration
• Publicly accessible login panels - These generally have low security impact
• Reports that state that software is out of date/vulnerable without proven exploitable risks
• Vulnerabilities as reported by automated tools without additional analysis as to how they're an issue in the context of our tool
• Physical or social engineering attempts (this includes phishing attacks against employees)
• Ways to game or cheat the reputation system

Application

• Clickjacking on non-sensitive pages
• User enumeration
• Spamming / annoying other users with emails or notifications
• CSV injection
• Missing rate limits
• Homograph attacks
• Fingerprinting attacks that do not reveal sensitive information
• E-mail bombing
• Attacks that require physical access to an user's device
• Plain text injection
• Sessions not deactivated when enabling 2FA
• Password reset links not expiring
• Hyperlink takeover

Infrastructure

• Open ports without an accompanying proof-of-concept demonstrating vulnerability
• Recently disclosed 0day vulnerabilities in commercial products where no patch or a recent patch (< 2 weeks) is available. We need time to patch our systems just like everyone else - please give us 2 weeks before reporting these types of issues.
• Weak/expired SSL configurations and SSL/TLS scan reports (this means output from sites such as SSL Labs)