Release 89: Muk
6/2/2025, 5:54:15 AM (about 1 month ago)
6/3/2025, 3:37:03 PM

Hi hunters!

We've cooked together a new release for you, with a couple of exciting changes:

1. CVSS 4.0
A highly requested feature by many of our customers.
Company admins can choose the CVSS standard that is used for the severity assessment of new submissions.
Choosing CVSS 4.0 brings improved granularity in scoring and is better aligned to real-world risk assessment.

2. Design system implementation of Buttons and Labels
You'll notice a new look for our buttons and labels in the platform. This is all part of an ongoing effort to implement a unified design system across the whole application, giving us improved consistency and scalability in future.

3. Removing the 'Batch exports' feature toggle
This doesn't mean the feature itself is gone, but it's now simply always available for everyone.
This feature wasn't subject to any pricing restrictions anymore and was always being enabled for customers.
The feature toggle became redundant so we cleaned it up.

4. Editing and archiving of assets UX improvement
When editing or archiving an asset, company users can now see which programs have that specific asset in scope.
That way they're fully aware of the impact of their changes.

That's all for this week, please reach out to us in case of any questions.
Happy hunting!
Niels

Release 85 & 86
5/8/2025, 12:31:56 PM (2 months ago)

Hello there,

Last week, release 85 went to production and yesterday 86 went live. You read that correctly, we are now working on a weekly release cadence!

Release 85: Dodrio

Industries - on Companies, Programs and Researcher Profiles

We're introducing the concept of industries to companies and programs. The industry information will be available to researchers so they can better filter for programs that will interest them. Researchers can now also choose the industries they're interested in on their preferences page. If they already provided this information during the researcher onboarding questionnaire, the data will be automatically filled in. By adding industries for both the researchers and programs, we'll be able to start recommending programs to researchers based on this information. More on that below...

AI - Out of scope Detection

This new model uses the scoping rules from the program details, together with the submission contents, to determine if a submission is out-of-scope or not, as well as show the rule that matched from the out of scope description. This data will be available in the triage assist box immediately after submission creation.

AI - Title Suggestion

We're running a new AI model that can generate a suggestion for the company title of a submission. The model understands the triage guidelines for writing this title and will help save our triage team time when handling submissions. This model works on demand (i.e. when a user requests it), and will always be based on the latest submission details.

AI - Endpoint / Vulnerable Component Suggestion

Similar to the company title suggestion, this new model can generate a suggestion for the 'endpoint / vulnerable component' field of a submission. This model also works on demand and uses the most up-to-date submission details.

More

  • Technical Improvement: Removing Minio from our tech stack.
  • Changes to the registration page: With some tactical copy changes, we aim to reduce the chance of a company user accidentally registering as a researcher account.
  • Program template update: The 'Severity Assessment' section will now correctly reference our new Intigriti Triage Standards by default.

Release 86: Seel

Researcher Program Recommendations

We're now using industry information to recommend relevant programs to researchers on their dashboard, based on the industries the user has specified in their preferences. This new feature also comes with a nice redesign of the program cards on the dashboard!

Making Informative Submissions Neutral

We've introduced a neutral close reason for informative submissions to improve the accuracy and fairness of researcher evaluations. Until now, our platform categorized close reasons as either positive or negative. Informative used to be classified as positive, which unintentionally inflated researchers’ validity ratios with submissions that didn't always provide value.

Important detail - The change to the Informative close reason only affects submissions that are closed as informative after the release of this morning. We have not recalculated the existing validity ratio of our researchers.

Happy hacking,

Rein

Release 84: Doduo
4/14/2025, 8:35:26 AM (3 months ago)

Hello hackers!

There was a new production release last week, here's what went live:

AI Triage Assist - Similar Submissions

Based on feedback from the triage team, we have implemented functionality similar to dupe detection, but specifically targeting submissions that are Resolved or Negatively Rejected (e.g. Out-of-Scope, Spam, Not Applicable). A new table now lists similar submissions with those close reasons, along with insights into their similarities.

Updates to the LoA and Pentest Report

At the request of the solutions engineering team, we made some changes to the Letter of Attestation and Pentest Report exports in the platform. The most important is the addition of pentest checklist items for completed comprehensive pentests.

Advanced Search on the submission overview

When using the text search on the submission overview, you can now choose which items of a submission you want to search on (e.g. Title, Internal Reference, Submission Code, ...). This will make it easier for our customers to find the right submissions.

AI Architecture - Amazon Bedrock Migration

We have migrated our LLM deployment to Amazon Bedrock, a new AWS service for serving Large Language Models. This change enables us to leverage state-of-the-art models with a pay-per-use model, which supports better scalability and faster iteration. Ultimately, this allows us to build and improve AI-powered tools more efficiently and deliver more impact.

Happy hacking,

Rein

Release 83: Farfetch'd
3/24/2025, 9:24:49 AM (4 months ago)

Hello hackers!

Here's an overview of everything that went to production last week:

Custom Bounties in the Company API

A few months ago we added the option to award custom bounties through the platform. To better fit the workflow of some of our bigger customers, we've now also added the option to override the bounty when accepting a submission through our company external API.

Addition of 4th and 5th bounty tiers

These new tiers offer customers greater flexibility to customize their programs based on varying levels of asset importance, complexity, and maturity.

Submission Summarization Feedback for Triage

Triage users are now able to approve or reject a submission summary. This data is used purely for data gathering and tracking the model's performance. The approval or rejection does not impact anything within the platform at the moment.

What's next for AI? - Similar Submissions! At the request of triage we will be implementing something similar to dupe detection but for Resolved or Negatively Rejected (Out-of-scope, Spam, Not Applicable) submissions.

Researcher Onboarding

When new researchers sign up to the platform, they will no longer just land straight on the dashboard, but they'll get an onboarding allowing them to provide more information about themselves and to personalize the platform to their preferences.

Pentesting Checklists

Customers can now ask researchers to complete a web app testing checklist when performing their pentest. This ensures they follow a more structured flow and it opens the door to be able to run accredited pentests in future.

Improvements and upgrades

There were also some smaller improvements to note:

  • Enhancements to our Markdown editor
  • Improvements to the credentials upload functionality so the order of credentials is maintained in the platform
  • Technical upgrades and bug fixes

In other words, a lot of new scope to test!

Happy hacking,

Rein

Release 82: Magneton
2/28/2025, 1:21:36 PM (4 months ago)

Hello hackers,

This week, some new features were pushed to production!

Engagement Logs

This is an addition to the 'Active researchers' feature, allowing researchers to share data on how much time they spent hunting on the domains of a program. Submitting engagement logs will allow a researcher to get insights into where other researchers have been spending their time.

Slack integration for the Triage team

Each validated critical or exceptional submission will be posted to an internal Slack channel (excluding sensitive information of course). This allows our CSM to follow up on these more closely. Previously, this was done manually by triage.

IP Lookup improvements

Triage users could already see the users associated with an IP address. Starting today they can also get information on when we last saw this IP address being used. This will help us get in contact with the right researchers in case mediation is required.

Happy hacking,

Rein

Release 81: Magnemite
2/6/2025, 9:53:57 AM (5 months ago)

Hey Hackers!

We’ve just pushed another update to production, and here’s what’s new:

  • Back-end sorting, filtering and pagination - Bringing a much needed performance boost to the submission overview page.
  • .NET upgrade - Staying up to date on the latest technology, the platform made the switch from .NET 8 to .NET 9.
  • Various bugfixes - 14 known bugs were fixed this iteration.
  • Full screen inline images - You can now open images in full-screen mode on the platform; give them a click to view an enlarged version.

Feel the urge to test these features? Check out our PWN environment and put these updates to the test!

Cheers,

Rein

🚨 Important Update: Domain Change Notification 🚨
2/5/2025, 1:36:58 PM (5 months ago)

We’ve updated the domain structure for our application to improve security and consistency.

What’s changing? Do you see the difference 👀

Old Domain: app-pwn.intigriti.rocks
New Domain: app.pwn.intigriti.rocks

This change applies to all subdomains as well. For example:

api-pwn.intigriti.rocks → api.pwn.intigriti.rocks

What do you need to do?

Update scripts, API calls, or integrations pointing to the old domain.

Why this change?

Enhanced security and better domain management.
Consistent structure for future growth.

If you encounter any issues, please reach out to our support team. Thanks for your understanding!

Release 80: Slowbro
1/27/2025, 11:00:47 AM (5 months ago)

Hey all!

We’re excited to share what’s new with Sprint 80!

Program budget notifications

Company admins can configure a limit if they wish to be notified when their program budget falls below a certain threshold. Ideal for when companies want a heads-up before their program automatically suspends. More information on how the low budget notification works can be found on the Knowledge base.

Edit and delete message improvements

For a while now, users have always been able to edit and remove internal and external messages on submissions. Now they can also do the same for messages that are placed as part of a severity or status change, offering our users more flexibility in their communication.

Delete hybrid program drafts

Of course we love to see programs launch. Unfortunately, mistakes happen and sometimes programs are created when they shouldn't be. The platform has supported deleting bug bounty drafts for a while. From now on, this can also be done for hybrid programs. This helps us keep the platform clean and remove any unwanted data.

As always, we’ve made sure all systems and components are up-to-date, squashed a couple bugs and made some performance upgrades!

Happy hacking,
Rein

OVPN file update 2025
1/27/2025, 9:51:47 AM (5 months ago)

Hi everyone,

A new year, a new ovpn file. We have updated the ovpn file in the FAQ section. To access the pwn environment, you will need to use this new ovpn file to connect to the VPN.

Happy hunting!
Arne

Release 79: Slowpoke
1/8/2025, 10:32:01 AM (6 months ago)

Hello there,

Over the holiday period, sprint 79 was released to production, introducing some new features to our platform!

Custom fields

Companies can add custom fields to their programs if this feature is enabled. These fields will be displayed on relevant submissions and can be edited by program members (excluding read-only roles), offering more flexibility and control.

Custom bounties

The ability to set a custom bounty has been introduced. More information regarding this feature can be found here.

AI features

We have implemented two AI features to support our triage team during submission validation:

  • Submission Summarization
  • Duplicate Detection

Thank you for being part of our community, and Happy New Year!

Best regards,
Rein