Release 66: Machop
3/27/2024, 10:57:56 AM (2 days ago)

Greetings everyone,

Today we've released a couple of very exciting platform improvements:

On the researcher side, we have the following improvements:

  • Enhanced Search & Sorting for Researcher API:
    • We added 'program status changed' as an event, to simplify the tracking of status changes on programs. Test it out here
    • We added the 'detail' property to the researcher/programs and researcher/programs/{programId} responses, which contains the URL to the program details
    • Added the 'following' query parameter to GET /researcher/v1.0/program/activities, so activity can be tracked only on the programs you follow.
  • New program filtering and sorting options
    • filtering on domain type
    • sorting on last accepted invite
    • filtering on Bounty per Severity
    • currency filters

On the company side, we released:

  • A brand new reporting engine that automatically generates the Pentest reports as a .docx file. This feature is only available to triage accounts.
  • Some small UX/UI improvements like a clearer distinction between different vulnerability types on the statistics page, by adding the CWE code.

Bug fixes and application upgrades

This one you know by now. Out with the old, in with the new.
We ensured all systems and components are up to date and added some small bug fixes.

Release 65: Alakazam
3/6/2024, 12:14:09 PM (23 days ago)

Hi hunters,

As Alakazam holds two spoons to ward off any enemies telepathically, this week's release holds the following changes:

1. Add and remove collaborators by triage

Only triage users can now remove (and add) collaborators to a submission after it's been created.
This ensures that no collaborators are added to submissions without their approval, and can be impacted by the status of the submission.

2. Custom filter for company members

We added a filter option 'Show deactivated users' to the program and the company members grid to filter out deactivated accounts.
This will help company admins to more easily manage their users.

3. Bug fixes and application upgrades

This one you know by now. Out with the old, in with the new.
We ensured all systems and components are up to date and added some small bug fixes.

Happy hunting!
Regards,
Niels

Release 64: Kadabra
2/14/2024, 8:16:04 AM (about 1 month ago)
2/14/2024, 11:56:45 AM

Hi everyone,

This week's release brings the following changes:

1. Researcher API

  • We added the 'following' and 'detail' properties to the response of the following API endpoints:
      GET /researcher/v1.0/program/{programId}
      GET /researcher/v1.0/program
  • Added the 'following' property as a query parameter for the following endpoints:
      GET /researcher/v1.0/program/activities
      GET /researcher/v1.0/program

2. Intigriti API

A new endpoint has been added to the Intigriti API to allow submission domain updates:

PUT /company/v2.0/submissions/{submissionCode}/domain
PUT /company/v2.1/submissions/{submissionCode}/domain

3. Markdown editor

Now you are able to copy/paste and drop/drag images and gifs in the markdown editor.

4. Security fixes

We have released fixes for several vulnerabilities and functional issues.
Amongst these, we want to highlight a rework of our HTTPClient, to prevent further SSRF issues and a server-side path traversal vulnerability.
We also redesigned the Jira nonce check, to fix a CSRF vulnerability.
We released a "hot-fix" for WebSockets. Due to a lack of origin validation, it was possible to start WebSocket connections from intigriti subdomains.
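The WebSocket fix above is about validating the Origin header on the handshake. As an added illustration (not Intigriti's code; the allow-list and example.com host names are constructed placeholders), this contrasts a suffix-match check, which lets any subdomain or lookalike host through, with an exact-match check against an allow-list of normalized origins:

```python
# Added example, not Intigriti's code: exact-match WebSocket Origin validation.
# The allow-list and host names are constructed placeholders.
from typing import Optional
from urllib.parse import urlsplit

ALLOWED_ORIGINS = {"https://app.example.com"}  # constructed allow-list


def naive_origin_check(origin: str) -> bool:
    """Weak check: a suffix match on the host accepts every subdomain and lookalikes."""
    host = urlsplit(origin).hostname or ""
    return host.endswith("example.com")


def normalize_origin(origin: str) -> Optional[str]:
    """Return 'scheme://host[:port]' with the default port dropped, or None if unusable."""
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    # An Origin header carries no path, query, fragment or credentials; reject extras.
    if parts.path or parts.query or parts.fragment or parts.username:
        return None
    try:
        port = parts.port
    except ValueError:  # non-numeric or out-of-range port
        return None
    default = 443 if parts.scheme == "https" else 80
    host = parts.hostname.lower()
    if port is None or port == default:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def strict_origin_check(origin: Optional[str]) -> bool:
    """Accept only an Origin that exactly matches an allow-listed origin.
    A missing or 'null' Origin is rejected: browsers always send it on the handshake."""
    if origin is None:
        return False
    norm = normalize_origin(origin.strip())
    return norm is not None and norm in ALLOWED_ORIGINS


def should_accept_handshake(headers: dict) -> bool:
    """Decision point for the HTTP Upgrade request; header names are case-insensitive."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return strict_origin_check(lowered.get("origin"))
```

The same check belongs next to CSRF-style defences: a WebSocket handshake carries cookies automatically, so the server-side origin allow-list is what stops a page on another host from opening an authenticated socket.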

5. Bug fixes and application upgrades

This one you know by now. Out with the old, in with the new.
We ensured all systems and components are up to date and fixed some small bugs.

Happy hunting,
Cristina

Release 63: Abra
1/24/2024, 8:58:38 AM (2 months ago)
1/24/2024, 10:47:09 AM

Greetings everyone,

I will start this update with a Michael Scott quote that acts as my motto: "And I knew exactly what to do. But in a much more real sense, I had no idea what to do."
With the unrequested joke out of the way, we have some interesting changes with the latest release:

1. MCA - Multi Company Access

This new feature allows companies to have a holding-subsidiary relationship, where users from the holding company have access to information of their subsidiaries.
Once the feature is enabled, a company becomes a holding and subsidiaries can be added.

2. Intigriti API

A new endpoint has been added to the Intigriti API to allow CVSS vector updates:

PUT /company/v2.0/submissions/{submissionCode}/severity
PUT /company/v2.1/submissions/{submissionCode}/severity

Severity score is now exposed in the Intigriti API via the following endpoints:

GET submissions
GET submissions/{submissionCode}
GET submissions/{submissionCode}/events

3. Security fix for client-side path traversal

A researcher discovered a client-side path traversal vulnerability in the Slack integration functionality. This issue has been fixed.

4. Bug fixes and application upgrades

This one you know by now. Out with the old, in with the new.
We ensured all systems and components are up to date and fixed some small bugs.

Happy hunting,
Cristina

OVPN file update
1/11/2024, 2:40:30 PM (3 months ago)

Hi everyone,

We have updated the intigriti.ovpn file in the FAQ section. To access the pwn environment, you will need to use this new ovpn file to connect to the VPN.

Happy hunting!
Arne

Release 62: Poliwrath
1/10/2024, 7:19:58 AM (3 months ago)

Greetings hunters!

While everyone is recovering from that wonderful New Year's party, our developers have already been hard at work pushing through some much needed changes.

  1. Message templates for companies
    Companies sometimes need to reinvent the wheel to communicate to both researchers and triage.
    This helps them a bit by allowing them to predefine message templates.

  2. Edit company SSO settings whilst it is active
    A company can now edit its platform Single Sign-On (SSO) settings whilst the SSO integration stays active.

  3. Researcher API
    Bazooka! We now send email notifications whenever a Personal Access Token (PAT) action is performed, such as adding or removing.

  4. Add submission title to Slack notifications
    You know that nifty Slack integration? It now also mentions the submission title so you know what you're talking about.

  5. Add data to CSV export
    CSV exports for submissions now contain collaborators and timestamps.

  6. Application upgrades
    Application & infrastructure versions have been updated to the latest versions.

  7. Security fix for large image uploads
    A researcher was able to trigger a Denial-of-Service vulnerability on our image conversion backend by abusing the metadata size.
    This has now been resolved.
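Item 7 above describes a conversion backend that was tied up by oversized image metadata. As an added illustration (not Intigriti's code; the 64 KiB cap and the sample files are constructed, and which image format was involved is an assumption), this walks the marker segments of a JPEG header and totals the declared APPn/COM metadata so an upload can be rejected before any decoding work is done:

```python
# Added example, not Intigriti's code: bound JPEG metadata before image conversion.
# The 64 KiB cap and the sample files are constructed for this illustration.
import struct

MAX_METADATA_BYTES = 64 * 1024
SOS, EOI = 0xDA, 0xD9


def jpeg_metadata_size(data: bytes) -> int:
    """Sum the declared sizes of APPn (0xE0-0xEF) and COM (0xFE) segments up to SOS.
    Walks marker segments only; raises ValueError when a declared length runs past
    the end of the data, so truncated or lying headers are rejected, not processed."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos, total = 2, 0
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xFF:  # fill byte, skip
            pos += 1
            continue
        if marker in (SOS, EOI):  # entropy-coded data starts; metadata is done
            break
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])  # length includes itself
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError("segment length exceeds available data")
        if 0xE0 <= marker <= 0xEF or marker == 0xFE:
            total += length
        pos += 2 + length
    return total


def metadata_within_limit(data: bytes, limit: int = MAX_METADATA_BYTES) -> bool:
    """Gate to run before handing the upload to the conversion backend."""
    try:
        return jpeg_metadata_size(data) <= limit
    except ValueError:
        return False


def build_jpeg(app1_payloads) -> bytes:
    """Constructed minimal JPEG header: SOI, the given APP1 segments, then SOS."""
    out = b"\xff\xd8"
    for payload in app1_payloads:
        out += b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    return out + b"\xff\xda"
```

Because a single segment is capped at 65,535 bytes by its two-byte length field, the check totals across segments rather than looking at any one of them.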

Happy hunting!
Regards,
Niels

Release 61: Poliwhirl
12/6/2023, 8:33:02 AM (4 months ago)
12/6/2023, 9:33:32 AM

Greetings everyone,

The holiday season is upon us and thus we are sleighing towards more seasonal (not better) jokes: What do you call Santa’s little helpers? Subordinate clauses.

As always, with that out of the way, we have exciting news to share:

1. Researcher API

The Intigriti Researcher API is here to help you streamline your processes; more specifically, it allows you to query information about programs and program activities.
More details can be found in our KB article.

The following endpoints are new and shiny:

  • /v1/programs
  • /v1/programs/{programId}
  • /v1/programs/activities
  • /v1/programs/{programId}/domains/{versionId}
  • /v1/programs/{programId}/rules-of-engagements/{versionId}

These endpoints and the entire feature are now in scope and will be available for testing starting tomorrow, on our beautiful PWN environment.

2. Bug fixes and application upgrades

This one you know by now. Out with the old, in with the new.
We ensured all systems and components are up to date and fixed some small bugs.

Happy hunting,
Cristina

Capture Our Flag
10/30/2023, 1:09:29 PM (5 months ago)

Hello hunters,

It is Cybersecurity Awareness Month! Bring out your party hats and bar bikes, because we have exciting news:

Flag Challenge: one submission and 51,337 reasons to get to it. (my slogan satchel is depleting).

We have launched a public challenge via the Capture Our Flag program.
The gist of it? If anyone is able to get the clear text or encrypted flag, located in the Proof of Concept section of the FLAGPROJECT-MSH5B19R submission, they get a "spooky" Halloween bonus.

All the details can be found on the Capture Our Flag program, please read them carefully.

Happy hunting,
The Intigriti team

Release 59: Arcanine
10/25/2023, 9:36:03 AM (5 months ago)

Greetings,

I know I already tackled Halloween in the "funny" section of the last update, but bear with me. This is the best I could come up with: What do you call a skeleton with no friends? Bonely.

Moving on to more exciting things, it's release time:

1. Implement the Backend For Frontend (BFF) authentication system

This implies major changes in our authentication process, "re-architected it" (as a great mind once said) - converting from tokens to cookies, changing our OIDC sign-in flow and many more improvements under the hood.
If you wonder what the BFF is, we will spare you the "It's not your Best Friend for Life" joke. You can read more about it here.

This change aims to improve our security posture, and we are excited for you all to test it.

2. Bug fixes and application upgrades

We ensured all systems and components are up to date and fixed some small bugs.

We wish you happy hunting,
Cristina

Release 58: Growlithe
10/9/2023, 10:05:53 AM (6 months ago)

Greetings,

The spooky season is upon us, so let's start with a pretty bad joke: What do you call two witches living together? Broommates.

With that out of the way, we have exciting news to share with you:

1. Researcher certifications

We decided to add certifications in the public profiles, allowing all researchers to showcase their expertise and professional accomplishments.
Easily managed from the Preferences, you can add all your certifications, with all necessary details and they will be visible on your public profile.

2. Application upgrades and small bug fixes

We ensured all systems and components are up to date and fixed some small bugs.

Happy hunting and haunting 😶‍🌫️
The Intigriti team