Description

The Zero Day Bug Bounty aims to incentivize security researchers to report newly discovered or undisclosed vulnerabilities that impact us or at least one of our customers, after those vulnerabilities have been reported to the affected vendor. By participating in this program, researchers help us give our customers early warning of potential security threats and earn monetary rewards for their efforts without having to wait for the cool-down submission period to expire.

Bounties

Severity (CVSS range)      Tier 2 bounty (EUR)
Low (0.1 - 3.9)            0
Medium (4.0 - 6.9)         0
High (7.0 - 8.9)           0
Critical (9.0 - 9.4)       2,000
Exceptional (9.5 - 10.0)   3,000

Tier 2: up to €3,000
Rules of engagement

By participating in this program, you agree to:

  • Respect the Community Code of Conduct
  • Respect the Intigriti Terms and Conditions
  • Respect the scope of the program
  • Not discuss or disclose vulnerability information without prior written consent (including PoCs on YouTube and Vimeo)
Domains

Asset: Zero days that affect Intigriti or participating customers (listed below)
Type: Other
Tier: Tier 2
Status: In scope

Introduction

At Intigriti, we recognize the value that ethical zero-day researchers bring to the cybersecurity industry. Their discoveries enable organizations to protect themselves before any damage is done. However, incentivizing the disclosure of zero-day vulnerabilities to third parties before they have been disclosed to the vendor may increase the risk of active exploitation.

To strike a balance between the benefits of early warnings and responsible disclosure, we are proud to announce the launch of the Intigriti Zero Day Bug Bounty Program. Our program aims to incentivize security researchers to report newly discovered or undisclosed vulnerabilities that impact at least one of our customers while ensuring responsible disclosure to the vendor. By participating in this program, ethical researchers can help us provide early warning to our customers about potential security threats and earn monetary rewards for their efforts.

Bounty eligibility criteria

  • The vulnerability should occur in an in-scope asset hosted by the affected Intigriti customer.
    Cloud-based vulnerabilities should be reported directly to the vendor.
  • The vulnerability must be new and occur in the latest version of the product.
  • The vulnerability details must not be publicly disclosed.
  • The vulnerability must be exploitable in a (near) default configuration or preset.
  • The vulnerability must affect at least one participating Intigriti customer.
  • The vulnerability must be present in widely used software set-ups. Some examples:
    • At least 5,000 GitHub stars
    • OR at least 10,000 active users or installs
    • OR significant press coverage
  • The submission should include a hot-fix or a workaround that allows our customer(s) to mitigate the risk without disabling the service until an official patch is released.
  • The submission should include a working proof-of-concept.

Severity assessments

All severity assessments will follow the CVSSv3 scoring system. Note that during the beta phase of this program, only zero-days with a CVSS score of 9 or more will be accepted.

Process

Before you create your submission, you must inform the vendor responsible for issuing the patch.
When a vulnerability is submitted to the Intigriti Zero Day Bug Bounty Program, we review the submission to ensure that it meets our eligibility criteria. Once a vulnerability is confirmed eligible, we inform participating customers of its existence if we have reason to believe they may be affected. By default we share only an impact analysis and mitigation steps with them; the proof-of-concept is shared only when deemed necessary. Intigriti reserves the right to share your report with the affected vendor and customers, regardless of whether it meets the bounty eligibility criteria.

The payout will be issued after the vendor releases a patch.

Out of scope
  • Zero-days that have not been reported to the vendor
  • Publicly disclosed zero-days
  • Zero-days in cloud-hosted environments provided by the affected vendor
  • All vulnerability reports that do not meet the eligibility criteria listed above
Severity assessment

This program follows Intigriti's contextual CVSS standard.

FAQ

How do I know whether an Intigriti customer is participating in the Zero-day Incentive Program?

All participating Intigriti customers will have a link to this program in their program guidelines. When in doubt, use the "Ask a scope question" button on the program page.

What if the software also has a responsible disclosure or bug bounty program?

If the software has a responsible disclosure or bug bounty program, we encourage researchers to follow their guidelines and report the vulnerability directly to the vendor. If the researcher chooses to submit the vulnerability to the Intigriti Zero Day Bug Bounty Program, we will notify the vendor of the vulnerability to ensure responsible disclosure. Please note that your research should not violate any local laws and that we cannot authorise tests on third-party services.

What information do I have to provide?

Please include the following information in your report:

  1. Affected software
  2. Affected software version
  3. Number of software installs or users (optional)
  4. Affected Intigriti customer(s)
  5. Proof of concept
  6. Disclosure timeline
  • When did you report this to the vendor?
  • What communication channels did you use to contact them?

What if the zero-day vulnerability affects multiple customers, endpoints, configurations or versions?

The Zero-day Incentive Bounty Program issues only one payout per vulnerability. This includes bypasses and different versions or configurations, and applies regardless of the number of affected customers or endpoints.

What if the zero-day is deemed as a won't-fix by the vendor?

Critical vulnerabilities that the vendor deems a won't-fix may still be eligible for a Zero-day Incentive Bounty if they meet all other criteria. We review all such submissions on a case-by-case basis.

Fine print

This is an experimental program that may be suspended or altered at any moment without notice.

Last 90 day response times

Average time to first response: < 15 minutes
Average time to triage: < 15 minutes
Average time to decide: < 2 weeks