Update: SDTO Findings
6/17/2025, 8:17:22 AM (14 days ago)

Hello Intigriti Researchers,

As part of ongoing reviews of our bug bounty process, we’re changing the way we reward Subdomain Takeover findings.

We’re changing the severity of these finds to ‘Low severity’ due to new alternative internal testing we have implemented outside of the bug bounty program that helps us identify and remediate them before they are pushed to public facing web services. We are still concerned about them, however, as they can prove dangerous so please continue to search for any that fall through the gaps.

Full details of this change are on the program detail page.

Thanks again for your continued help with our network and, as always, happy hunting!

Kind regards,
The OVO ASM team

Scope Update
10/8/2024, 1:55:25 PM (9 months ago)

Hello Intigriti Researchers,

This is an update on the scope of our program.

We are temporarily removing any bugs that require an OVO Energy account from the scope. This is due to us being unable to currently offer testing accounts to Intigriti or to our team members to validate findings, which has allowed for duplicates to slip through the net, resulting in double payment. As I'm sure you can understand, this is not beneficial to the ongoing validity of the program or to the organisation.

We are, however, going through the process of getting secure accounts for testing purposes set up so we will be able to amend the scope and allow these bugs to be found once this has been officialised. Once we have these accounts, we will make sure to spread the details and be able to track these issues in a sanctioned way.

Please cease using any OVO Energy accounts that you may have set up for research purposes, using your @intigriti.me email address.

We thank you all for the hard work you've put into this program and greatly appreciate all of your findings.

Happy Hunting,
Russ Petch

Scope Update
8/23/2024, 9:33:55 AM (10 months ago)

Hello Intigriti Researchers,

This is a note to inform you that there has been a slight scope update. We have changed the wording around credentials provided from: "None provided. Researchers are free to self sign up to any applications in scope." to "None provided. Researchers are free to self sign up to any applications in scope using @intigriti.me email addresses.".

This will help us aid our internal segregation of bounty hunter activity from malicious attackers.

We thank you all for your great work so far on our Program.

As always - Happy Hunting,
Becca Liddle