Bounties (Tier 2)

  • Low: € 100
  • Medium: € 500
  • High: € 1,500
  • Critical: € 3,000
  • Exceptional: € 5,000

Range: € 100 - € 5,000
Domains

  • *.intigriti.com (URL, Tier 2)
  • *.intigriti.io (URL, Tier 2)
  • *.intigriti.me (URL, Tier 2)

Description

At intigriti, we practice what we preach. We’ve built the platform with the greatest care and attention to security, but all software contains bugs and we are no exception to this rule. We encourage you to responsibly disclose any security vulnerabilities you may encounter, and we will reward you accordingly.

In scope

If you would like to report a software bug without a security impact, please report it to letstalk@intigriti.com instead. Please use the test project for all your tests. Refrain from testing against our customers' projects.

Out of scope

Out-of-scope domains

  • blog.intigriti.com
  • kb.intigriti.com
  • autodiscover.intigriti.com
  • go.intigriti.com
  • mail.intigriti.com
  • click.intigriti.com
  • challenge.intigriti.io
  • tools.intigriti.io
  • welcome.intigriti.com
  • newsletter.intigriti.com
  • onboarding.intigriti.io
  • any intigriti CTF

You will not receive a reward, and your submission may be rejected, if it is out of scope or falls into one of the following categories:

General

  • Best practices concerns
  • Highly speculative reports about theoretical damage. Be concrete.
  • DDoS or unrealistic Brute Forcing Attacks
  • Denial of service or lockout vulnerabilities, e.g. causing a temporary ban by triggering maliciously crafted requests on the client
  • Username/email/program name enumeration
  • Publicly accessible login panels - These generally have low security impact
  • Reports that state that software is out of date/vulnerable without proven exploitable risks
  • Vulnerabilities as reported by automated tools without additional analysis as to how they're an issue in the context of our tool
  • Physical or social engineering attempts (this includes phishing attacks against employees)
  • Ways to game or cheat the reputation system

Application

  • Clickjacking on non-sensitive pages
  • User enumeration
  • Spamming / annoying other users with emails or notifications
  • CSV injection
  • Missing rate limits
  • Homograph attacks
  • Fingerprinting attacks that do not reveal sensitive information
  • E-mail bombing
  • Attacks that require physical access to a user's device
  • Plain text injection
  • Sessions not deactivated when enabling 2FA
  • Password reset links not expiring
  • Hyperlink takeover

Infrastructure

  • Open ports without an accompanying proof-of-concept demonstrating vulnerability
  • Recently disclosed 0day vulnerabilities in commercial products where no patch or a recent patch (< 2 weeks) is available. We need time to patch our systems just like everyone else - please give us 2 weeks before reporting these types of issues.
  • Weak/expired SSL configurations and SSL/TLS scan reports (this means output from sites such as SSL Labs)

Rules of engagement

Guidelines

  • Please do NOT use automatic scanners - be creative and do it yourself! We cannot accept any submissions found by using automatic scanners. Scanners also won't improve your skills, and they can cause a high server load (we'd rather put our time into thanking researchers than into blocking their IPs :-))
  • Please do NOT discuss bugs before they are fixed. You can send us a video as proof of concept, but remember to set its privacy settings to private

Reporting Guidelines

  • Provide detailed but to-the point reproduction steps
  • Include a clear attack scenario. How will this affect us exactly?
  • Remember: quality over quantity!

Safe harbour for researchers

intigriti considers ethical hacking activities conducted in accordance with the Researcher Guidelines, the Program description and restrictions (the Terms) to constitute “authorized” conduct under criminal law. intigriti will not pursue civil action or initiate a complaint for accidental, good-faith violations, nor will we file a complaint for circumventing technological measures used by us to protect the scope as part of your ethical hacking activities.

If legal action is initiated by a third party against you and you have complied with the Terms, intigriti will take steps to make it known that your actions were conducted in compliance and with our approval.


Program specifics

  • ID check required
  • Reputation points
  • Triage

Activity

  • 4/7 intigriti closed a submission
  • 4/7 theamazingferret created a submission
  • 4/6 iamtherealjason created a submission
  • 4/6 intigriti closed a submission
  • 3/31 intigriti closed a submission
  • 3/31 roberto99 created a submission
  • 3/30 intigriti changed the out-of-scope section
  • 3/30 intigriti accepted a submission
  • 3/29 dewcode created a submission
  • 3/26 intigriti closed a submission