This FAQ is designed primarily for those managing pentest programs on their organisation's behalf. For detailed documentation, please refer to the linked resources where applicable. For a general and less technical FAQ, please refer to the following article: Intigriti's PTaaS - Frequently Asked Questions (FAQ)
Below is a list of frequently asked questions that have come up in past pentest engagements:
Why can't I award a bonus despite budget having been allocated to the bounty pool and not yet spent?
This is because the bounty pool is only used for submission payouts and not bonuses: rewarding a bonus requires adding budget to the programme in addition to what has been allocated to the base bounty and bounty pool.
If there is no budget left in the programme after the base bounty and bounty pool are allocated, it is not possible to award a bonus yet.
Once the pentest has concluded and, following a brief validation period, the program has gone into the closing state, any leftover budget will be moved back to the unallocated pool.
Why can I not edit the pentest program?
Members who are not company admins have to be added separately to the program and given the correct permissions for the program in order to make changes. The Program Editor or Program Admin role is required to edit the program.
Further detail on roles and permissions can be found in the following article: https://kb.intigriti.com/en/articles/8825397-roles-and-permissions
Can pentests award reputation points?
Pentests do not currently award reputation points.
How many assets can I include in the scope for the pentest?
There is no formal limit on the number of assets in scope for a pentest. However, if a scope becomes too large, we may recommend splitting it across multiple pentests.
Should we group all of our assets in a single pentest?
We would suggest grouping pentests by theme/asset type, so as to ensure that researchers with the relevant skill sets and interest will apply. This also ensures that any reporting is more specific to the relevant stakeholders. Examples of a theme would be a web application that also has its own mobile apps for iOS and Android, or a collection of websites which are under the same brand.
Multiple smaller pentests also simplify the process of ensuring that the environment, accounts, etc. are prepared for the engagement.
Is there a way to get the researcher to prioritise one particular aspect of the pentest scope?
There are multiple ways to ensure a focus on a particular area of the scope:
The first and simplest is to request that a special focus be placed on it in the Goals and Objectives section of your program.
If you are more interested in findings related to a specific asset, you could assign it a higher asset tier and increase the payouts for this tier. This incentivises the researcher to focus on this area.
If instead you are interested in a particular type of vulnerability, irrespective of asset, you could modify the "severity assessment" section to note that this vulnerability would be assigned a higher severity.
Why is the pentest window greater than the expected effort?
The pentest expected effort is the number of hours the researcher will spend on the pentest. The pentest window is the period within which the researcher has to allocate that effort. The window is greater so as to allow the researcher flexibility in scheduling these hours.
Upon request, the window can be reduced if needed. This can be discussed during the Pentest Kickoff meeting.
Why is the base bounty/bounty pool higher?
The greater the effort assigned to the pentest, the higher the base bounty and bounty pool. This is because the base bounty is paid out for the researcher's time, while the bounty pool is higher in order to reflect the higher number of potential findings, since the researcher has more time to identify potential submissions.
The base bounty day rate also varies depending on the pentest type selected: Focused (€300), Comprehensive (€450) or Certified (€600). More information on the types of pentests available can be found here: https://www.intigriti.com/product/pentest-as-a-service