Intigriti supports different program types to match your organization’s security maturity, risk appetite, and operational needs. Each program type offers a different way to engage with researchers, ranging from passive vulnerability intake to continuous testing and time-bound pentesting.
Understanding the differences helps you choose the right setup for your goals and evolve your security testing strategy over time.
Bug bounty programs
A bug bounty program actively engages researchers to look for vulnerabilities within a clearly defined scope. In return, researchers are rewarded with monetary bounties based on the severity or impact of the issues they find.
On the Intigriti platform, you define what is in scope and out of scope, as well as the reward levels for different severity tiers. For example, you might define a higher reward for critical vulnerabilities and lower rewards for medium or low-impact findings. This allows you to align incentives with your internal risk assessment and priorities.
Bug bounty programs give you access to a diverse and global pool of researchers with a wide range of skill sets. Instead of relying on a limited number of testers, you benefit from many independent perspectives continuously testing your assets.
Bug bounty programs are typically launched privately, with access restricted to invited researchers. Over time, they can be expanded to an application-based or public program, depending on your confidence, capacity, and goals.
Vulnerability disclosure programs
A vulnerability disclosure program (VDP), also known as a responsible disclosure program, provides a structured and passive way for security vulnerabilities to be reported.
Unlike a bug bounty program, a VDP does not actively incentivize researchers to hunt for bugs. Instead, it offers a clear and responsible reporting channel for accidental findings or low-effort research. This makes it an ideal entry point for new researchers and a good baseline for organizations that want to improve their vulnerability intake process.
Many organizations rely on inbox-based disclosure channels, which often lead to high volumes of noise and unstructured reports. When you host a VDP on Intigriti, incoming reports are filtered and validated by Triage, ensuring your team only receives actionable findings.
Penetration Testing as a Service
Penetration Testing as a Service (PTaaS) combines the benefits of traditional penetration testing with the flexibility and incentive model of bug bounty.
With PTaaS, you open a penetration test for a fixed period of time and agree on a predefined day-based fee. At the same time, a bounty table is used to incentivize researchers to focus on high-impact vulnerabilities during the engagement.
Intigriti offers different pentest types to match your testing objectives:
Focused pentest
A focused pentest is designed for targeted testing of specific assets or scenarios, providing quick validation and meaningful security insights. It is best suited for new or high-priority assets where creative coverage and in-depth testing are needed without the overhead of a full audit-style engagement.
Comprehensive pentest
A comprehensive pentest delivers a full-coverage security assessment using structured and industry-recognized methodologies. It is best suited for teams that require validated findings, detailed reporting, and a broad evaluation of their security posture across multiple assets or environments.
Certified pentest
A certified pentest provides compliance-grade security testing performed by certified experts and delivered under accredited frameworks. It is best suited for regulated industries or organizations with formal compliance requirements, such as those driven by regulatory standards or external audits.
This model allows you to maintain predictable timelines and costs while still benefiting from the depth, creativity, and expertise of specialized researchers.
