Payouts are how researchers are rewarded for their contributions to your program. Each payout follows a defined lifecycle, and the type of engagement that triggers it determines its payout type.
Payout states
Every payout goes through a number of states before it is completed.
Error
Before a payout can be processed, the researcher must be eligible to receive a reward. This includes completing identity verification and providing valid payout details. If any required information is missing or invalid, the payout is placed in the Error state. The researcher is informed and can resolve the issue by completing the required steps. Once fixed, the payout can move forward.
Pending
A payout is marked as Pending when the researcher has completed identity verification and provided valid payout details, but additional compliance checks are still ongoing. As soon as these checks are completed successfully, the payout moves to the next stage.
Processing
When a payout enters the Processing state, it has been submitted to the selected payment method and is being handled by the underlying payment service provider (PSP). The PSP processes the transaction and communicates the result back to the platform, which then updates the payout status accordingly.
⚠️ Beware: At this point, the payout can no longer be changed or canceled.
Failed
If a payout cannot be completed, for example due to incorrect payout details or an issue with the external payment provider, it is marked as Failed. In this case, the Intigriti team works together with the researcher to resolve the problem so the payout can be retried.
Paid
When a payout has been completed successfully and the researcher has received the reward, it is marked as Paid.
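To make the lifecycle above concrete, the following Python model of the payout states is added here as an illustration; it is not Intigriti's code and does not describe the platform's implementation. The event names, the rule that a retry after Failed resubmits the payout to the PSP, and the rule that cancellation is only possible in Error or Pending are assumptions made for the example. The transition table is the interesting part: an event that is not listed for the current state is rejected, so a Processing payout cannot be cancelled and a duplicate or stale PSP callback cannot move a Paid payout anywhere else.

```python
from enum import Enum


class PayoutState(Enum):
    ERROR = "Error"
    PENDING = "Pending"
    PROCESSING = "Processing"
    FAILED = "Failed"
    PAID = "Paid"


class InvalidTransition(Exception):
    """Raised when an event is not valid for the payout's current state."""


# Event names are illustrative, not platform terminology.
# Each entry: (current state, event) -> next state.
TRANSITIONS = {
    # Researcher completes verification or corrects payout details.
    (PayoutState.ERROR, "details_fixed"): PayoutState.PENDING,
    # Remaining compliance checks pass; payout is submitted to the PSP.
    (PayoutState.PENDING, "compliance_passed"): PayoutState.PROCESSING,
    # The PSP reports the outcome of the transaction.
    (PayoutState.PROCESSING, "psp_success"): PayoutState.PAID,
    (PayoutState.PROCESSING, "psp_failure"): PayoutState.FAILED,
    # Assumption: a retry after a failure resubmits the payout to the PSP.
    (PayoutState.FAILED, "retry"): PayoutState.PROCESSING,
}

# Assumption: a payout can only be cancelled before it reaches Processing.
CANCELLABLE = {PayoutState.ERROR, PayoutState.PENDING}


class Payout:
    def __init__(self, amount, identity_verified, payout_details_valid):
        if amount <= 0:
            raise ValueError("payout amount must be positive")
        self.amount = amount
        # A researcher who is not yet eligible starts in Error, otherwise Pending.
        eligible = identity_verified and payout_details_valid
        self.state = PayoutState.PENDING if eligible else PayoutState.ERROR
        self.history = [self.state]

    def apply(self, event):
        """Advance the payout by one event; anything not in the table is rejected."""
        try:
            next_state = TRANSITIONS[(self.state, event)]
        except KeyError:
            raise InvalidTransition(
                f"event {event!r} is not allowed in state {self.state.value}"
            ) from None
        self.state = next_state
        self.history.append(next_state)
        return next_state

    def can_cancel(self):
        """True only while the payout has not yet been handed to the PSP."""
        return self.state in CANCELLABLE

    def handle_psp_result(self, succeeded):
        """Apply the PSP's callback. Because only Processing has psp_* events in
        the table, a repeated callback for an already Paid or Failed payout
        raises instead of silently changing state."""
        return self.apply("psp_success" if succeeded else "psp_failure")


if __name__ == "__main__":
    # Constructed walk-through: researcher not yet verified, details valid.
    p = Payout(500, identity_verified=False, payout_details_valid=True)
    p.apply("details_fixed")        # Error -> Pending
    p.apply("compliance_passed")    # Pending -> Processing
    print("cancellable:", p.can_cancel())   # False
    p.handle_psp_result(False)      # Processing -> Failed
    p.apply("retry")                # Failed -> Processing (assumed path)
    p.handle_psp_result(True)       # Processing -> Paid
    print(" -> ".join(s.value for s in p.history))
```

The model deliberately has no "cancelled" state because the page defines none; `can_cancel()` only answers whether cancellation is still possible. Routing the PSP callback through the same transition table is what makes the handler safe to call more than once.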
Payout types
Bounty
The payout is automatically created when a submission is accepted, and the amount is determined by your bounty configuration, whether you use fixed bounties, ranged bounties, or custom bounties.
Bonus
Bonuses allow you to reward researchers independently of the submission bounty. The bonus amount is fully defined by you at the moment it is awarded.
Bonuses are commonly used to recognize exceptional effort or value, such as out-of-scope findings with significant impact, particularly well-written reports, advanced testing techniques, or special incentive campaigns. Using bonuses thoughtfully helps reinforce positive behavior and maintain a strong relationship with the research community.
💡 Note: A bonus can be awarded at any point in the submission lifecycle.
Retest bounty
A retest bounty is the reward given to a researcher for re-executing the proof of concept to confirm that a vulnerability has been fixed. The amount is defined upfront as part of the retest request. This payout is automatically created when a retest is accepted.
⚠️ Beware: Once the retest is accepted, the related payout can't be undone.
Base bounty
A base bounty is the reward given to a researcher for delivering the expected testing effort in the context of a pentest. The amount is defined upfront as part of the pentest configuration. The payout is automatically generated when the pentest is accepted.
⚠️ Beware: Once the pentest is accepted, the related payout can't be undone.
Best practices
Make sure your bounty table and Reward Policy clearly explain how rewards are determined. Transparent payout logic helps researchers understand what to expect and reduces confusion or disputes later in the process.
Bonuses are a powerful tool to recognize exceptional effort, high-impact findings, or valuable contributions outside standard scope. Using them consistently and explaining the reason behind the bonus strengthens trust and long-term engagement with the research community.