Program confidentiality

A word about the way we define confidentiality on the platform

Written by Lise
Updated over a week ago

Programs

Programs provide you with all the information needed to research a company's domains and assets, including the confidentiality and bounty level of each. This information includes, among other things, the scope definition, the bounty table and the domain specification.

The confidentiality level of a program controls when, and how much of, its details are disclosed to specific researchers. Several concepts are important to understand the rules the platform imposes to enforce this confidentiality.

Confidentiality level

Each program has a mandatory confidentiality level setting which determines the population of researchers that the program is accessible to. The confidentiality level can be set to one of the following four values (a typical program progresses through these levels as it gains maturity):

Invite only

Programs with this confidentiality level are not visible to researchers unless they are invited to work on the program, either as part of an effort by Intigriti to maintain activity on the program or at the explicit request of the customer. From the moment an invitation is pending or accepted, the program becomes visible to the invited researchers only.

Application

Application programs are visible to the wider public, but only the description and bounty level are disclosed to everyone. This way, anyone can know about the program, but not everyone has the details needed to research it. To gain access to all program details and start researching its assets, researchers are required to apply to the responsible program admin. Once the application is approved, all program details are disclosed to that specific researcher.

Registered

Registered programs are only shown once a researcher has logged in to the application; they are not advertised on the public website. Once registered as a researcher, you can create submissions on such a program without further delay.

Public

Public programs are exactly what the name indicates: public. These programs are shown on the public pages and all their details are available to the wider public. To create a submission, it is still mandatory to register an account as an Intigriti researcher.

For responsible disclosure programs, it is also possible to hide or unlist public programs from Intigriti's platform through our Capture offering. The program link can still be shared on the company's own website to guarantee a streamlined vulnerability reporting process.

Moving programs from one level to another

The flow for moving a program from one confidentiality level to another is designed for the order listed above. This represents the usual growth in maturity of a program and aligns with a program needing access to a wider pool of researchers the longer its assets have been listed.

While the reverse is possible (for example, moving a program from Public to Invite only), it is not usually recommended, because raising the confidentiality level does not undo disclosure that has already taken place. In that particular case, search engines may already have crawled and cached the page on which the program was publicly visible. Likewise, once a program has been at Application level, researchers may have applied and been approved who would not normally have been invited; moving the program back to Invite only does not remove them from the program.

Some additional security measures you might run into

Identity checked only

Some companies prefer to have a better understanding of who the researchers are. They require every researcher to complete the Intigriti ID check before being allowed to view the program specifics. Such programs are advertised according to their confidentiality level, but instead of displaying the program details, they ask users who have not yet been checked to complete the ID check first.

As a researcher you only need to get your ID checked once; after that, you have faster access to every program that requests this additional security measure.

Terms and Conditions required

Some programs require you to accept their specific terms and conditions before you are granted access to the program specifics. In this case, the program details page asks you to accept these terms before displaying any program detail. Read through the Terms and Conditions and click accept to be able to research the program under its current terms.

Whenever these terms change, you will be asked to accept them again for that specific program before you can continue.
