If you think you have found a vulnerability but you are uncertain if it is in-scope or out-of-scope, our first suggestion will always be to check on the program details, as the customer works hard to populate all the relevant information you will need to proceed with their program.
If still unclear we suggest submitting a report with your findings, be clear and concise with the relevant information you provide, as the Triage team will reproduce the report and the easier the PoC (proof of concept) is to replicate the better your chances of being successful.
You will receive feedback from the triage team suggesting whether or not they have found the submission to be reproducible, the customer has the final say when it comes to the accepting or rejecting or submissions received including the severity.
The Intigriti team cannot comment on the severity or the validity of individual submissions for this reason.