If you think you have found a vulnerability but you are uncertain if it is in-scope or out-of-scope, our first suggestion will always be to check on the program details, as the customer works hard to populate all the relevant information you will need to proceed with their program.
If still unclear we suggest submitting a report with your findings, be clear and concise with the relevant information you provide, as the Triage team will reproduce the report and the easier the PoC (proof of concept) is to replicate the better your chances of being successful.
You will receive feedback from the triage team suggesting whether or not they have found the submission to be reproducible, the customer has the final say when it comes to the accepting or rejecting or submissions received including the severity.
β
The Intigriti team cannot comment on the severity or the validity of individual submissions for this reason.
π‘ Intigriti includes an automated scope validation assistant in the submission flow. Before you submit, this tool checks your draft against the program's out-of-scope requirements and alerts you to potential issues, giving you a chance to review before submission. Learn more in How to write and submit a good report.