This article describes the different program settings that can be configured:
- ID-Checked
- Area Restrictions
- Extra Terms & Conditions
- Collaboration
- 2FA Enforcement
Where can I find the program settings?
On the top right, there is a drop-down button which expands to show more of the menu for programs. Here you will find the Program Settings:
Program confidentiality
A program can have 4 different confidentiality modes:
Private - invitation only - We select researchers for the program. We typically start with 15-20 and then gradually increase the number of researchers, allowing your skill to be tested by more people with different skillsets, increasing the chance of finding different vulnerabilities.
Application only - Researchers wanting to participate have to apply and need to be approved by you, but all researchers who are registered on the platform can see that there is a program. If ID-Checked is not required for researchers, the program is also visible on the public Intigriti website, but not all of its details. Researchers have to log in and apply to see the program details.
Registered only - All registered researchers on the platform can see the program and submit reports. It is possible to restrict access to ID-Checked researchers only.
Public programs - The program is listed on our public website and indexed by Google, so if you were to google "Bug Bounty" + your company name, you would find the link to the program in the results. Researchers still have to register on the platform if they want to submit a report. In a public program, the ID-Checked option is not available.
Program Status
Draft - Unpublished programs, regardless of their confidentiality, are in draft. Researchers cannot see this program. It is possible to pre-invite researchers already, but they will only be notified at launch. Any updates made during the Draft stage are not saved in version control.
Open - The program is visible on the platform according to its configured confidentiality level (invite only, application, registered, public), and researchers are able to research the program and submit submissions.
Suspended - A program can be suspended manually or automatically.
Automatically suspended: This happens because there is not enough budget left; see this article for how to proceed: https://kb.intigriti.com/en/articles/5925922-program-auto-suspension
Manually suspended: You can decide to take a break and set your program to suspended. In this state, researchers are not able to submit any more reports, and they are also not allowed to continue hunting on your scope. If you're not planning to reopen this program, you should move the program to Closed, so researchers don't keep waiting for an update.
Closing - The closing state indicates that this program will be closed once the last pending submission on this program has been handled by the company. We do not expect this program to be relaunched, so this helps researchers understand they should not wait for it to reopen and should put their focus elsewhere.
Closed - Once the last submission has been moved to Closed, the program moves from Closing to Closed. Closed programs have reached the end of their lifecycle; they are no longer published on the platform, nor available for any submissions. It has been a hell of a ride, but it is time to say goodbye.
Program checkboxes for ID-Checked, Area Restriction, Researcher collaboration, 2FA enforcement and Extra Terms & Conditions
ID-Checked - Only researchers that have gone through the ID-Checking process can participate in the program. This option can be checked for all confidentiality levels except public. Not all researchers on the platform are ID-checked. All researchers that wish to receive a payout have to be ID-checked.
Area specific: EEA - This option is available for Advanced customers only. It sets an additional filter on top of ID-Checked, so that only researchers who, according to the information provided during their ID checking process, reside in an EEA country can participate.
Terms & conditions - This option is available for Advanced customers only. By default, researchers have to adhere to our standard Terms & Conditions (non-conformance may result in legal action) and Code of Conduct (non-conformance may result in a program or platform ban). These apply by default to every program on Intigriti. If you wish to enforce additional Terms & Conditions, this is possible; it is sometimes needed because your legal team requires it. In the vast majority of cases, the standard T&Cs and CoC cover the needs. From a researcher perspective, we advise removing barriers to joining as much as possible. If you still want or need to enable this option, you can define the text of the T&Cs in the Admin section of the platform and then check the checkbox in the program settings. This means you can have programs where the additional Terms & Conditions apply, and others where they don't.
Researcher collaboration - Available for all programs. If you don't see the checkbox, contact your customer success manager. Allowing researchers to work together and split the bounty can be very beneficial for the outcomes of your program. We only advise against this option if rewards are used that cannot easily be split.
Enforce two-factor authentication (2FA) - Available for all programs. Add a layer of security and confidentiality to your program by only allowing researchers who use 2FA as a login method to access and hack on your program. If you enforce 2FA, you will not be able to invite researchers that do not have 2FA enabled. If you enforce 2FA on an ongoing program, researchers that were already in your circle of trust lose access until they enable 2FA, at which point they regain access to your program.
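The confidentiality modes, program statuses and checkboxes above combine into an access policy. The following is an added example, not Intigriti's own code, that models those rules as a single eligibility check: it validates settings combinations the article says are not possible (ID-Checked on a public program, EEA without ID-Checked) and then decides, for a given researcher, whether a submission is accepted and why not. The field names and the string values are assumptions chosen for the example.

```python
from dataclasses import dataclass


@dataclass
class ProgramSettings:
    """Program settings as described in the article (names are assumed)."""
    confidentiality: str          # "private", "application", "registered", "public"
    status: str = "open"          # "draft", "open", "suspended", "closing", "closed"
    id_checked_only: bool = False  # ID-Checked checkbox
    eea_only: bool = False         # Area specific: EEA (builds on ID-Checked)
    enforce_2fa: bool = False      # Enforce two-factor authentication

    def validate(self) -> list[str]:
        """Return the settings combinations the article rules out."""
        errors = []
        if self.confidentiality == "public" and self.id_checked_only:
            errors.append("ID-Checked is not available on a public program")
        if self.eea_only and not self.id_checked_only:
            errors.append("EEA restriction is a filter on top of ID-Checked")
        return errors


@dataclass
class Researcher:
    """Researcher attributes relevant to the checks (constructed for the example)."""
    registered: bool = True
    id_checked: bool = False
    eea_resident: bool = False
    has_2fa: bool = False
    invited: bool = False   # private programs: selected by Intigriti
    approved: bool = False  # application-only programs: approved by the company


def can_submit(program: ProgramSettings, r: Researcher) -> tuple[bool, str]:
    """Decide whether a researcher may submit a report, with the blocking reason."""
    if program.validate():
        return False, "invalid settings: " + "; ".join(program.validate())
    if program.status != "open":          # only Open programs accept submissions
        return False, f"program status is {program.status}"
    if not r.registered:                  # even public programs require registration
        return False, "researcher must register on the platform"
    if program.enforce_2fa and not r.has_2fa:
        return False, "2FA is enforced on this program"
    if program.id_checked_only and not r.id_checked:
        return False, "ID-Checked researchers only"
    if program.eea_only and not r.eea_resident:
        return False, "EEA residents only"
    if program.confidentiality == "private" and not r.invited:
        return False, "invitation only"
    if program.confidentiality == "application" and not r.approved:
        return False, "application not yet approved"
    return True, "submission accepted"
```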
Statistics visibility
This is how the statistics appear to researchers:
The top section can be excluded from sharing. In some cases hiding the stats can be a good idea, but overall we encourage as much transparency as possible.
Leaderboard confidentiality settings
This allows you to set who can see individual researchers' reputation points.
The leaderboard itself is visible to the same group of people who have access to the program according to its confidentiality. This setting is only about who can see the actual reputation points. A reason to hide this from everyone, by setting it to Circle of trust (in short, the participating researchers) or Nobody, can be to prevent people from guessing how much a certain researcher has been paid. This is especially relevant right after the launch of a program.