Program details page setup


Written by Inti
Updated over 6 months ago

This article will guide you through the setup of your program, the program page that researchers will see when invited to your program or available on our public program list.

The goal when setting up your program should be to:

  1. Make your program as clear as possible to researchers - reduce any chance for confusion and/or false positives.

  2. Remove as many obstacles as possible for researchers to get started. This may mean including a permission matrix or a link to useful documentation in the case of a rather complicated application, providing ample test accounts or self-signup, etc.

  3. Make your program stand out compared to other programs and entice researchers to get started. This may be through an attractive bounty table, a specific way of communicating, a large scope, information about releases (more chances of success after a recent release) or specific rewards like swag or vouchers.

You can take a look at other public program pages on our website: https://www.intigriti.com/programs



Bug Bounty Program types

There are 4 types of bug bounty programs. If you don't have experience with a bug bounty program, we advise starting with a private one.

Private

  • Only visible to invited researchers. We start with 20 researchers.

Application

  • Researchers wanting to participate in your program have to apply and need to be approved by you, but all researchers who are registered on the platform can see that there is a program. Researchers still have to log in and apply to see the program details. If the ‘ID-checked’ option is not required for researchers, the program is also visible on the public Intigriti website.

Registered

  • All registered researchers on the platform can see the full program details and submit reports. It is possible to restrict access to ID-checked researchers only.

Public

  • Program is listed on the Intigriti website. Everyone can see it, but researchers still have to register on the platform if they want to submit a report. In a public program, the option ‘ID-checked’ is not possible.

Create new program

First, create a new program by going to the sidebar in the submission grid and clicking "Create program".

Alternatively, you can click "Create program" from within the Admin view.

You will be guided through a wizard which takes you through every stage on a separate page. You will be able to change every aspect of the program later, except for the program handle. The program handle is really only used in the direct Intigriti link to your program.

Note: remember that programs started in the wizard can't be removed from your organisation. Once started, they will remain in your program list.

Program Description

This is the initial (public) description of your program. Oftentimes, this is more of an introduction to your company than to the program. If your brand is widely known, it can also be an introduction to how you view and approach security within the organization.

An example of how the description is shown on our public programs. This will be similar for invite-only platforms, but then only visible to researchers invited to the program and logged into the platform.

Program Domains: Defining the scope of the program

In this section, we define the scope for the researchers to hunt on. This can consist of URLs, iOS or Android apps, offline applications or IP ranges.

We will also define which bounty tier (link to bounty tier article) the domains belong to and give the most important information about the domains in the domain description. This allows you to include more scope, and scope of different maturity levels.

For a more detailed overview of defining the scope of your program, please also see our Bounty tiers article on how to incorporate more scope.

Bounty table

When adding a domain, by clicking Edit, you can also change the bounty table.

See our bug bounty calculator as well as our articles on bounty tiers (links) to help you set up a competitive table.

The goal should be to have as competitive a table as possible within your budget.
It's also important to ask yourself the question: What happens if we run through the current budget? Is there more budget available if we can prove the value of the submissions?

Of course you can also ask Intigriti for advice.

💡When setting up a Vulnerability Disclosure Program (VDP) without bounties, we highly recommend adding a reward policy to ensure complete transparency about any exceptional and alternative rewards that might be given to researchers. Examples of such rewards include bonuses to compensate for overlapping scope, swag, consumer goods, ...

In scope section

This is where you can welcome and guide researchers through your scope. We advise using this section to personalise your program to the fullest. Researchers will be drawn to the programs with the best scope and bounties, as well as the programs that are the best communicators. This can already be a reflection of your team and the way you want to work with researchers going forward!

We highly recommend thinking about and specifying scenarios of interest and worst-case scenarios (e.g. cross-tenancy leaking).

You can also link to useful documentation or write a readily available guide on the platform, reducing the need for researchers to go outside of the platform to decide whether or not this is an interesting program.

However, if the text gets too lengthy, consider moving some information into the FAQ section and referring to that section here. This can be useful for e.g. a roles and permissions overview.

This is also the place to announce any special rewards you may want to give. For example, some companies give vouchers or company swag for some severities. Giving away these types of rewards can also be a way to make a Responsible Disclosure program with no bounties more attractive.

Out of scope section

This is where we indicate what is out of scope, both in terms of the URLs or domains and the issue types we're not looking for.

Out of scope Template

The template is taken care of by Intigriti and has been set up to avoid noise submissions.

Noise submissions are bad news all around: a low validity rate, disappointed researchers, more invalid submissions counting towards your total number of allowed submissions on the platform and no value for you. You can of course change the template, but we ask you to think twice before removing an item from the list. The Intigriti team is happy to provide insights on any questions you may have.

Known issues

Ideally, any known issues can be addressed before the launch of the program.

If that is not possible, or if new known issues that cannot be solved immediately are discovered during the program, we advise adding them here, so that researchers do not spend time and effort on them and can focus on finding new, unknown blind spots. Disappointing researchers should always be avoided where possible! Especially in a non-public program, we advise adding known issues to the Out of scope list.

Severity assessment

In the severity assessment, we give an indication of how researchers can expect the submissions to be categorised.

Overall, we advise using the Intigriti Contextualised CVSS. Please have a read through the article to understand how submissions will be handled and categorised by the triage team.

It is possible to deviate from this standard. In this case, we suggest explaining here how submissions will be assessed instead.

Given that the Contextualised CVSS allows for business impact to be taken into account in the final score, there typically is no need to deviate from the standard.

Rules of Engagement & Testing requirements

FAQs

This section can be used to provide additional information about your program.

Typically this will hold information about the test accounts and roles that are provided.

Submission Questions

If you want to add a specific question to the submission form, submission questions are the way to do that. For example, you may ask the researcher which test account they were using for this test.

Test credentials

See the detailed article about test credentials.

Uploading Attachments

In many of these sections, it's possible to attach documents in order to reduce the amount of text where needed. This will typically be more applicable in a hybrid program, where internal documentation can also be made available.

