
Program details page setup


Written by Inti
Updated over 3 weeks ago

This article will guide you through the setup of your program: the program page that researchers see when they are invited to your program, or that is available on our public program list.

The goal when setting up your program should be to:

  1. Make your program as clear as possible to researchers - reduce any chance for confusion and/or false positives.

  2. Remove as many obstacles as possible for researchers to get started. For a more complicated application this may mean including a permission matrix or a link to useful documentation, providing ample test accounts or self-signup, etc.

  3. Make your program stand out compared to other programs and entice researchers to get started. This may be through an attractive bounty table, a specific way of communicating, a large scope, information about releases (more chances of success after a recent release) or specific rewards like swag or vouchers.

You can take a look at other public program pages on our website: https://www.intigriti.com/programs


Bug Bounty Program types

There are 4 types of bug bounty programs. If you don't have experience with a bug bounty program, we advise starting with a private one.

Private

  • Only visible to invited researchers. We start with 20 researchers.

Application

  • Researchers wanting to participate in your program have to apply and need to be approved by you, but all researchers who are registered on the platform can see that there is a program. Researchers still have to log in and apply to see the program details. If the ‘ID-checked’ option is not required for researchers, the program is also visible on the public Intigriti website.

Registered

  • All registered researchers on the platform can see the full program details and submit reports. It is possible to restrict access to ID-checked researchers only.

Public

  • Program is listed on the Intigriti website. Everyone can see it, but researchers still have to register on the platform if they want to submit a report. In a public program, the option ‘ID-checked’ is not possible.

Create new program

First, create a new program by going to the sidebar in the submission grid and clicking "Create program".

Alternatively you can click "Create program" from within the Admin view.

You will be guided through a wizard which takes you through every stage on a separate page. You will be able to change every aspect of the program later, except for the program handle. The program handle is really only used in the direct Intigriti link to your program.

Note: remember that programs started in the wizard can't be removed from your organisation. Once started, they will remain in your program list.

Program Description

This is the initial (public) description of your program. Oftentimes, this is more of an introduction to your company than to the program. If your brand is widely known, it can also be an introduction to how you view and approach security within the organization.

An example of how the description is shown on our public programs. This will be similar for invite-only programs, but then only visible to researchers invited to the program and logged into the platform.

Program Assets: Defining the scope of the program

In this section, you’ll define the scope that researchers can test against. This may include URLs, iOS or Android apps, IP ranges, and so on.

You’ll also assign each asset to a bounty tier and provide key details in the asset description. This makes it easier to include a broader range of assets, including those at different maturity levels.

Bounty table

When adding an asset, you can also change the bounty table by clicking Edit.

See our bug bounty calculator as well as our articles on bounty tiers (links) to help you set up a competitive table.

The goal should be to have the most competitive table possible within your budget. It's also important to ask yourself: What happens if we run through the current budget? Is there more budget available if we can prove the value of the submissions?

Reward Policy

The Reward Policy section provides crucial transparency regarding how researchers are compensated beyond the standard bounty table. This space is designed to be easily accessible and clearly visible near the bounty table, preventing important reward details from being lost in lengthy descriptions.

The intended use of the Reward Policy section is as follows:

  • Vulnerability Disclosure Programs (VDPs): Clearly outline any alternative rewards that may be offered in programs without standard cash bounties. This includes detailing items such as company swag, bonuses, consumer goods, or other incentives. Specify the circumstances under which these alternative rewards apply.

  • Custom bounties: If your program utilizes custom bounties, use this section to explain how these bounty amounts are determined. Detail any specific criteria, the decision-making process involved, or factors that influence the final bounty amount.

  • Other reward information: This section can also be used to include any other pertinent information related to how researchers are rewarded. This may include policies on duplicate submissions, bonuses for high-quality reports, temporary bonus campaigns, and other relevant information.

Clearly defining your reward policies here helps manage researcher expectations and encourages continued high-quality engagement in your program.

In scope section

This is where you can welcome and guide researchers through your scope. We advise using this section to personalise your program to the fullest. Researchers will be drawn to the programs with the best scope and bounties, as well as the programs that are the best communicators. This can already be a reflection of your team and the way you want to work with researchers going forward!

We highly recommend thinking about and specifying scenarios of interest and worst-case scenarios (e.g. cross-tenancy leaking).

You can also link to useful documentation or write a readily available guide on the platform, reducing the need for researchers to go outside of the platform to decide whether or not this is an interesting program.

However, if the text gets too lengthy, consider moving some information into the FAQ section and referring to that section here. This can be useful for e.g. a roles and permissions overview.

This is also the place to announce any special rewards you may want to give. For example, some companies give vouchers or company swag for some severities. Giving away these types of rewards can also be a way to make a Responsible Disclosure program with no bounties more attractive.

Out of scope section

This is where we indicate what is out of scope, both in terms of the assets and the issue types we're not looking for.
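As an added illustration (not Intigriti's own code or data format), here is a small scope resolver that combines the assets and bounty tiers from the Program Assets section above with the out-of-scope list from this section: it takes a submitted target (URL, hostname or IP), lets out-of-scope entries take precedence, and returns the bounty tier of the most specific matching asset. The scope entries are constructed sample values for a hypothetical program.

```python
import ipaddress
from fnmatch import fnmatchcase
from urllib.parse import urlparse

# Constructed sample scope for a hypothetical program (not an Intigriti export format).
# URL assets are hostnames or wildcard hostnames; IP assets are CIDR ranges.
IN_SCOPE = [
    {"asset": "*.example.com", "tier": 2},
    {"asset": "api.example.com", "tier": 1},   # exact entry outranks the wildcard
    {"asset": "203.0.113.0/24", "tier": 3},
]
OUT_OF_SCOPE = ["staging.example.com", "*.legacy.example.com"]


def _host(target: str) -> str:
    """Extract a lowercase hostname or IP from a bare host, IP or full URL."""
    if "://" not in target:
        target = "//" + target          # let urlparse treat it as a network location
    return (urlparse(target).hostname or "").lower()


def _matches(asset: str, host: str) -> bool:
    """Match one scope entry: CIDR for IP ranges, fnmatch-style wildcard for hosts."""
    if "/" in asset:                    # CIDR entry, e.g. 203.0.113.0/24
        try:
            return ipaddress.ip_address(host) in ipaddress.ip_network(asset, strict=False)
        except ValueError:              # host is not an IP address
            return False
    # Note: "*.example.com" does NOT match the apex "example.com"; list the apex separately
    # if it is in scope, otherwise researchers are left guessing.
    return host == asset or fnmatchcase(host, asset)


def resolve_scope(target: str, in_scope=IN_SCOPE, out_of_scope=OUT_OF_SCOPE) -> dict:
    """Classify a target as out_of_scope / in_scope (with tier) / not_listed."""
    host = _host(target)
    if not host:
        return {"status": "unknown", "tier": None}
    # Out-of-scope entries win over any in-scope match, so exclusions are unambiguous.
    if any(_matches(a, host) for a in out_of_scope):
        return {"status": "out_of_scope", "tier": None}
    hits = [e for e in in_scope if _matches(e["asset"], host)]
    if not hits:
        return {"status": "not_listed", "tier": None}
    # Prefer an exact hostname over a wildcard/range, then the lower-numbered (higher) tier.
    best = min(hits, key=lambda e: (any(c in e["asset"] for c in "*/"), e["tier"]))
    return {"status": "in_scope", "tier": best["tier"], "asset": best["asset"]}
```

Running the same resolver over a draft scope before launch is a quick way to catch gaps such as an unlisted apex domain or an out-of-scope host that a wildcard would otherwise pull back in.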

Out of scope Template

The template is provided by Intigriti and has been set up to avoid noise submissions.

Noise submissions are bad news all around: a low validity rate, disappointed researchers, more invalid submissions counting towards your total number of allowed submissions on the platform, and no value for you. You can of course change the template, but we ask you to think twice before removing an item from the list. The Intigriti team is happy to provide insights on any questions you may have.

Known issues

Ideally, any known issues can be addressed before the launch of the program.

If that is not possible, or if new known issues that cannot be solved immediately are discovered during the program, we advise adding them here, so that researchers do not spend time and effort on them and can focus on finding new, unknown blind spots. Disappointing researchers should always be avoided where possible! Especially in a non-public program we advise adding known issues to the Out of scope list.

Severity assessment

In the severity assessment, we give an indication of how researchers can expect the submissions to be categorised.

Overall, we advise using the Intigriti Triage Standards. Please have a read through the article to understand how submissions will be handled and categorised by the triage team.

It is possible to deviate from this standard. In that case, we suggest explaining here how your program deviates from it.

Rules of Engagement & Testing requirements

FAQs

This section can be used to provide additional information about your program.

Typically this will hold information about the test accounts and roles that are provided.

Submission Questions

If you want to add a specific question to the submission form, submission questions are the way to do that. For example, you may ask the researcher which test account they were using for this test.

Test credentials

See the detailed article about test credentials.

Uploading Attachments

In many of these sections, it's possible to attach documents in order to reduce the text where needed. This is typically more applicable in a PTaaS program, where internal documentation can also be made available.
