Once a researcher creates a submission, it will go through different stages before being closed as resolved and ultimately being archived. A valid submission goes through the following stages, in chronological order:
All programmes at Intigriti are managed programmes. Our triage team will review every submission and determine whether the report describes a valid vulnerability. If our triage team determines that a submission is valid, it will be passed on to the next stage, “validated”, where it awaits review by a company member. If the submission is, for some reason, found to be invalid, it will be closed immediately. If you feel that this wasn’t correct, you can request support for a second opinion.
Having passed the initial triage, the submission will be forwarded to the affected company and reviewed by one of the company members. A company member will double-check the issue that was described in the report. If the company member determines that the submission is indeed valid and not a duplicate or out of scope, it will be marked as accepted, which means that the company has acknowledged the vulnerability.
The company has acknowledged the vulnerability and will develop a fix. Upon acceptance, the researcher will be paid either 50% or 100% of the bounty. By default, companies pay upon accepting a vulnerability, but they have the choice to do it differently. Once a vulnerability is accepted, it will quickly move on to the next stage, where a fix will be developed.
This is the last stage a submission will go through before being closed as resolved. In this stage a fix will be developed. Once the company has published a fix for the vulnerability, the researcher will be asked to confirm whether the fix has successfully resolved the vulnerability.
The vulnerability has successfully been mitigated and has been marked as resolved. There’s nothing left to do. The submission will rest in this phase for 14 days before being archived; during this time it remains open for questions or feedback from the researcher.
Once a submission has been marked as resolved for more than two weeks, it will automatically be archived. Sensitive information can be removed at this point; metadata (criticality, etc.) will never be removed.