Once a researcher creates a submission, it will go through different stages before being closed as resolved and ultimately archived. A valid submission passes through the following stages in chronological order:
Draft
Triage
Most programmes at Intigriti are managed programmes. Our triage team will review every submission and determine whether the report describes a valid vulnerability. If our triage team determines that a submission is valid, it will be passed on to the next stage, pending, where it awaits review by a company member.
If the submission is, for some reason, found to be invalid, it will skip the pending or accepted stage and be closed immediately. If you feel that this wasn’t correct, you can request support for a second opinion.
Pending
Having passed the initial triage, the submission will be forwarded to the affected company and reviewed by one of the company members. A company member will double-check the issue that was described in the report.
If the company member determines that the submission is indeed valid, it will progress to the accepted stage. Good job, the company has acknowledged the vulnerability.
However, the company will move the submission directly to the closed state when it matches any of the reasons listed in the closed section below. If you feel that this wasn’t correct, you can request support for a second opinion.
Accepted
The company has acknowledged the vulnerability and will develop a fix. Upon acceptance, the researcher will be paid the full bounty. Once a vulnerability is accepted, it will quickly move on to the next stage where a fix will be developed.
Closed
Either the vulnerability has successfully been mitigated and has been marked as resolved, or the submission was rejected by triage or the company for any of the following reasons:
it is out of scope
it is not applicable
it is considered to be spam
it is considered to be an accepted risk
it is considered to be merely informative
it is a duplicate submission
When the submission arrives in this state, there’s nothing left to do. The submission will rest in this phase for 14 days before being archived. During this time it remains open for questions or feedback from the researcher.
Archived
Once a submission has been marked as resolved, it can be archived. Sensitive information can be removed at this point, but metadata (severity etc.) will never be removed.