Program launch checklist

This article lists all checks to be done before launching a program.

Travis Anderson avatar
Written by Travis Anderson
Updated over a week ago

Almost ready to launch your program? Your Onboarding Manager or Success Manager will guide your every step of the way, but this can act as your reference in the process.

First, let's make sure all the details of your program are configured. Then, let's make sure everything else is ready for launch.

Let's make sure we've checked all the boxes!

Note: Keep in mind some of the below items may not be available in your subscription tier. Contact your Onboarding or Success manager for more information.

1. Program Details page

  1. Use the description for a short intro to your company or program. No need to go into detail here! See for some examples.

  2. Define the assets in scope in the domains section. When helpful, please provide a description for each domain.

  3. Ensure the bounty table is set correctly. This may include making use of bounty tiers. Please have a look at our Bug Bounty Calculator to check what might be a good level for your bounties compared to a benchmark.

  4. Use the In Scope section to welcome and guide researchers. This may include helpful links, worst-case scenarios or special rewards.

  5. Define what's Out of scope for this program. This may include currently known issues. The pre-filled list is setup by Intigriti Triage to avoid noise submissions. Feel free to skim through this list and make adjustments.

  6. Ensure the severity assessment is set up correctly. Most often, companies will use the Intigriti Contextual CVSS

  7. Ensure the Rules of Engagement and Testing Requirements are setup correctly for your organisation

2. Emergency contacts

Emergency contacts can be setup in the in Admin Section/ Company information page. Setting this up will ensure you receive an automated text notification when a new critical or high report is submitted.

3. Budget​

Has the budget been uploaded and added to the program?

Please have a read through how the budgeting and autosuspension mechanisms work

4. Default Assignee

In the program menu / members, double check the default assignee is set correctly. This person will be automatically assigned when the submission is verified by triage

5. Email notifications

Also under program menu / members, make sure the right people have email notifications turned on.

Be aware that each user shoud define their own email notification preferences in their own profile.

6. Internal communication

  • Is the development team aware of the launch

  • Will there be some room to fix potential exceptional, critical and high severity issues in the near future?

  • Is the communication department aware in case of a public launch?

  • Is the operational team aware in case things like support forms or orders may be in the scope?

7. Test Credentials

Do you need to provide test credentials for your application? Are they ready to be distributed? Talk to your Success Manager to define the best way to deliver them to the researchers.

8. List of known Issues

Is there a list of known issues? Maybe the result of a recent pentest which still has some issues unresolved?

Ideally, this list is shared in the Out of scope section, so that researchers don't spend time on these findings. Alternatively for a public program, we advise to share this with Intigriti, so that the triage team can already close these out as duplicates in case they would be reported by a researcher as well. Please ask your Success Manager for the template.

9. Invite researchers

The Intigriti Success Manager will take care of this after the last step

What kind of restrictions should be taken into account?

This can be setup in the Program Settings section

E.g. Should the researchers be ID checked or should some countries be excluded?

Be sure to talk to your Success Manager about these restrictions so that Intigriti can take this into account when selecting researchers for your program.

10. Program Settings

Check all program settings in the program settings page:

  • Confidentiality of the program?

  • Researcher collaboration on?

  • ID-checked researchers only?

  • Who can see the leaderboard?

  • Additional Terms & Conditions?

  • Which statistics should be disclosed to researchers?

11. Final check by Intigriti

Did someone at Intigriti go over your program one last time, ensure there are no clarifications or changes needed? If not, please reach out to your Success Manager to make sure we cover this step.

  • Are the test credentials ready to be distributed and working?

  • Does the domain section make sense, for example that we didn't forget to include an API or accounts domain which is being called from the main application.

  • Double check all other program sections

  • Select and pre-invite researchers according to your requirements.

12. Prepare for incoming submissions

Please check the Submission handling article to understand what the submissions will look like as they are being reported, and which actions you can take, which actions the Triage team can take, how to communicate with researchers and more.

13. Understand what to do in case of unwanted behaviour

In the off-chance you would be seeing unwanted traffic on your applications, you can take a look at the following articles for tips on how to react:

Now, you're all ready! Best of luck with the launch of your program!

Did this answer your question?