Skip to main content

Handling submissions

Updated over a week ago

Handling submissions is a core part of running a successful vulnerability disclosure or bug bounty program. A structured and consistent approach helps your team quickly identify valid security issues, filter out noise, and communicate decisions clearly to researchers. By handling submissions thoughtfully, you support efficient remediation, fair researcher evaluation, and long-term program quality.

Handling pending submissions

⚙️Roles: Company Admin, Program Admin, Program Editor, Program member, Group member (only when the group is linked to the submission)

Validate the report

For programs with managed triage, your organization receives submissions that the Intigriti Triage team has assessed as unique, reproducible, and in scope. These findings are forwarded for your review so you can decide whether to accept them and remediate the issue or treat them as an accepted risk based on your internal context and priorities.


As an exception, submissions that demonstrate clear business impact but fall outside the strict scope definition may still be forwarded to you for a final decision, rather than being closed during triage.

💡Note: Use the Awaiting feedback flag to indicate that a submission requires additional information. When this flag is enabled, the submission is highlighted in the researcher’s inbox and stands out from submissions with general messages.

Review severity

The Intigriti Triage team provides an initial severity assessment based on the severity criteria defined in your program. This assessment reflects their best estimation using the information available during triage. However, triage may not always have full insight into the final business impact of a finding, and you remain free to adjust the severity after review.

💡Note: When changing the severity, it is strongly recommended to provide clear context through a submission message. Explaining why the severity was adjusted helps maintain transparency and avoids discouraging researchers from continuing to participate in your program.

If needed, you can use the CVSS calculator in the platform to recalculate the CVSS score and support your decision. Any changes to severity should align with the rules of engagement you defined in the Severity assessment section of your program definition.

⚠️Beware: Accepting a submission locks the severity because it directly determines the bounty amount. Ensure the severity is final and internally agreed upon before proceeding with acceptance.

Check uniqueness

Not all similar submissions should be handled in the same way. Correctly distinguishing between duplicate, related, and known vulnerability reports helps ensure fair researcher evaluation, accurate reporting, and efficient remediation.

A duplicate submission reports the same underlying vulnerability as an existing submission. Two reports are considered duplicates when they share the same root cause and can be resolved by the same fix, even if the proof of concept, endpoint, or exploitation method differs slightly. When this is the case, link the submission to the original report and close it as Duplicate. Duplicate submissions are still considered valid findings and should be handled consistently.

A related submission describes a similar vulnerability pattern but affects a different root cause or requires a different fix. This can include the same vulnerability type occurring on different assets, endpoints, parameters, or code paths. Related submissions are not duplicates and should be reviewed individually, as they may require separate remediation and may warrant separate rewards.

A known vulnerability refers to an issue your organization is already aware of, for example from a penetration test report, internal backlog, or previous assessment, but that has not yet been reported through the Intigriti platform. If a researcher reports such an issue for the first time on Intigriti, it should generally be treated as a valid submission unless your program rules explicitly state otherwise.

💡 Note: To avoid unnecessary duplicate submissions and inconsistent decisions, provide the Intigriti Triage team with a clear list of known issues and document them in your program details. This helps triage accurately identify duplicates and known vulnerabilities and gives researchers better visibility into what has already been identified.

Add workflow data

Adding workflow data to a submission helps your team manage and process findings more efficiently. By enriching submissions with tags, custom submission fields, and internal references, you can capture internal context such as internal scoring, prioritization, remediation status, or follow-up actions. This structured information improves filtering, reporting, and collaboration across teams, and ensures that submissions can be tracked consistently throughout their lifecycle.

Accepting a submission

Once a submission has passed all checks, you can accept it and reward the researcher. When a submission is accepted, a bounty payout is automatically created based on the severity or CVSS score and the bounty tier of the linked asset, unless the custom bounties feature is enabled.

💡Note: If a submission is accepted without a linked asset that is part of your program's scope and thus classified as asset 'Other', no bounty is awarded upon acceptance. If you believe the researcher should still receive a reward in these cases, you can award a bonus instead.

In both cases the researcher will be rewarded reputation points an be listed as a progrma contributor.

Rejecting a submission

Rejecting a submission means that the reported issue hasn't passed all checks. This can happen for several reasons, such as the finding being out of scope, not reproducible, informative only, or a duplicate of an existing report.

When rejecting a submission, select the close reason that best reflects your assessment and add a clear explanation in a submission message. Providing context helps researchers understand the decision and supports transparency and fair evaluation.

Resolving a submission

Resolving a submission indicates that the reported vulnerability has been fixed and should no longer be detectable.

Before resolving a submission, consider requesting a retest to have the researcher verify that the fix is effective. Retesting helps avoid premature closure and ensures vulnerabilities are properly remediated.

⚠️Beware: Once a submission is resolved, any future reports of the same issue are treated as new vulnerabilities, since the original finding was considered fixed by your organization.

Awarding a bonus

Awarding bonuses allows you to reward researchers independently of the submission state and without relying on standard bounty calculations. Bonuses can be granted at any point in the submission lifecycle and are commonly used to recognize exceptional effort or value, such as out-of-scope findings with significant impact, particularly well-written reports, advanced testing techniques, ...

Using bonuses thoughtfully helps reinforce positive researcher behavior and maintain a strong relationship with the community.

Best practices

  • Review submissions promptly to avoid unnecessary delays and reduce researcher frustration.

  • Use submission messages generously to communicate with researchers. Clear communication and appreciation are key to building a loyal community. Even a simple thank you for the submission can go a long way.

  • Apply scope rules and close reasons consistently to maintain fairness and data quality.

  • Link duplicate submissions to the original report to preserve reporting accuracy.

  • Communicate clearly and respectfully, especially when rejecting submissions.

Related articles

Did this answer your question?