The first submissions are being reported on your program, great! Now, what's next?

First, the triage team will validate or reject submissions. For more information on how Triage interacts with the submissions, please see this article.

When the submissions have been validated, they go into the Pending queue, which will be your main working queue on the Intigriti Platform.

What are the options?

  1. Accept

  2. Rejecting

  3. Communication with Triage and Researchers

  4. Bonus

  5. Closed / Archived

  6. Duplicates?

  7. Out of scope?

  8. Can I change the severity?

1. Accepting​

When you accept the vulnerability and it is eligible for a bounty, the process to payout the bounty will be initiated. The researcher will also be awarded their reputation points.

In case a submission is accepted under the "other" domain, the bounty will be set to 0 but the reputation points will still be awarded.

Of course, you can change the severity of a submission as well. We strongly advise to give context with your decision to change the severity of a submission, as to not discourage the researcher and help them understand why the Business Impact is lower than estimated.

2. Rejecting ​

Rejecting with positive or neutral implications for researcher

  • Duplicate (researcher gets reputation points)​

  • Accepted risk (no impact)​

  • Informative (no impact)​

Rejecting with Negative effect

All the below actions will negatively affect the validity ratio of the​ researcher

  • Out of scope​

  • Spam​

  • Not applicable​

=> Please provide context when rejecting a submission!​

3. Communication with Researchers and Triage

If you scroll down to the bottom of the submission page, you will get to the messaging section.

Everyone:

Messages visible to everyone on the submission, including the researcher.

Both triage and program members can use this messaging functionality to ask questions or communicate to researchers.

Use the "Awaiting Feedback" flag to push this submission to the top of the to-do list of the researcher.

Best practice:

We strongly advise to use this section generously to communicate. Communication and appreciation are a key element of building a loyal community base. A simple "thank you for your submission" can go a long way!

You can also use this functionality to ask researchers to confirm after you have resolved the issue on your side, or to simply ask for more information.

Internal

Internal comments cannot be seen by the researcher, but can be used as a communication tool between your organisation and the triage team in case of questions or clarifications.

4. Bonus

At all times, you can give a bonus on a submission, after accepting it, but also after the submission has been resolved and set to closed, or archived or when the report was rejected.

5. Resolved/Closed and Archived

After a submission is marked as resolved on the platform, it will move from the Accepted queue into the Closed folder. Marking a submission as resolved, means that the issue has been fixed and can no longer be detected ( or should no longer be detectable). Sometimes, this will trigger a researcher to check if it is indeed fixed.

This also means that if this finding is sent in again, it will be considered as a new vulnerability, since it was considered Resolved by the company.

Some vulnerabilities will go straight from the Triage or Pending queue into the Closed folder if they are deemed unvalid or out of scope.

After two weeks, submissions in the Closed will automatically move to the Archived folder in case no more updates happen on the submissions.

6. Duplicates

Are you not sure if a submission should be seen as a duplicate? Please see our help article on duplicates for a best practices:

http://kb.intigriti.com/en/articles/4917102-duplicate-related-or-known-vulnerability-reports

7. Out of Scope

As described in this article, triage will sometimes send a submission to Pending, even though it is out of scope. Please see the following article on out of scope submissions:

http://kb.intigriti.com/en/articles/5192108-out-of-scope-findings

8. Can I change severity after validation by Triage?

The Intigriti Triage team will give their best estimation on the severity of an issue, according to the severity assessment specifications on your program. Triage does not always have all the information needed to make a decision on the final business impact a certain finding might have. Therefore, you are of course still free to change the severity.

We strongly advise to give context to the decision to change the severity as to not discourage the researcher from continuing to hunt on your program.

You can do so in the Severity section of the submission - click Edit

Then, you can choose a different severity.

Please provide context as to why you're making the decision to change the severity.

You can also use the cvss calculator to re-calculate the cvss in the platform.

The rules of engagement regarding switching the severity will depend on what you have defined in the "Severity assessment" section of your program definition.

If you are using the contextualised cvss standard, you can downgrade by one level from the cvss calculation but upgrade by all levels.

Did this answer your question?