1. Responsible disclosure policy / Vulnerability disclosure policy
2. Security.txt standard
3. Overall Tips & Tricks
4. Linking to a Public or Registered program (preferred)
5. Linking to a Private program (not preferred)
6. Linking to an Application program

Responsible disclosure policy / Vulnerability disclosure policy

Many organisations have a responsible disclosure page on their website, to ensure that anyone can report a vulnerability if and when they find one.

This can also be used as a means of highlighting the security of your organisation, for example towards customers or auditors.

For best practices on running a responsible disclosure program, please see our blogpost:

https://blog.intigriti.com/2021/05/19/vulnerability-disclosure-programs-vs-bug-bounty/

Security.txt standard

If your organisation does not (yet) have a responsible disclosure (or equivalent) webpage to let people know you are welcoming security vulnerabilities, using the security.txt standard is an easy way to do that.

You can do so by creating a text file called security.txt under the .well-known directory of your project.

Find out more information about this standard on https://securitytxt.org.
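As an added example (not from this article or from Intigriti), the Python snippet below parses a security.txt file and checks the field rules from RFC 9116, the RFC behind securitytxt.org: at least one Contact, exactly one Expires that lies in the future, and Preferred-Languages at most once. The sample file and every URL in it are constructed placeholders.

```python
# Added example, not part of the Intigriti article: a small RFC 9116 sanity check
# for a security.txt file. SAMPLE is constructed; all URLs in it are placeholders.
from datetime import datetime, timezone

SAMPLE = """\
# Please report vulnerabilities through our Intigriti program (placeholder URL)
Contact: https://app.intigriti.com/programs/example/placeholder
Contact: mailto:security@example.com
Expires: 2099-12-31T23:59:00Z
Preferred-Languages: en, nl
Policy: https://example.com/responsible-disclosure
"""

def parse(text):
    """Return {lowercase field name: [values]}; comment and blank lines are skipped."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        key = name.strip().lower() if sep else "_malformed"
        fields.setdefault(key, []).append(value.strip() if sep else line)
    return fields

def check(text, now=None):
    """Return a list of problems; an empty list means the file passes these checks."""
    now = now or datetime.now(timezone.utc)
    f = parse(text)
    problems = []
    if "_malformed" in f:
        problems.append("line(s) without a ':' separator: %s" % f["_malformed"])
    if not f.get("contact"):
        problems.append("Contact is required (at least one)")
    for c in f.get("contact", []):  # RFC 9116 requires a URI; common schemes only here
        if not c.startswith(("https://", "mailto:", "tel:")):
            problems.append("Contact should be a URI, got %r" % c)
    exp = f.get("expires", [])
    if len(exp) != 1:
        problems.append("Expires must appear exactly once")
    else:
        try:  # ISO 8601 timestamp; 'Z' is rewritten so fromisoformat() accepts it
            if datetime.fromisoformat(exp[0].replace("Z", "+00:00")) <= now:
                problems.append("Expires is in the past")
        except (ValueError, TypeError):  # unparsable, or naive (no timezone)
            problems.append("Expires is not a timezone-aware ISO 8601 timestamp")
    if len(f.get("preferred-languages", [])) > 1:
        problems.append("Preferred-Languages may appear only once")
    return problems
```

Run `check(open(".well-known/security.txt").read())` against your own file; an empty list means the required fields are present and Expires has not passed.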

Overall Tips & Tricks

Wait until your program is Public to refer to it on your responsible disclosure page

When your program is public, anyone can easily find your program, you have a direct link to it and anyone can register on Intigriti and submit their finding.

As long as your program is running privately, there is no direct link and not everyone can submit a vulnerability.

There are ways around this (described in the next sections of this article), but in our experience it is preferable to only link towards your program from your website once you've moved to an Application, Registered or Public program.

Decide how much detail you want to add to your webpage

Some companies simply have a statement on their Responsible Disclosure page referring directly to the Intigriti program without much further detail.

Others may choose to include more detail on the webpage as well, such as the rules, what is out of scope and what to include in a report.

Decide if you still allow submissions through your email inbox as well

In order to allow anyone, with or without a researcher account on Intigriti, to report a vulnerability, you may opt to keep the option of disclosing vulnerabilities to an email inbox open as well. In this case you can specify that, in order to receive a reward, vulnerabilities have to be reported through the Intigriti program, while still giving anyone the option to report through your email address.

This leaves the accidental finder (e.g. a customer or a user of your product) an easy way of reporting vulnerabilities and at the same time it is clear that any researcher interested in a monetary reward needs to go through your program.

This is completely optional, since creating a researcher account on Intigriti is straightforward to do.

Another option would be to include some more steps in between and add a direct link to the Intigriti sign up page on the site as well.

Preferred option: Link towards a Public or Registered program

One option is to simply link to your Intigriti program from this page to ensure all vulnerabilities are reported through Intigriti, so that you avoid spending time and resources handling vulnerability reports in your security@ inbox. The triage team will handle and filter out any out-of-scope and duplicate submissions, and the Intigriti platform will take care of all payments in case a bounty or bonus is paid.

This works best if your program is Registered or Public.

Find your public link by going to the Intigriti.com homepage and browsing the list of public programs for your program.

Registered programs will not be visible on the public website. In that case you can explain that when they create an account on Intigriti.com, they will have access to the program and will be able to submit their vulnerability.

What if the Intigriti program is private?

This means that researchers have to be invited to your program.

Ideally, private programs are not linked on public websites, because they cause administrative overhead, since researchers have to request access to the program. It can also defeat the purpose of having a private program: you want to invite only the researchers you know, not everyone who requests to be added.

Please also add an email address where researchers can reach you (e.g. security@) or another way of contacting you directly on the website. This way, researchers can let you know their username so you can invite them to your private program. At this stage, to ensure there is no barrier, you can also continue to give them the opportunity to report a vulnerability through your email address for as long as the program is running privately.

You'll need to explain that they have to sign up as a researcher on the platform and send their username to you, so that you can then invite them into the program.

You can do this through the Researchers tab:

Then click the "+" sign to invite researchers:

Then type the username in the "filter" bar on the right hand side to find the researcher and invite them:

What if the Intigriti program is Application Only?

An Application Only program is publicly visible on the Intigriti website, but only researchers who have applied and been accepted can submit vulnerabilities. This has the same effect as a private program: researchers still need to be accepted. In this case, just as for a private program, we advise leaving a way of contacting you to be added to the program.

To accept researchers' applications on the platform, go to the Researchers tab of the program and review the applications:

In the screenshot below, there is a new application to be reviewed:

The researcher may optionally have entered a motivation to participate in the program, which you can review before accepting or rejecting the application. Once accepted, they have access to the program and can submit their reports.
