The Intigriti Triage team validates the submissions on your program, making sure you are notified only of valid and unique submissions. They close out duplicate and out-of-scope submissions, so that you work only on valid vulnerabilities and do not spend time on submissions that add no value.
What actions can you expect from Triage?
Check if the report is valid - The triager checks if the report is reproducible, and if not, they will communicate with the researcher for more information until it is clear.
Assess severity - Triage does this according to the severity assessment defined in your program description. They take business impact into account, but this is subject to change. You can change the severity yourself after Triage.
Check if the report is unique - Triage will close out duplicates, based on previous submissions or a list of known issues (e.g. a pentest report, which can be shared with us).
Check if the report is within the scope of the program
They will close it out if the report is clearly out of scope and not impactful
Undecided - when we are not sure whether the report is out of scope, e.g. when it includes demonstrated business impact but would be strictly out of scope according to the description, we leave the decision with you.
Communication - Triage can ask internal questions on the ticket in internal messages. Additionally, they will communicate with researchers in "all messages" to let the researchers know if they were able to verify the issue, or if they need more information.
For how to handle submissions after this step, while the submission is in Pending, please see our article on Handling Submissions.