Community Code of Conduct
Written by Inti
Updated over a week ago

By using our platform, you agree to comply with our Terms and Conditions as well as this community-specific Code of Conduct. It outlines our requirements for all Intigriti members to keep the platform safe and open for everyone.

Disclosure terms

We believe that transparency is important and public bug bounty write-ups are a valuable source of knowledge for the bug bounty community. Companies, however, may have legitimate reasons not to disclose (fixed or unfixed) vulnerabilities.

If you want to disclose a submission to any party other than Intigriti and the company involved, regardless of its severity or its state, you need to get approval from both the Intigriti team and the concerned company. The request should be in the form of a comment in the report itself as we currently do not offer a disclosure feature within our platform. Prior to written approval from the Intigriti team and the company, it is not allowed to disclose any information related to your submission. This also includes report titles, vulnerability types, endpoints, comments, bounty amounts or the company name.


Collaboration

We support and encourage collaboration between researchers. Be careful not to share any confidential information such as company names, prior detected vulnerabilities and other data related to private programs.

You may only collaborate with individuals that already have access to the same (private) program as you do and have accepted the Researcher Guidelines and program scope and conditions. If you would like to collaborate with someone external to the program, please let us know, so we can ask the company if it is willing to invite the concerned person, prior to your collaboration.


Asking for updates

At Intigriti, we believe it is important to keep our researchers informed of the status of their reports. Everyone is entitled to a fair and proper analysis of their report, however in some cases, this can take a while. Bugs that might seem easy to fix from the outside sometimes take more time than expected to investigate and fix without breaking existing functionality. Programs also have to prioritise reports depending on their severity.

For that reason, report submitters may request an update every thirty days, even if the update is that there are no updates. We ask reporters to refrain from asking for additional updates before this period, as this could only lead to further delays.


Out of scope submissions

We understand that organisations benefit from large testing scopes and that vulnerabilities not within the scope can sometimes cause significant damage. However, we adhere to a strict scope for several reasons:

  • Legal reasons: Our researchers are provided a safe harbour and will not face any legal action on the condition that they follow the program’s rules. Were you to test out of scope assets without explicit permission from the company, you may expose yourself to legal complaints as ethical hacking without permission from the owner is illegal, even with the best intentions in mind. When in doubt, please use the program’s “Ask scope question” to clarify any questions you may have.

  • Putting the right focus: Some programs prefer to slowly expand their scope, to make sure that their core assets are covered first. This helps organisations prioritise tests and gives hackers fresh scope to work with from time to time.

  • Practical reasons: Some systems are very sensitive to being tested. We do not want unaware product teams to be bombarded with payloads, or unsolicited scans that may result in accidental Denial of Service.

  • Fairness: Focusing on assets that are out of scope and, thus, less tested provides an unfair advantage. We want to make sure that people who respect the scope do not miss out on potential bounties.

Of course, we strive to continuously evaluate scopes and make sure there is enough coverage. In case you think a scope is too limited, you can always let us know. In case you find an out of scope vulnerability by accident, please do report it, but do not expect a bounty and do not knowingly continue testing the out of scope vulnerable asset.


The use of illegal or cracked software

At Intigriti, we support the software creators that help our community members work more efficiently. We expect our community members to act ethically both as security researchers and as software users. We consider the use of pirated software for activities related to Intigriti (such as using an illegal copy of Burp Suite) a violation of our community guidelines. Intigriti reserves the right to report offenders to the affected companies, and may impose sanctions for repeat offenders. If you cannot afford a user license for a program you need, contact us and we will help you look for alternatives.

Out of bound communication

We only consider reports sent through our platform. It is important to keep sensitive information restricted to the platform, and to respect the wish of companies who have chosen to use it as a centralised solution for managing submissions.

Reaching out to customers directly is not allowed and may result in sanctions.


Hoarding of vulnerabilities

Privately holding on to information concerning active vulnerabilities for longer than needed, for example while waiting on scope changes or bounty promotions, is prohibited. We understand that vulnerabilities need time to be investigated, and as a general rule of thumb we expect a vulnerability to be reported no later than 48 hours after initial discovery on a live target (web, API, ...), unless more time is needed to properly investigate the vulnerability and write the report. Should you need more time to report a vulnerability, let us know so we can identify the intrusion as authorised. This does not apply to vulnerabilities that would not qualify to be reported as part of the program, without being part of a chain of vulnerabilities that are yet to be discovered.


Testing cost-incurring flows

Researchers are not allowed to test attack scenarios that could clearly result in a significant amount of costs for the target company (for example: reseller flows, SMS validation), unless explicit permission was given. In the event that a test resulted in additional costs for the company, the company reserves the right to deduct these costs from the bounty payout.

Data exposure & PII

Assets in scope may contain personal data or other confidential information of the customer, which you may gain access to in the context of your participation in a program. Personal data is any information that can be traced back (directly or indirectly) to a natural person. Examples include names, email addresses, telephone numbers, identification numbers, location data, physical characteristics, photos or activities of an individual, etc.

Unnecessary exposure to personal data in the company’s Assets should at all times be avoided. For that purpose, we ask you to limit your testing strictly to your own (test) accounts and not to target accounts of other persons.

Sometimes exposure to personal data may be unavoidable. When you encounter personal data you must, in addition to the terms of the Researcher Guidelines, respect the following rules:

  • Limit the exposure to the bare minimum (e.g. should you see a list of users and their personal data, do not load additional pages of personal data).

  • Only process personal data where needed to participate in the company’s program.

  • Do not download personal data from the company’s systems.

  • Do not alter personal data in the company’s systems.

  • Do not share personal data with any third party.

  • Describe the information that you were able to access, however, do not copy it or save it locally. Do not include it in screenshots or in your report to the platform, unless it is really necessary. If there is no other option, please redact or blur the exposed information and remove any references afterwards.

Third-party services for vulnerability reproduction and hosting

In an effort to reduce the risk of accidental leakage of proof of concepts, we ask you not to host any proof of concepts or reproduction videos outside the platform, but to include them as an attachment instead. If it is not possible to host the file on the platform due to technical limitations, we ask you to host the files within a password-protected ZIP file stored in a secure location, with the password included in the report.

The usage of unapproved third-party (pen)testing tools, such as XSS Hunter, is not allowed if the tool processes personal information or vulnerability reproduction information. Pingback services such as Burp Collaborator are allowed unless explicitly disallowed in the programs' policies.


Intrusive testing

Be gentle when conducting automated tests or scanners. Some programs may disallow automated testing of any kind, or impose rate limits. It is of utmost importance to follow these rules, as a violation may cause service degradation. Do not conduct any disproportionate testing that may affect service performance. In the event that you notice slower response times or unexpected behaviour that may be related to your testing, make sure to tell us about it.

Do not execute intrusive commands within production environments

Invasive queries and commands should be limited to the absolute minimum necessary to prove their impact. For example, use simple tests such as a "hello world" message, checking the database version, or retrieving the database name. Commands such as phpinfo(), which may reveal sensitive data, variables, or keys, are discouraged and only allowed when absolutely required. Additionally, no write operations or data manipulation should be performed without explicit permission from the platform administrators. Participants must prioritize the integrity, security, and privacy of all systems and data.


Pivoting

Once you gain access to an authenticated or restricted environment (such as an admin panel, internal network, filesystem), please cease testing and report the vulnerability immediately. This helps us reduce the risk of unnecessary exposure of private or confidential information. We will consider the maximum impact in our analysis, and you’re free to suggest additional investigation steps, or ask for permission to conduct further testing.


Behavioural guidelines

Intigriti is a platform where Information Security enthusiasts and businesses come together in a professional environment. We ask all our community members to treat others the way they want to be treated: with respect and understanding. Professional language is expected from community members, security analysts and our customers. If you disagree with the outcome of a vulnerability report, you can always ask for mediation, but please refrain from flooding triagers, company members or Intigriti staff members with messages.

We do not condone nor tolerate any kind of sexist talk or offensive behaviour. Intigriti is an inclusive and open community for everyone. Hackers from all walks of life are welcome whether they are women, men or non-binary, and regardless of their origins and religion.

Any type of discrimination, racism, sexism, harassment and bullying towards our community members, security analysts or company members will not go without consequences.

The same applies to reprehensible acts such as extortion, blackmail attempts, impersonating and social engineering community members, programs or Intigriti staff.

Dishonesty when submitting vulnerabilities must also be avoided. Favour quality over quantity. Do not resort to toxic practices like submitting placeholder reports with the intention of claiming the duplicate after another person submits an actual finding.

Do not spam programs with low quality findings or findings you do not understand.

These practices only create noise and divert security analysts and programs from the actual vulnerabilities on which they should be focusing.

Deliberate disruptive testing is also sanctionable. This includes tampering with test environments to exclude other researchers, and exploiting vulnerabilities found to disrupt normal business operations, tamper with existing client accounts, exfiltrate sensitive data beyond what is needed for a Proof of Concept, etc.

When in doubt, you can inform us of the attack scenario and risks in the report itself, and wait for permission to go further.

Intigriti has the right to remove individuals from the platform if they pose a threat to the integrity, reputation and perception of the ethical hacker community. The broader acceptance of vulnerability research and ethical hacking has come a long way, and we believe it is our task to further facilitate and support this direction.
Examples of harmful behavior towards the broader community include: the spread of statements that are classified as misinformation by third-party fact checkers, off-platform activities that can be considered unethical and/or illegal, such as the development and sale of malware and/or hacking tools intended to cause harm, or the practice of asking compensation for unsolicited vulnerability reports also known as 'beg bounty'.


Sanctions

In order to build a respectful, ethical and safe community, failure to comply with the Researcher Guidelines or our code of conduct will result in warnings or sanctions. Every individual case will be carefully reviewed by our community board of experts, which will determine the extent of the sanction based on the following criteria:

  • Intent: was the action a deliberate violation?

  • Impact: does the violation have a damaging impact, either physical, financial, relational or emotional?

  • Repeat violations: every violation will result in action, but measures will increase for repeated violations.

Violating accounts may be temporarily restricted until the board has taken a decision.
Sanctions may also be imposed for behaviour that occurs outside the platform (e.g. sexist comments towards community members on social media), or on other platforms.


Types of sanctions

Depending on the deeds perpetrated, the community board may choose to issue the following sanctions:

1. Warning: a formal warning is given and no further actions will be taken at this stage. Further violations of the code of conduct may result in more severe sanctions.

2. Invitation restrictions: you’ll still be able to use the platform, but will not qualify to get any additional invites for a given period of time. The board may decide to revoke any existing invitations.

3. Payment restrictions: you’ll still be able to use the platform, but will not be able to claim any monetary rewards. This only applies to submissions submitted during the restriction, of which you will be formally notified. Submissions submitted before the restriction will still be processed, unless these reports were the cause of violation. You’ll still be able to donate your bounties to a recognised charity of your choice. Payment restrictions can either be temporary or permanent.

4. Platform restrictions: you will not be able to use the platform. Platform restrictions may be temporary or permanent.

Sanction evasion

Trying to evade or bypass our sanctions, for example by creating multiple accounts, is not permitted and may result in additional sanctions and restrictions.

Right to appeal

In case you do not agree with restrictions imposed on your account, you will have the right to appeal your sanctions every 30 days. The community board will review your request and let you know the outcome, but will only reverse sanctions if it is determined that previously imposed sanctions were not proportional or if the sanctioned behaviour has drastically changed. If requested or needed, a group of independent experts from the University of Leuven will determine whether appeal is granted.

Responsible disclosure of vulnerabilities while being restricted

We believe that responsible disclosure of potential security vulnerabilities should be possible at any time, even when your account is restricted. Whilst we cannot issue rewards for vulnerabilities found within the period of account restriction, we can help you to responsibly disclose vulnerability details to the affected vendor. Contact support@intigriti.com should you need to responsibly disclose a vulnerability to an Intigriti customer, but are unable to do so because of platform restrictions.

Please do understand that, if your platform account is restricted, during such restriction you have no permission to use ethical hacking techniques against assets in scope of programs.

International laws and sanctions list validations

We may be unable to work with individuals who are on sanctions lists, linked to organisations that are on a sanctions list or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on international sanctions lists. There may be additional restrictions on your ability to enter depending upon your local law or any international laws.

Your tax and financial obligations

If you are entitled to receive a bounty payment, we will notify you and you may send us an invoice for the corresponding amount. Your invoices must contain all required information and statements to be legally valid. If you do not invoice your bounty, Intigriti will issue a tax sheet in accordance with the applicable Belgian legislation.

Please note, for compliance reasons, we may require you to have your identity verified and/or to provide additional information, before we make a payment to you.

You must declare all bounty payments you receive to your (tax) authorities, in accordance with the laws applicable to you.

Depending on the frequency of your activities and whether you act in a professional capacity, you may be required to:

  • Join a social and/or health insurance fund for self-employed and pay social contributions on amounts received;

  • Register at the crossroads bank for enterprises;

  • Register with the VAT authorities.

You will be responsible for payment of all corporate and/or personal income taxes, service taxes, duties, fines, levies and other taxes and (social) contributions, that may be due by virtue of your receipt of bounty payments, and will fully indemnify Intigriti in this context.

For Belgian residents or researchers operating from a location in Belgium, more detailed information can be found here:

Changes

We may change this Community Code of Conduct from time to time. If we make significant changes, we will notify you at the latest fifteen (15) days in advance of such intended changes.
