By default, researchers have to comply with Intigriti's standard Terms & Conditions (https://go.intigriti.com/tac). This already means that they are bound to certain rules when they start working on your program. For example, researchers cannot use (D)DoS attacks or social engineering. They have to report vulnerabilities to the program immediately and cannot disclose information without written consent given in the platform.
However, it can be useful to add further restrictions on top of that, and to explain how you expect researchers to behave and what they can expect from you.
Intigriti's Rules of Engagement is the place to define these items. The rules of engagement will be shown immediately underneath the bounties to the researchers:
The rules of engagement consist of three parts:
- Testing requirements - rules
- Rules of engagement - free text
Defining specific testing requirements has the benefit that they immediately stand out: they are visible right underneath the bounties for the researcher.
We have 5 default requirements to choose from.
You can then add any additional requirements, which are not default, into the Rules of Engagement free text field.
The options you can choose from for testing requirements are:
- Automated tooling: If you are moving to an Application / Registered / Public program, we strongly advise specifying a rate limit for automated tooling. If you are experiencing operational impact because of too much traffic, we advise adding this requirement and sending out an update.
- Use of @intigriti.me email address: Many customers identify researchers by their use of an intigriti.me email address. They recognise the actions and can mark them as not malicious, automatically cancel orders, or grant extra privileges to the intigriti.me accounts.
- Header: Refers to our researchers setting a specific request header during the security testing. This makes it easier to clean up log files or perform incident response. An example can be: `X-Bug-Bounty: <username>`.
- User agent: Refers to our researchers setting a specific User-Agent header during the security testing. This makes it easier to clean up log files or perform incident response. An example can be: `User-Agent: Intigriti - <username> - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36`.
Both the Header and the User agent requirement can be used to identify whether researchers are testing your scope, and could also be used to identify out-of-scope testing.
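As an added example (not part of Intigriti's documentation or platform), the script below shows how a program owner could use the header and User-Agent requirements above on their own logs: it tags requests carrying the `X-Bug-Bounty` header or the `Intigriti - <username> - ...` User-Agent as researcher traffic, flags tagged requests to hosts outside the program scope, and checks each researcher's per-minute request count against an assumed automated-tooling rate limit. The request records, host list and rate limit are constructed for the example; a real WAF or proxy export would have different field names.

```python
import re
from collections import defaultdict

# Assumed program settings for this example (not Intigriti defaults).
IN_SCOPE_HOSTS = {"app.example.com", "api.example.com"}
RATE_LIMIT_PER_MINUTE = 60

# The User-Agent format suggested in the testing requirements:
# "Intigriti - <username> - <browser string>".
UA_PATTERN = re.compile(r"^Intigriti - (?P<user>[^ ]+) - ")

# Constructed sample requests (not real traffic). Field names are assumptions.
SAMPLE_REQUESTS = [
    {"ts": "2024-03-01T10:00:01", "host": "app.example.com", "path": "/login",
     "headers": {"X-Bug-Bounty": "alice", "User-Agent": "Mozilla/5.0"}},
    {"ts": "2024-03-01T10:00:09", "host": "app.example.com", "path": "/account",
     "headers": {"x-bug-bounty": "alice", "User-Agent": "Mozilla/5.0"}},
    {"ts": "2024-03-01T10:01:30", "host": "api.example.com", "path": "/v1/orders",
     "headers": {"User-Agent": "Intigriti - bob - Mozilla/5.0 (Windows NT 10.0; Win64; x64)"}},
    {"ts": "2024-03-01T10:02:00", "host": "staging.example.com", "path": "/admin",
     "headers": {"User-Agent": "Intigriti - bob - Mozilla/5.0 (Windows NT 10.0; Win64; x64)"}},
    {"ts": "2024-03-01T10:02:45", "host": "app.example.com", "path": "/",
     "headers": {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64)"}},
] + [
    # A burst of 70 tagged requests inside one minute, to exercise the rate check.
    {"ts": f"2024-03-01T10:05:{i % 60:02d}", "host": "app.example.com",
     "path": f"/search?q={i}",
     "headers": {"X-Bug-Bounty": "carol", "User-Agent": "python-requests/2.31"}}
    for i in range(70)
]


def _header(headers, name):
    """Case-insensitive header lookup; HTTP header names are case-insensitive."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def identify_researcher(headers):
    """Return the researcher's username if the request follows either testing
    requirement (X-Bug-Bounty header or tagged User-Agent), otherwise None."""
    user = _header(headers, "X-Bug-Bounty")
    if user and user.strip():
        return user.strip()
    match = UA_PATTERN.match(_header(headers, "User-Agent") or "")
    return match.group("user") if match else None


def triage(requests, in_scope_hosts=IN_SCOPE_HOSTS, rate_limit=RATE_LIMIT_PER_MINUTE):
    """Split traffic into researcher/untagged, flag out-of-scope researcher
    requests, and report researchers whose busiest minute exceeds rate_limit."""
    tagged = defaultdict(int)
    untagged = 0
    out_of_scope = []
    per_minute = defaultdict(lambda: defaultdict(int))
    for req in requests:
        user = identify_researcher(req["headers"])
        if user is None:
            untagged += 1
            continue
        tagged[user] += 1
        if req["host"] not in in_scope_hosts:
            out_of_scope.append((user, req["host"], req["path"]))
        per_minute[user][req["ts"][:16]] += 1  # "YYYY-MM-DDTHH:MM" bucket
    rate_violations = {
        user: max(counts.values())
        for user, counts in per_minute.items()
        if max(counts.values()) > rate_limit
    }
    return {
        "tagged": dict(tagged),
        "untagged": untagged,
        "out_of_scope": out_of_scope,
        "rate_violations": rate_violations,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REQUESTS).items():
        print(f"{key}: {value}")
```

Untagged traffic is not necessarily malicious, and tagged traffic is not automatically benign; the tags only let you separate expected researcher activity from everything else when cleaning logs or triaging an alert, and the out-of-scope and rate findings are the facts you would cite when sending a researcher a reminder of the program's rules.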
Programs created before the release of this feature have no testing requirements by default. Once the Rules of engagement section has been updated, the requirements will be shown.
Rules of engagement
The rules of engagement are the place to specify what you expect from the researchers. Anything that is strictly forbidden but does not fall under the Out of scope section or the general T&Cs can be mentioned here, for example:
- Researchers cannot complete orders on weekend days
- Researchers should not create accounts on the scope
You can also describe the way you will be interacting with the researchers: how much time you aim to take before getting back to them, and whether you plan on giving any bonuses.
=> We advise you to keep this section as concise as possible to improve reading rates.
Below you can find our default RoE text:
By participating in this program, you agree to:
- Respect the Community Code of Conduct (link to https://go.intigriti.com/coc)
- Respect the Terms and Conditions (link to https://go.intigriti.com/tac)
- Respect the scope of the program
- Not discuss or disclose vulnerability information without prior written consent (including PoCs on YouTube and Vimeo)
You can tick the Safe harbour checkbox: the researcher will then see "Safe harbour included", with the text collapsed by default.