Disputes between hackers and companies can be resolved by opening a mediation case. Reporters, collaborators, and customers may seek Intigriti’s advice as part of an official mediation case. In some cases, the Intigriti triage, community or success team may proactively open a mediation case on behalf of a reporter or company.
Initiation: First, an official request for mediation needs to be submitted. This can be done through our various support channels, or on the report itself in a comment.
Acknowledgement: An Intigriti employee will acknowledge your mediation request and open a mediation case on your behalf. This can take up to two working days.
Investigation: A mediator outside of the triage team will investigate your case. Individuals with a conflict of interest, such as ex-employees of the company or acquaintances of the requester, are disqualified from running a mediation investigation. The investigator can decide to close or escalate the mediation case. This decision can take up to 30 days, starting from the date that the mediation case was officially filed and acknowledged.
Escalation: The investigator may decide to escalate your case to the customer’s success manager. An escalation does not serve as an acknowledgement in favor of either party; its objective is to gather more information in order to reach a conclusion. In this process, a mediation requester may be asked to join a call with the customer, which they can refuse. Intigriti will never provide the company with a mediation requester’s personal details in this process.
Resolution: There may be several outcomes:
1. Intigriti rules in favor of the hacker
If the Intigriti mediation team agrees with the arguments laid out by the hacker, it will propose a counteroffer to the company. If the company does not offer compensation that the mediation team deems fitting within 30 days, Intigriti will match the proposed compensation up to a maximum of €100 for low severity reports, €250 for medium severity reports, €500 for high severity reports, €750 for critical severity reports, and €1,000 for exceptional severity reports (severity as assessed by the Intigriti mediation team). One compensation can be claimed per researcher, per program, per 90-day period, counted from the creation of the submission. If a program has more than 5 unsuccessful mediation claims per year in which Intigriti has sided with the hacker, it may be suspended from the platform.
In the event of a human or technical error on Intigriti's side resulting in a direct loss of bounty opportunity for a researcher, reporters may also be eligible for compensation with the same maximum values per severity as described above. This only applies to erroneous decisions made by Intigriti triage or mediation team members, and to situations in which correct report handling would have resulted in a higher payout. This explicitly excludes severity assessment disputes, as the final severity decision is always at the discretion of the company.
2. Intigriti rules in favor of the company
If the Intigriti mediation team agrees with the arguments laid out by the company, no changes will be made to the report. The hacker is entitled to a clear and transparent explanation of the decision.
3. There is no clear outcome
If both parties bring valid arguments to the table, and the verdict is unclear, for example in a discussion about a business impact modifier that was correctly applied, Intigriti will issue a swag voucher worth €75 to the reporter.
Exceptions to our mediation policy
Out of Scope vulnerabilities
If a vulnerability has been discovered on a domain or asset that was not explicitly in-scope for the program at the time of reporting, or if the vulnerability type is explicitly out of scope, we will not be able to assist the reporter in changing the outcome of the decision. If a scope change was made as a direct result of a report, we may suggest a scope improvement bonus, to be issued at the discretion of the company.
If no code changes are to be introduced as a direct result of the reporter’s submission, we will not suggest issuing a reward. In some cases, we may challenge the decision not to remediate the issue, ensuring the risk is fully understood by the company. If the code base is not changed, but the documentation is made clearer because of the report, we will suggest a documentation improvement bonus. This bonus will be issued at the discretion of the company.
Code of Conduct violations
If either party has violated the code of conduct during the testing that led to the submission, the creation of the report itself, or the follow-ups afterwards, we may rule in favor of the other party.