Hybrid Pentests are the newest approach to security testing from intigriti, combining the best of both worlds from traditional pentests and bug bounty programs. Researchers conduct their search for security-relevant issues with the full attention of a traditional pentest and write a report that also highlights non-findings. At the same time, customers have access to the greatest minds of the intigriti community, and the cost scales directly with the impact of the findings, resulting in greater overall cost efficiency than traditional pentests.
This article will act as a guide to this type of program and cover the differences between Hybrid Pentest Programs and the "normal" continuous Bug Bounty programs.
Preparing a Hybrid Pentest
Customers with subscription tiers higher than "Essential" have the opportunity to request Hybrid Pentest Programs as a way to engage the community in this unique way, having a single researcher work on their program scope for a bespoke amount of time. To make sure that these programs are a success and the selected researcher can work properly on the pentest, the program is created under the oversight of intigriti staff and in consultation with an intigriti Hybrid Pentest Manager.
Not sure if you would be eligible for requesting a Hybrid Pentest Program? Reach out to our customer success team and see if it would be covered by your subscription!
Setting up a Hybrid Pentest
Drafts for Hybrid Pentest programs can only be created by intigriti staff, as by the time a program is created there should be certainty that the scope is appropriate and the desired approach to testing is feasible for researchers from our community.
Preparing Program Detail
The main differences from continuous programs are that a fixed timeframe for testing can be set out, together with a required minimum amount of time that the researcher should spend testing. Furthermore, the budget for Hybrid Pentests is composed of two parts. The first is a minimum that is paid to the researcher regardless of the result of the pentest, simply for their time spent; this is called the "base bounty". The second is a maximum that controls what can be paid out for findings, set as the so-called "bounty pool", from which all bounty payments for later accepted reports are made. A program's minimum cost is therefore equal to the "base bounty" (except in exceptional circumstances such as cancellations) and its maximum cost equal to "base bounty" plus "bounty pool". Even if more issues are found than the bounty pool could pay out, only payments covered by the sum of the bounty pool are made.
Beyond that, the template for Hybrid Programs is the same as for continuous programs:
Out of Scope
Rules of Engagement
Due to the different nature of Hybrid Pentest Programs, however, the scope of these programs will differ. Therefore, the program detail is either filled in by the intigriti Hybrid Pentest Manager or at the very least in direct consultation with them.
Adding budget to allow a program to launch
Before a program can be exposed to researchers for application, sufficient budget has to be added. As explained above, this requires adding a budget equal to the sum of base bounty and bounty pool. Budget can be added by either reallocating budget from other programs or the company budget to the Hybrid Program, or can be directly added by using the "Expand Budget" option.
Budget that is left unused at the end of a Hybrid Program can also be reallocated to other programs once there are no more open Pentests.
Staffing a Hybrid Pentest
When the program detail has been populated the program can be launched. Unlike in regular programs, however, that does not mean that testing will commence! The launch of a Hybrid Program merely allows researchers to apply to be the one to conduct the pentest as part of the program.
Unlike a continuous program, a Hybrid Program only has two confidentiality settings: "Application" or "Invite". "Application" makes the program visible to all researchers that are eligible for Hybrid Pentests so they can apply, while "Invite" requires specifically inviting researchers, who are then given the chance to apply. We usually recommend setting the Hybrid Program confidentiality to "Application", unless there are exceptional requirements such as only being able to work with researchers from particular countries. We also recommend opening a program for application or inviting researchers at least 3 weeks before the intended testing period, in order to allow a sufficient number of researchers to see and apply for the program.
The invitations for and applications from researchers can be reviewed under the "Researcher" tab of the Hybrid Program, or by clicking "Manage invites and applications" on the page with program detail.
Once satisfied with the application of a researcher and considering them a good fit for the pentest, their application can be accepted from the modal that is brought up with "Review application". This step is definitive and cannot be reverted, so be mindful not to accept researchers unless it is 100% certain that they should be selected for the pentest. When in doubt, this step should be confirmed with the Hybrid Pentest Manager.
Starting a Hybrid Pentest
Once the application from a researcher has been accepted, the pentest can be started from the program detail overview.
As the modal indicates, the pentest should not be started until the agreed date. Once a pentest is started, a researcher is able to make submissions.
Running a Hybrid Pentest
During a Hybrid Pentest, submissions received will be grouped under a "Pentest" object but are also available as usual in the program overview.
Submissions are checked by the intigriti Triage team as it would happen on any other program, taking away immediate concerns and ensuring that only submissions relevant to the scope of the program will need to be reviewed.
It is usually recommended not to accept submissions until the full duration of the pentest has been completed. For further questions in that regard, the intigriti Hybrid Pentest Manager is able to assist.
Accepting and Closing a Hybrid Pentest
At the end of the agreed-upon time window the researcher also submits a report summarizing their findings and non-findings. This report is available together with the submissions under the Pentest overview and becomes available once the researcher marks the pentest as "completed".
The pentest can then be reviewed in the pentest detail overview. Should additional information be required, this can be communicated to the researcher and the pentest can be set to "in progress" again. If the report is acceptable, it can be accepted using the dedicated button on the right-hand side of the screen.
Accepting a Hybrid Pentest will trigger the payout of the base bounty. Submissions can be handled independently from the pentest, with the usual workflow of a payout being created upon acceptance of a report. As already mentioned however, once the bounty pool is exhausted no new payouts are created (submissions can still be accepted though). Once all submissions have been handled, the pentest can be closed. This will prevent any further action on submissions of that pentest and trigger a final check of the bounty pool, ensuring that all necessary payouts have been created.
The Hybrid Program will also automatically close once all pentests and all submissions have been closed. This automatically reallocates any remaining budget from the Hybrid Program to the company budget, or allocates company budget to the Hybrid Program should there not be enough budget to cover the payouts on the Hybrid Program.