Welcome! This article will guide you through your first steps on our platform as well as help you familiarise yourself with the concepts of Bug Bounty, responsible disclosure and our hybrid penetration tests.

While we give a brief explanation below on the concepts and focus more on the how-to in the knowledge base, the Intigriti Blog offers plenty best practices and tips & tricks!

Read from our hackers directly how they look at bug bounty, what (de-)motivates them and how to keep your program engaging!

A bug bounty program links organisations who want to become more secure, with ethical hackers who have the skills and knowledge to do exactly this.

On the Intigriti platform, you define the scope of your program (what the researchers can hack on and what they cannot hack on) as well as the money you want to pay for several levels of security issues. E.g. for a critical security issue, you may want to pay 2000 euro, whilst for a medium bug you would be willing to pay 500 euros.

The researchers on the platform allow you to tap into a wide set of skills, which would otherwise not be available to you and therefore, your landscape and your (customer's) data is better protected with more eyes keeping watch.

By contrast, in a typical penetration test, you are depending on the skillset of one person whereas in a Bug Bounty program, you can incentivise researchers with many different areas of expertise to help make your product more secure.

A Bug Bounty program is typically launched Privately (only available to researchers who received an invitation to this specific program). Initigriti will ensure that new researchers – fresh blood – is added to the program periodically. After a while, the program can be expanded to application basis or to a public program. Please read our article on confidentiality to understand more about the different options

A couple of questions may arise:

Useful links when building your first program:

Where a bug bounty program is going to actively engage researchers to hunt for bugs on your scope, a responsible disclosure program and policy will allow you to collect security vulnerabilities in a more passive way.

With a responsible disclosure program or RDP, also called vulnerability disclosure program or VDP, you are providing a place where (accidental) findings can be reported. It's also a good entryway for new security researchers, to gain some experience before they go into the more competitive Bug Bounty programs where more researchers are active and finding bugs will more difficult.

Many organisations already have Responsible Disclosure policy page on their own websites, and ask the researchers there to send their findings to a certain internal security e-mail address. This can cause a lot of overhead for security teams, since usually there is a large portion of "noise" submissions as well as "beg bounty" in these emails.

When hosting the program on Intigriti, you can simply redirect any findings to Intigriti and the triage team will filter out the noise and non-valid findings.

It's also possible to combine scope where no bounty is given with scope where bounties are assigned. Read more about this in our article on Bounty Tiers

Responsible disclosure programs are always Public.

Our Hybrid Penetration tests allow organisations to open a penetration test for a certain number of days, with a certain day fee, whilst at the same time using a bounty table to incentivise the researcher to focus on high-impact vulnerabilities.

Researchers who are greenflagged by Intigriti for Hybrid Penetration tests, can apply for these tests based on the parameters defined in the program: Base bounty per day, Max amount of bounty pool to be earned, skills needed.

This model allows you to combine the power of working with researchers (focus on high-impact, high skills level) with the benefits of a penetration test (fixed amount of time spent on your program).