Welcome! This article will guide you through your first steps on our platform as well as help you familiarise yourself with the concepts of Bug Bounty, responsible disclosure and our hybrid penetration tests.
What do you want to know?
While we give a brief explanation of the concepts below and focus more on the how-to in the knowledge base, the Intigriti Blog offers plenty of best practices and tips & tricks!
Blog Series: What to expect from the bug bounty process, from setting up to post-launch
Intigriti Hacker report
Read from our hackers directly how they look at bug bounty, what (de-)motivates them and how to keep your program engaging!
Introduction to Bug Bounty
A bug bounty program links organisations who want to become more secure with ethical hackers who have the skills and knowledge to help them do exactly that.
On the Intigriti platform, you define the scope of your program (what the researchers can and cannot hack on) as well as the amounts you want to pay for the various severity levels of security issues. For example, for a critical security issue you may want to pay 2000 euros, whilst for a medium bug you would be willing to pay 500 euros.
The researchers on the platform allow you to tap into a wide set of skills which would otherwise not be available to you; your landscape and your (customers') data are therefore better protected, with more eyes keeping watch.
By contrast, in a typical penetration test you depend on the skillset of one person, whereas in a Bug Bounty program you can incentivise researchers with many different areas of expertise to help make your product more secure.
A Bug Bounty program is typically launched Privately (only available to researchers who received an invitation to this specific program). Intigriti will ensure that new researchers – fresh blood – are added to the program periodically. After a while, the program can be expanded to an application basis or to a public program. Please read our article on confidentiality to understand more about the different options.
A couple of questions may arise:
Different areas of your landscape may require different levels of bounties for several reasons, such as the likelihood of containing sensitive information or the security maturity of the scope. Intigriti offers the possibility to assign different levels of bounties to different scope through Bounty Tiers.
How can we ensure the researchers we work with are ethical?
Additionally, researchers are required to adhere to the Rules of Engagement specified for your program.
In a private program where privileges such as test environments are provided, we typically only work with ID-checked researchers. The ID check is performed by our partner Onfido.
Useful links when building your first program:
Introduction to Responsible Disclosure
Where a bug bounty program actively engages researchers to hunt for bugs on your scope, a responsible disclosure program and policy allow you to collect security vulnerabilities in a more passive way.
With a responsible disclosure program or RDP, also called a vulnerability disclosure program or VDP, you provide a place where (accidental) findings can be reported. It is also a good entryway for new security researchers to gain some experience before they move on to the more competitive Bug Bounty programs, where more researchers are active and finding bugs will be more difficult.
Many organisations already have a Responsible Disclosure policy page on their own websites, and ask researchers there to send their findings to a certain internal security e-mail address. This can cause a lot of overhead for security teams, since these mailboxes usually receive a large portion of "noise" submissions as well as "beg bounty" requests.
When hosting the program on Intigriti, you can simply redirect any findings to Intigriti and the triage team will filter out the noise and non-valid findings.
It's also possible to combine scope where no bounty is given with scope where bounties are assigned. Read more about this in our article on Bounty Tiers.
Responsible disclosure programs are always Public.
Define the program settings
Introduction to Hybrid Pentest
Our Hybrid Penetration tests allow organisations to open a penetration test for a certain number of days, at a certain day fee, whilst at the same time using a bounty table to incentivise the researcher to focus on high-impact vulnerabilities.
Researchers who are green-flagged by Intigriti for Hybrid Penetration tests can apply for these tests based on the parameters defined in the program: base bounty per day, maximum bounty pool that can be earned, and skills needed.
This model allows you to combine the power of working with researchers (focus on high impact, high skill level) with the benefits of a penetration test (a fixed amount of time spent on your program).