Bounties and assets
Bounties
Low: 0.1 - 3.9
Medium: 4.0 - 6.9
High: 7.0 - 8.9
Critical: 9.0 - 9.4
Exceptional: 9.5 - 10.0
Tier 2
min. €
max. €
Tier 5
min. €
max. €
Assets
iOS

*.test.com

Tier 2
Wildcard

test

Tier 5
Device
Description

Demo program description

No industry set

In scope

We are happy to announce our first bug bounty program! We've done our best to clean up most of our known issues and would now like to request your help to spot the ones we missed! We are specifically looking for:

  • leaking of personal data
  • horizontal / vertical privilege escalation
  • SQLi
  • ...

Below you can find a list of what’s currently in scope.
We plan to update our scope every month so keep an eye on us or subscribe to our program to receive updates when we do!

Out of scope

General

  • Best practices concerns
  • Highly speculative reports about theoretical damage. Prove it and be concrete.
  • DDoS or any kind of brute-force attacks
  • Publicly accessible login panels
  • Reports that state that software is out of date/vulnerable without proven exploitable risks
  • Vulnerabilities as reported by automated tools without additional analysis as to how they're an issue in the context of our tool
  • Physical or social engineering attempts (this includes phishing attacks against employees)

Application

  • Stack trace information
  • Open redirects
  • XSS issues in non-current browsers (older than 3 versions)
  • Self-XSS that cannot be used to exploit other users (this includes having a user paste JavaScript into the browser console)
  • Missing cookie flags on non-security sensitive cookies
  • Missing security headers which do not present an immediate security vulnerability
  • Banner grabbing issues (figuring out what web server we use, etc)
  • Clickjacking
  • Username/email enumeration via register, login or forgot password messages
  • Host header injection

Infrastructure

  • Open ports without an accompanying proof-of-concept demonstrating vulnerability
  • Recently disclosed 0-day vulnerabilities in commercial products where no patch or a recent patch is available. We need time to patch our systems just like everyone else - please give us 2 weeks before reporting these types of issues.
  • Weak SSL configurations and SSL/TLS scan reports (this means output from sites such as SSL Labs)
  • Missing SPF, DKIM or DMARC records

Rules of engagement

Our promise to you

  • We will respond to reports within two weeks at the latest, probably faster!
  • We are happy to respond to any questions; please use the button in the top right corner for this.
  • We respect the safe harbour clause that you can find below

Your promise to us

  • Provide detailed but to-the-point reproduction steps
  • Include a clear attack scenario. How will this affect us exactly?
  • Remember: quality over quantity!
  • Please do not discuss or post vulnerabilities without our consent (including PoCs on YouTube and Vimeo)
  • Please do not use automatic scanners - be creative and do it yourself! We cannot accept any submissions found by using automatic scanners. Scanners also won't improve your skills, and can cause a high server load (we'd like to put our time into thanking researchers rather than blocking their IPs 😉)

Severity assessment

Exceptional

  • RCE (Remote Code Execution)

Critical

  • Access to all customer personal data
  • SQL injection

High

  • Stored XSS without user interaction
  • Privilege escalation
  • Authentication bypass on critical infrastructure

Medium

  • XSS
  • CSRF with a significant impact

Low

  • XSS that requires lots of user interaction ( > 3 steps)
  • CSRF with a very limited impact

FAQ

Please select one of the sections below and remove the sections that are not applicable for you

Where can we get credentials for the app?

You can self-register on the application but please don’t forget to use your @intigriti.me address.

Where can we get credentials for the app?

You can use the "get credentials" button in the top right corner to request credentials that are ready to use! Feel free to reach out to support if you have any issues with these credentials.

Where can we get credentials for the app?

We currently don’t offer any credentials to test user roles.

Submission questions
test 1
Yes/No
test 2
Options
  • aaaaaaaaaaaaaaaaaa
  • bbbbbbbbbbbbbbbbbbb
  • cccccccccccccccccccccccccccc
test 3
Free-text
Yes yes yes!

budget left: €47,732
budget in validation: €1,256
budget spent: €11,012
total budget: €60,000

circle of trust
Researchers

Currently 3 researchers are members of this program.

accepted invites: 4 / 4
accepted applications: 0 / 0
by accepted submission: 0
average payout: €859
accepted submissions: 8 / 17
Created at 6-2-2023, 17:52:26
Last updated at 30-4-2025, 11:59:44