4. Knowledge base: https://kb.intigriti.com

Understanding scope

Scope: Defines the range of assets that the organization is explicitly inviting security researchers to assess for vulnerabilities.

Out of scope: Refers to assets that are explicitly off-limits for security researchers participating in the bug bounty program.

Why is it important?

  • Legal and ethical boundaries - bug bounty programs offer you safe harbor only as long as you are within scope.

  • Resource Allocation - Some companies scale one step at a time, and scopes can change over time as they scale.

  • Practical Reasons - some part of the infrastructure might be affected if it's in development; the client can't have a dev team bombarded with payloads while they are developing something internally or at an early stage.

  • Fairness - to keep things fair among bug bounty hunters, so that people participating in the program do not miss out on bounties they could earn.
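A scope check of the kind the safe-harbor point above calls for, added here as an example that is not from Intigriti's knowledge base or from any program's own tooling. The scope entry format (exact hostnames and `*.domain` wildcards), the rule that out-of-scope entries override in-scope ones, and the sample rules are all assumptions made for the example:

```python
# Scope checker (constructed example): decides whether a host may be tested.
# Assumed scope format: exact hostnames or wildcards such as '*.example.com'.
# Out-of-scope entries take precedence, so 'dev.example.com' listed as OOS
# stays off-limits even though '*.example.com' is in scope.

def _normalize(host: str) -> str:
    # Case-insensitive, and ignore a trailing dot from a fully-qualified name.
    return host.strip().lower().rstrip(".")

def _matches(host: str, pattern: str) -> bool:
    host, pattern = _normalize(host), _normalize(pattern)
    if pattern.startswith("*."):
        # '*.example.com' covers subdomains at any depth. The bare apex
        # 'example.com' is NOT covered unless listed on its own (assumption:
        # treat the apex as a separate asset rather than guessing).
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return host == pattern

def in_scope(host: str, in_scope_entries, out_of_scope_entries) -> bool:
    """True only if host matches an in-scope entry and no out-of-scope entry."""
    if any(_matches(host, p) for p in out_of_scope_entries):
        return False
    return any(_matches(host, p) for p in in_scope_entries)

def filter_targets(hosts, in_scope_entries, out_of_scope_entries):
    """Split candidates into (allowed, excluded) before any testing starts."""
    allowed, excluded = [], []
    for h in hosts:
        bucket = allowed if in_scope(h, in_scope_entries, out_of_scope_entries) else excluded
        bucket.append(h)
    return allowed, excluded

# Constructed sample program rules, not any real program's scope.
IN_SCOPE = ["*.example.com", "api.example.net"]
OUT_OF_SCOPE = ["dev.example.com", "*.staging.example.com"]

if __name__ == "__main__":
    candidates = ["www.example.com", "dev.example.com", "app.staging.example.com",
                  "example.com", "api.example.net", "other.example.net"]
    allowed, excluded = filter_targets(candidates, IN_SCOPE, OUT_OF_SCOPE)
    print("allowed: ", allowed)
    print("excluded:", excluded)
```

Anything that lands in the excluded list is not covered by safe harbor and should not be touched until the program's scope says otherwise.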

![[Scope Reading Image.png]]

Can we submit OOS (Out of Scope) bugs?

  • Sometimes we stumble upon bugs on OOS assets

  • Submissions of these will be rejected most of the time; you get negative rep and will not receive money from the bug bounty

  • If it's OOS but has a great impact on the business, a submission is sometimes sent anyway, purely as a courtesy notification so the business does not suffer unnecessary damage

  • In ALL cases there are no incentives for the Bug Bounty Hunter

Duplicate Bugs

  • Happens when multiple researchers report the same bug

  • Organizations award the bounty to the initial reporter

  • Knowingly reporting a duplicate report is unethical and can affect reputation fast

Structural issues

  • One fix, one reward

  • If different fixes are required for different problems it will NOT be a duplicate

  • If one fix fixes both issues it WILL BE a duplicate

  • If an already reported bug has a fix that would also fix yours, avoid reporting it

Community Code of Conduct (Check KB on Intigriti)

  • Disclosure terms - until we can do it

  • Collaboration - you can collaborate with other Intigriti members to solve a bug, but never disclose the solution to other parties outside of the community itself

  • Asking for updates - never ask for an update within the first 30 days; the platform will always provide updates on the bug report asap, or at least every 30 days, whether or not the client has provided any

  • OOS Submissions - we don't offer bounties for OOS

  • Illegal / Cracked software - DO NOT USE

  • Out of bound communication - all communication has to go through the platform; we can't directly contact the client through other means

  • Hoarding Vulnerabilities - do not keep a vulnerability undisclosed UNLESS it is part of a chain of other vulnerabilities you are trying to exploit. Reporting is expected within around 48 hours of the finding.

  • DATA exposure and PII - if you get access to a whole DB of users, keep it short: 1-2 examples, or the minimum amount of data needed to verify the vulnerability; don't access all the user data in there. Also follow best standards: DO NOT download / alter / share with third parties.

  • Third party services - we cannot post videos of the testing on other platforms; they can be shared only through Intigriti or accepted mediums, and always in a PASSWORD-PROTECTED ZIP

This section also covers how to use 3rd party tools like XSS Hunter to store data from your findings properly and securely.

Also, USE CAUTION when using automated tests so as not to cause service degradation - GROSS NEGLIGENCE or NEGLIGENCE

  • Intrusive Testing

  • Pivoting - is NOT allowed. If you find a Remote Code Execution vulnerability in a restricted environment through a gate, don't go further, enumerate, or try to replicate it multiple times.

  • Behavioural Guidelines - Be polite and respectful with every party involved.

  • Sanctions may be applied depending on the gravity of what you do

  • Right to appeal - can be done every 30 days and will be reviewed by a team of University Staff at Leuven University

  • Responsible disclosure while restricted - even if you have been restricted and there is a bug to report, responsible disclosure is still ADVISED. If you have been restricted in any form from the platform or a program - BYE BYE SAFE HARBOR, EVEN FOR IN-SCOPE

  • International law sanctions list validations - if you are listed, you are basically a criminal by international law and cannot do some stuff; credentials are verified daily by Intigriti

  • Your tax and financial obligations - just a reminder to comply with your country's laws and regulations on that.