By Yannick Merckx
September 21, 2022
Edit or remove messages on submissions within 15 min of posting
Updates around contextual CVSS scoring tool
CVSS selection as default on severity assessment
Integrated tooltips and links to first.org
CVSS vector included in the submission exports
Copy/paste functionality on CVSS vector
Communicating with others about a bug or vulnerability that has been found and submitted as a report is one of the key features of a bug bounty platform. Communication between the relevant stakeholders should be quick, easy and transparent, but it should also provide some assurance about the follow-up and help keep track of key details. That’s why Intigriti has built its messaging system entirely around incoming submissions – this is where most of the back and forth between researchers, companies and our Triage team happens.
By design, we want these messages to be mostly permanent, as a record of how a submission is processed and how information is exchanged. This is security-relevant information, so altering messages that had been sent previously could shift the context, lead to misunderstandings or suddenly misrepresent a previous agreement. That’s why status changes are also logged together with messages: you get a clear, chronological insight into what happened with a submission, from the moment it is reported until it is resolved.
Events and feedback show in the message overview of a submission in strict order
Now, this design principle is great for its factualness. Meticulously keeping track of what is happening almost turns ongoing communication into an audit trail. But we are all human (at least I have no proof of other species working with intigriti) and, as above: to err is human. Everybody makes mistakes, be it the occasional spelling error, addressing someone by the wrong name or simply submitting a message too early.
Yeah, so how about it?
Even if it means introducing some flexibility, being able to correct smaller mistakes is a much better user experience than having every mistake on permanent record, forever. But how can that be aligned with the design principle discussed earlier?
In the usual interaction between those who send each other messages on submissions, communication is not expected to happen instantly. Messages on submissions are not a “chat” in that sense. Think of Facebook (back when it became popular) – there was a wall where you could post messages visible to selected other users, and there was also a separate chat feature. Submission messages are much more like the former than the latter.
This leads to our conclusion on how exactly to add an edit/remove functionality for messages on our platform. Within 15 minutes of posting, messages can now be edited or removed. Most of the time the intended recipient will not have seen them yet anyway, but this still allows the correction of awkward spelling errors, unwanted information disclosure or simply sending messages prematurely.
Keeping the above limitation in mind, the rest is simple
Again: For full transparency, there’s a note if a message has been edited or removed
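As an added illustration (this is not Intigriti's code), the following sketch shows how an append-only submission timeline can offer a 15-minute edit/remove window while keeping the original message and a visible edited/removed note in the chronological record; the class, event kinds, clock injection and sample messages are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
EDIT_WINDOW = timedelta(minutes=15)  # the 15-minute window described above

@dataclass
class Event:
    at: datetime
    kind: str      # "message", "status", "edit" or "remove" (assumed names)
    author: str
    body: str = ""
    ref: int = -1  # index of the message an edit/remove applies to

class SubmissionTimeline:
    """Append-only log: edits and removals are new events, never in-place changes."""
    def __init__(self, clock=lambda: datetime.now(timezone.utc)):
        self.clock = clock  # injectable so the window can be tested deterministically
        self.events = []
    def post(self, author, body):
        self.events.append(Event(self.clock(), "message", author, body))
        return len(self.events) - 1  # handle used for later edit/remove
    def set_status(self, actor, status):
        self.events.append(Event(self.clock(), "status", actor, status))
    def changes_to(self, idx):
        return [e for e in self.events if e.ref == idx]
    def change(self, idx, author, kind, new_body=""):
        """Record an 'edit' or 'remove' event if the author and the window allow it."""
        orig = self.events[idx]
        if orig.kind != "message" or orig.author != author:
            raise PermissionError("only the original author may change a message")
        if self.clock() - orig.at > EDIT_WINDOW:
            raise PermissionError("edit window has expired")
        if any(e.kind == "remove" for e in self.changes_to(idx)):
            raise PermissionError("message was already removed")
        self.events.append(Event(self.clock(), kind, author, new_body, idx))
    def render(self):
        """Chronological view: current text of each message plus an edited/removed note."""
        out = []
        for i, e in enumerate(self.events):
            if e.kind == "status":
                out.append(f"[{e.at:%H:%M}] status -> {e.body} ({e.author})")
            elif e.kind == "message":
                changes = self.changes_to(i)
                if any(c.kind == "remove" for c in changes):
                    out.append(f"[{e.at:%H:%M}] {e.author}: (message removed)")
                elif changes:
                    out.append(f"[{e.at:%H:%M}] {e.author}: {changes[-1].body} (edited)")
                else:
                    out.append(f"[{e.at:%H:%M}] {e.author}: {e.body}")
        return out
```

Because the original text stays in the log and only the rendered view changes, an edit or removal can never silently rewrite what was agreed earlier.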
“Mistakes happen! That’s why there are pencils with erasers”
For programs using the contextual CVSS score there’s an exciting update to the user interface and experience for both researchers and customers:
On programs using the contextual CVSS score, the default view for researchers on submissions is now always the CVSS vector selection
The individual vectors have gotten tooltips and links to the first.org documentation, helping researchers judge severity objectively
For customers, severity vector strings can now easily be copied to clipboard and will also show in both .pdf and .csv reports
We’ve also released a new customer testimonial. If you want to know what makes intigriti such an awesome bug bounty platform to partner with, check out what CM.com has to say
We’ve made further improvements to our Dark Theme. For example, some font colors were very hard to read on some colored backgrounds. We are aiming for continuous improvement of course, so please let us know if you notice anything that you feel isn’t really clear or just might not look that great
In changelog 38, we discussed the awesomeness of Live Hacking Events (LHE). Well, it got even better because a few researchers earned a CVE with their findings, found during our latest LHE with Yahoo! How cool is that!
The @TheParanoids #1337up0822 Live Hacking Event has ended. With 281 submissions and over 219,000$ paid out, this was a major success all thanks to @AMakki1337 @putsi @p4fg @stokfredrik @Blaklis_ @Kuromatae666 @foobar0x7 @MattiBijnens @arneswinnen @bug_dutch @renniepak @0xkasper pic.twitter.com/PZGP02JLEl
— INTIGRITI (@intigriti) August 30, 2022