BIPI

Intigriti and YesWeHack: European Programs Worth Hunting

European platforms run differently from the US giants. Intigriti and YesWeHack have unique scope styles, payout patterns, and triage cultures. Learn how to fit in, what to expect, and where the soft targets sit.

By Arjun Raghavan, Security & Systems Lead, BIPI · May 2, 2023 · 8 min read

The European bug bounty scene

Intigriti is Belgian, YesWeHack is French. Both host programs from European banks, telcos, governments, and SaaS vendors that rarely run on HackerOne or Bugcrowd. The competition is thinner, the duplicate rates are lower, and the language can be a small barrier worth crossing.

Intigriti, what is different

  • The severity model uses CVSS-based scoring with program-specific multipliers.
  • Programs often list out-of-scope finding types explicitly, with examples.
  • Triage is fast during European business hours, slower on weekends.
  • Many programs run in waves, where new scope opens for limited windows.

YesWeHack, what is different

  • Strong focus on French and EU regulated industries, especially banking and health.
  • Some programs require a GDPR-aware PoC: no real PII exfiltration, even as proof.
  • Reports can be submitted in English, but French earns goodwill on close calls.
  • Private invites lean on activity in the past sixty days, not lifetime stats.

Where the soft targets sit

  1. European retail banks, often new to bug bounty, where session and auth bugs are common.
  2. Telcos with legacy customer portals, where IDOR on account data still appears.
  3. Public sector programs, where access control on document portals is often weak.
  4. B2B SaaS in logistics and manufacturing, where multi-tenant isolation is shaky.

Cultural fit notes

European triagers value precise, calm reports. Aggressive language, demands for higher payout, or accusations of bias close doors quickly. The community is small, and reputation travels between programs faster than on the US platforms.

Scope reading on EU programs

  • Read the legal section first; some programs forbid testing from outside the EU.
  • Check the data classification section for what counts as PII in their model.
  • Note retest policies; some EU programs pay for retests, others do not.
  • Watch for cooling-off periods after a finding is resolved, during which retesting is blocked.

Payout patterns

Payouts on European platforms tend to be lower in absolute numbers than on top US programs, but the duplicate rate is also lower. The expected value per hour can be higher if you stay in the lane where competition is thin.

Less crowded scope, calmer triage, and predictable payouts. Europe rewards the patient hunter.

Building presence on a new platform

  1. Pick one mid-sized public program and deliver three clean Mediums or one High.
  2. Engage in the platform community channels, where program managers watch quietly.
  3. Apply to private invites after thirty days of activity, not on day one.
  4. Keep your profile updated with skills, regions, and languages you operate in.
