As programs receive vulnerability reports and work on deploying fixes, they need proof that their vulnerabilities have actually been fixed. Retesting enables programs to ask hackers to verify whether a vulnerability has been fixed, so they can confirm that their data is protected. If you submit a valid vulnerability report, the program can elect to invite you to retest the vulnerability to verify the fix.
Upon successful completion of a retest, you’ll receive $50 in bounty as well as +2 reputation.
If you’ve submitted a valid vulnerability for a report, the program can request to have you retest the vulnerability to make sure it’s been fixed.
If you’re invited to retest the vulnerability, you’ll receive a notification in your email to retest the report.
To participate in the retest:
1. Click View retest in your notification email.
2. Check to see whether the vulnerability has been fixed.
3. Submit your findings in the Retest findings form at the bottom of the report. The form consists of these fields:
   - Are you able to reproduce the vulnerability report?
   - Please provide us with a short summary of how you retested the vulnerability and upload any attachments of your validations.
4. Click Submit.
The program can either approve or reject your results. Depending on what the program chooses and what you reported:

| Program action | Your finding | Outcome |
|---|---|---|
| Approve and resolve the retest | You say the vulnerability is fixed. | You’ll be awarded a $50 bounty. The report will close and will be marked as Resolved. |
| Reject the retest | You say the vulnerability is fixed. | The program will provide you with a summary explaining why they’ve rejected the retest. They can choose to request another retest for the vulnerability. The status of the report will be changed to Triaged. |
| Approve the retest | You say the vulnerability is not fixed. | You’ll be awarded a $50 bounty. The report will move back to Triaged and will stay open for the program to implement a fix. |
| Reject the retest | You say the vulnerability is not fixed. | The program will provide you with a summary explaining why they’ve rejected the retest. The program can choose to request another retest for the report. The status of the report will be changed to Triaged. |
If you’re not the original hacker, and the original hacker of the report chooses to reject the retest, you and other hackers can claim the retesting opportunity depending on your retesting rights.

| Program type | Who can claim the retest |
|---|---|
| Private | If you’re part of the private program offering retests, you can find and claim the retesting opportunities under Hacker Dashboard > Retesting. |
| Public | You’ll be able to claim retests for programs where you submitted at least 1 valid vulnerability (the report is resolved or triaged) under Hacker Dashboard > Retesting. |
To claim a retest:
1. Go to Hacker Dashboard > Retesting.
2. Click Claim retest for the retest you’re interested in. Keep in mind that you can only claim and work on 1 retest at a time. Upon claiming a retest, you’ll have 24 hours to complete it.
3. View steps 3 and 4 in the section above to complete the retest.
You can keep track of all of your retesting work under Hacker Dashboard > Retesting. You’ll be able to:
- Claim open retests.
- See which retest you need to complete and the time you have left to complete it.
- View all of your completed retests.