Retesting

Hackers: Learn how retesting works at HackerOne

Updated this week

As programs receive vulnerability reports and work on deploying fixes, they need proof that their vulnerabilities have actually been fixed. Retesting lets programs ask hackers to verify whether a vulnerability has been fixed so they can be confident their data is protected. If you submit a valid vulnerability report, the program can elect to invite you to retest the vulnerability and verify the fix.

Upon successful completion of a retest, you’ll receive a bounty as well as +2 reputation.

How It Works

If you’ve submitted a valid vulnerability report, the program can request that you retest the vulnerability to make sure it’s been fixed.

If you’re invited to retest the vulnerability, you’ll receive an email notification to retest the report.

To participate in the retest:

  1. Click View retest in your notification email.

  2. Check to see that the vulnerability has been fixed.

  3. Submit your findings in the Retest findings form at the bottom of the report. The form consists of these fields:

    • Are you able to reproduce the vulnerability report?

    • Please provide us with a short summary of how you retested the vulnerability and upload any attachments of your validations.

  4. Click Submit.

The program can either approve or reject your results. If they choose to:

| Action | Scenario | Details |
| --- | --- | --- |
| Mark as Resolved | You say the vulnerability is fixed. | You’ll be awarded a bounty. The report will close and will be marked as Resolved. |
| Retest not performed | You say the vulnerability is fixed. | The program will provide a summary explaining why they’ve rejected the retest. They can choose to request another retest for the vulnerability. The status of the report will be changed to Triaged. |
| Issue still exists | You say the vulnerability is not fixed. | You’ll be awarded a bounty. The report will revert to Triaged and stay open for the program to implement a fix. |
| Retest not performed | You say the vulnerability is not fixed. | The program will provide a summary explaining why they’ve rejected the retest. The program can choose to request another retest for the report. The status of the report will be changed to Triaged. |

Managing and Viewing Retests

You can track your retesting work under Hacker Dashboard > Retesting. You’ll be able to:

  • Claim open retests

  • See which retest you need to complete and the time you have left to complete it

  • View all of your completed retests