As programs receive vulnerability reports and work on deploying fixes, they need proof that their vulnerabilities have actually been fixed. Retesting enables programs to ask hackers to verify whether a vulnerability has been fixed to secure the protection of their data. If you submit a valid vulnerability report, programs can elect to invite you to retest the vulnerability to verify the fixes.
Upon successful completion of a retest, you’ll receive a bounty as well as +2 reputation.
How It Works
If you’ve submitted a valid vulnerability for a report, the program can request that you retest the vulnerability to make sure it’s been fixed.
If you’re invited to retest the vulnerability, you’ll receive a notification in your email to retest the report.
To participate in the retest:
Click View retest in your notification email.
Check to see that the vulnerability has been fixed.
Submit your findings in the Retest findings form at the bottom of the report. The form consists of these fields:
Are you able to reproduce the vulnerability report?
Please provide us with a short summary of how you retested the vulnerability and upload any attachments of your validations.
Click Submit.
The program can either approve or reject your results. If they choose to:
Action | Scenario | Details |
Mark as Resolved | You say the vulnerability is fixed. | You’ll be awarded a bounty. |
Retest not performed | You say the vulnerability is fixed. | The program will provide a summary explaining why they’ve rejected the retest. They can choose to request another retest for the vulnerability. |
Issue still exists | You say the vulnerability is not fixed. | You’ll be awarded a bounty. |
Retest not performed | You say the vulnerability is not fixed. | The program will provide a summary explaining why they’ve rejected the retest. The program can choose to request another retest for the report. |
Claiming Retest Opportunities
If the program is:
Program Type | Details |
Private | If you’re part of the private program offering retests, you can find and claim the retesting opportunities under Hacker Dashboard > Retesting. |
Public | You can claim retests for programs where you submitted at least 1 valid vulnerability (the report is resolved or triaged) under Hacker Dashboard > Retesting. |
To claim a retest:
Go to Hacker Dashboard > Retesting.
Click Claim retest for the retest you’re interested in. Keep in mind that you can only claim and work on 1 retest at a time.
View steps 3 and 4 in the section above to complete the retest.
Managing and Viewing Retests
You can track your retesting work under Hacker Dashboard > Retesting. You’ll be able to:
Claim open retests
See which retest you need to complete and the time you have left to complete it
View all of your completed retests