As programs receive vulnerability reports and work on deploying fixes, they need proof that their vulnerabilities have actually been fixed. Asking hackers to verify whether a vulnerability has been fixed is a good way to secure the protection of your asset’s data. You can elect to invite hackers to retest your vulnerabilities to verify fixes. Each hacker that participates in the retest will receive a $50 bounty upon completion.

Retesting is available as an add-on. To learn more about adding Retesting to your program, contact your account manager.

How It Works

To have hackers retest a vulnerability:

  1. Choose the Resolved report in your inbox that you want to assign hackers to retest. Note: Your report must be closed and marked as Resolved in order to retest.
  2. Change the action picker to Request retest.
  3. Click Request retest.

request retest button

2 hackers participating in your program will be invited to retest the report through email.

email to see retest invitation

In addition, the hacker that originally submitted the report will also be invited to participate in the retest, so that there will be a total of 3 retesters for your report.

retest email for original hacker

When the hacker clicks View retest invitation in the email, they’ll be able to Accept or Reject the invitation.

retest invitation

Upon acceptance, participating hackers will be able to familiarize themselves with the vulnerability report and check to see that the vulnerability is properly fixed. After they’ve tested the vulnerability, they can click the answer these questions link in the report banner to submit their findings.

answer these questions link in banner

The hacker will be asked to answer the following questions:

  • Are you able to reproduce the vulnerability?
  • Are you able to identify a bypass to the fix?

retest questionnaire

If they were able to identify a bypass, they can can submit a new vulnerability report and enter the report ID in the questionnaire.

submitting a new report through retest

Hackers are also asked to provide a short summary of how they retested the vulnerability, and are also able to upload any attachments of their validations.

summary and screenshots

Upon submission of the questionnaire, you’ll be notified that a hacker has completed a retest of your report within the report timeline and also through email.

notification that hacker completed retest

Click on View results to see the status and findings of the retest efforts. If the hacker was able to find a bypass to the vulnerability, you can view the new vulnerability report.

retest results popup

Hackers that completed the retest will automatically be awarded $50. The payment is a regular bounty payment and the transaction for retesting will show in your billing overview statement.

billing notification

There’s currently no effect to reputation for verifying vulnerability fixes and there’s also no time limit for hackers to complete the retest.


You can opt-in to pay for retesting through Retest Bundles. With Retest Bundles, you can purchase a bundle of retests that can be used with your HackerOne subscription. When you use all of your retests, you can choose to purchase more. Contact your program manager to learn more about bundle options.

retesting bundles