Skip to main content
Submission retesting

Leverage the crowd to validate your fixes!

L
Written by Lise
Updated over 3 weeks ago

If you're deploying a fix but don't have the capacity, expertise, or tools to retest it, we're here to help! You can simply request a retest to the researcher, who will check if the vulnerability is still reproducible to ensure everything is resolved for you.

✉️ Don't have access to this functionality? Please reach out to your Customer Success Manager for assistance.


Requesting a retest

You can request a researcher to retest any submission in the 'accepted' status for which your team has deployed a fix. To request a retest, you will need to provide the following information:

  1. Retest Bounty: Specify the bounty you're willing to pay the researcher for their efforts, with a minimum starting at 50 EUR/USD/GBP.

  2. Deadline: Define the deadline by which you want the fix to be tested, with a range between 5 to 30 days.

The researcher has until the deadline to accept or reject the request. If no action is taken by then, it will automatically expire allowing you to move the submission out of status accepted.

💡Only the submitter will receive a retest request.

Canceling a retest

If you no longer need the retest and wish to change the submission status to 'Closed,' you can cancel the retest request as long as the researcher has not yet accepted it.

Once the request is accepted and assigned, the researcher may already be working on it. Therefore, they should be compensated for their efforts upon submitting the results.

Accepting a retest

When the researcher submits the retest, the submission assignee will receive an email notification. Along with the overall result, you'll receive files demonstrating that the researcher has re-executed their proof-of-concept. This allows you to:

  • Confidently close the submission if the issue is no longer reproducible.

  • Provide feedback to your development teams if the problem persists.

After reviewing the retest results and proof, you need to accept the retest if everything meets your expectations. Only by accepting it will the researcher be awarded the previously defined retest bounty, and you'll be able to update the submission's status.

What's next?

If the retest shows that the vulnerability hasn't been fixed, you might want to request another one to validate your newly deployed fix.

Did this answer your question?