When companies apply fixes to address vulnerabilities, it’s crucial for them to ensure those fixes are effective. Sometimes, they may lack the in-house capacity, tools, or expertise to verify this. That's where your expertise comes in. Companies can request your help by asking you to retest the fixes and confirm that the vulnerabilities are no longer reproducible.
Receiving a retest request
When a company requests a retest of a submission, you'll receive an email notification containing the submission reference, the retest bounty, and the deadline.
You can also find the request in your inbox on the original submission, easily recognized by the following icon: 🔁.
💡Only the submitter will receive a retest request.
Responding to a retest request
You have until the deadline to respond and complete the retest. We strongly recommend responding to the retest request by either accepting or rejecting it as soon as possible. This way, the company will swiftly know whether you will assist them.
To start the retest, click 'Accept'. This will grant you access to the retest, allowing you to begin completing the necessary information. If you do not want to execute the retest, click 'Reject'.
Submitting a retest
Once you have accepted the retest, you have until the deadline to re-run the proof-of-concept from your original submission, check whether the vulnerability still reproduces, and submit the results.
❗Any variations or workarounds, also known as bypasses, are out of scope. However, if identified, they should be reported as new, separate submissions.
Along with the overall result, you'll need to provide a few screenshots/files to demonstrate that you have re-executed your proof-of-concept. This enables companies to confidently close the submission if it is no longer reproducible or provide feedback to their development teams if the issue persists.
After providing the requested information, click 'Submit retest' to share your results with the company.
Getting a retest bounty
The company will review the retest results and proof. If everything meets their expectations, you will be awarded the previously communicated retest bounty.
If your retest indicates that the vulnerability wasn't fixed, you might receive another request to validate the company's fix again.