When companies apply fixes to address vulnerabilities, it’s crucial for them to ensure those fixes are effective. Sometimes, they may lack the in-house capacity, tools, or expertise to verify this. That's where your expertise comes in. Companies can request your help by asking you to retest the fixes and confirm that the vulnerabilities are no longer reproducable.
Receiving a retest request
When a company requests a retest of a submission, you'll receive an email notification containing the submission reference, the retest bounty, and the deadline.
You can also find the request in your inbox on the original submission, easily recognized by the following icon: 🔁.
💡Only the researcher who submitted of the submission will receive and have access to the retest request.
Responding to a retest request
You have until the deadline to respond and complete the retest. We strongly recommend responding to the retest request by either accepting or rejecting it as soon as possible. This way, the company will swiftly know whether you will assist them.
To start the retest, click 'Accept'. This will grant you access to the retest, allowing you to begin completing the necessary information. If you do not want to execute the retest, click 'Reject'.
Submitting a retest
Once you accepted the retest, you have until the deadline to reproduce the vulnerability as described in the proof-of-concept of your original submission and submit the results.
❗Any variations or workarounds, also known as bypasses, are out of scope. However, if identified, they should be reported as new, separate submissions.
Along with the overall result, you'll need to provide a few screenshots/files to demonstrate that you have re-executed your proof-of-concept. This enables companies to confidently close the submission if it is no longer reproducible or provide feedback to their development teams if the issue persists.
After providing the requested information, click 'Submit retest' to share your results with the company.
Getting a retest bounty
The company will review the retest results and proof. If everything meets their expectations, you will be awarded the previously communicated retest bounty.
If your retest indicated that the vulnerability wasn't fixed, you might receive another request to validate their fix again.