
Commit 0be07eb

retesting update for program book
1 parent 4187348 commit 0be07eb

3 files changed

+22
-45
lines changed

docs/programs/retesting.md

Lines changed: 22 additions & 45 deletions
@@ -4,62 +4,39 @@ path: "/programs/retesting.html"
44
id: "programs/retesting"
55
---
66

7-
As programs receive vulnerability reports and work on deploying fixes, they need proof that their vulnerabilities have actually been fixed. Asking hackers to verify whether a vulnerability has been fixed is a good way to secure the protection of your asset’s data. You can elect to invite hackers to retest your vulnerabilities to verify fixes. Each hacker that participates in the retest will receive a $50 bounty upon completion.
7+
As programs receive vulnerability reports and work on deploying fixes, they need proof that their vulnerabilities have actually been fixed. Retesting is a good way to secure the protection of your asset’s data by asking hackers to verify whether a vulnerability has been fixed. With retesting, you can elect to have hackers retest your vulnerabilities to verify the fixes. The hacker that participates in the retest will receive a $50 bounty upon completion.
88

99
> Retesting is available as an add-on. To learn more about adding Retesting to your program, contact your account manager.
1010
1111
### How It Works
1212
To have hackers retest a vulnerability:
13-
1. Choose the <b><i>Resolved</i></b> report in your inbox that you want to assign hackers to retest. **Note:** Your report must be [closed and marked as Resolved](report-actions.html#close-a-report) in order to retest.
13+
1. Choose the report in your inbox that you want to assign a hacker to retest.
14+
2. Change the action picker to **Request retest**.
15+
3. Click **Confirm retest**.
1416

15-
2. Change the action picker to <b>Request retest</b>.
16-
3. Click <b>Request retest</b>.
17+
The original hacker that submitted the vulnerability will be invited to take part in the retest.
1718

18-
![request retest button](./images/retest_update_6a.png)
19+
After accepting the retest, the hacker will have 24 hours to confirm if the vulnerability has been properly fixed. If the hacker doesn’t finish the retest within 24 hours, their retest opportunity will expire and a different hacker will be able to claim the retest.
1920

20-
2 hackers participating in your program will be invited to retest the report through email.
21+
The hacker will submit their findings in the **Retest findings** form at the bottom of the report. The form consists of these fields:
22+
* Are you able to reproduce the vulnerability report?
23+
* Please provide us with a short summary of how you retested the vulnerability and upload any attachments of your validations.
2124

22-
![email to see retest invitation](./images/retesting_update_2.png)
25+
![retesting form](./images/retesting-form.png)
2326

24-
In addition, the hacker that originally submitted the report will also be invited to participate in the retest, so that there will be a total of 3 retesters for your report.
27+
After the hacker submits their findings, you’ll be prompted to either Approve and resolve or Reject the retest.
2528

26-
![retest email for original hacker](./images/retesting-3c.png)
29+
![retesting approval form](./images/retesting-approval-form.png)
2730

28-
When the hacker clicks <b>View retest invitation</b> in the email, they’ll be able to <b>Accept</b> or <b>Reject</b> the invitation.
31+
If you choose to:
2932

30-
![retest invitation](./images/retesting-4b.png)
33+
Action | Scenario | Details
34+
------ | -------- | --------
35+
**Aprove and resolve** the retest | The hacker says the vulnerability is fixed. | The report will close and will be marked as *Resolved*. The hacker will also be awarded a $50 bounty.
36+
**Reject** the retest | The hacker says the vulnerability is fixed. | You’ll need to provide a summary to the hacker explaining why you’ve rejected the retest. You can choose to request another retest for the report, by going back to step 1. <br><br>The status of the report will be changed to *Triaged*.
37+
**Approve** the retest | The hacker says the vulnerability is not fixed. | The report will move back to Triaged and will stay open for the team to implement a fix. The hacker will be awarded a $50 bounty.
38+
**Reject** the retest | The hacker says the vulnerability is not fixed. | You’ll need to provide a summary to the hacker explaining why you’ve rejected the retest. You can choose to request another retest for the report, by going back to step 1. <br><br>The status of the report will be changed to *Triaged*.
3139

32-
Upon acceptance, participating hackers will be able to familiarize themselves with the vulnerability report and check to see that the vulnerability is properly fixed. After they’ve tested the vulnerability, they can click the <b>answer these questions</b> link in the report banner to submit their findings.
33-
34-
![answer these questions link in banner](./images/retesting_update_3.png)
35-
36-
The hacker will be asked to answer the following questions:
37-
* Are you able to reproduce the vulnerability?
38-
* Are you able to identify a bypass to the fix?
39-
40-
![retest questionnaire](./images/retesting_update_1.png)
41-
42-
If they were able to identify a bypass, they can can submit a new vulnerability report and enter the report ID in the questionnaire.
43-
44-
![submitting a new report through retest](./images/retesting-6b.png)
45-
46-
Hackers are also asked to provide a short summary of how they retested the vulnerability, and are also able to upload any attachments of their validations.
47-
48-
![summary and screenshots](./images/retesting-6d.png)
49-
50-
Upon submission of the questionnaire, you’ll be notified that a hacker has completed a retest of your report within the report timeline and also through email.
51-
52-
![notification that hacker completed retest](./images/retest_update_5.png)
53-
54-
Click on <b>View results</b> to see the status and findings of the retest efforts. If the hacker was able to find a bypass to the vulnerability, you can view the new vulnerability report.
55-
56-
![retest results popup](./images/retesting-8.png)
57-
58-
Hackers that completed the retest will automatically be awarded $50. The payment is a regular bounty payment and the transaction for retesting will show in your billing overview statement.
59-
60-
![billing notification](./images/retesting_payment.png)
61-
62-
><i>There’s currently no effect to reputation for verifying vulnerability fixes and there’s also no time limit for hackers to complete the retest.</i>
63-
64-
### Payments
65-
You can opt-in to pay for retesting through Retest Bundles. With Retest Bundles, you can purchase a bundle of retests that can be used with your HackerOne subscription. When you use all of your retests, you can choose to purchase more. Contact your program manager to learn more about bundle options. <br><br>![retesting bundles](./images/retesting_bundles.png)
40+
If the original hacker declines to take part in the retest and your program is:
41+
* Private, then another hacker that’s part of your program will have the opportunity to claim and perform the retest.
42+
* Public, then any hacker with at least 1 resolved or triaged report will be able to claim the retest.
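Review bot: the first row of the outcome table reads "**Aprove and resolve** the retest" (typo for "Approve"), and the sentence introducing the table says you are prompted to "either Approve and resolve or Reject" while the not-fixed row labels the same choice plainly "**Approve**"; use one label per outcome so the prose and the table agree. Two further points in this hunk: step 1 drops the old note that the report must be closed and marked Resolved before a retest can be requested, but nothing in the new text says which report states allow "Request retest" (the table only says where the report ends up after the decision), so either restore that prerequisite or state the new one. The closing paragraph about the original hacker declining (private vs. public program) is what explains the earlier sentence "a different hacker will be able to claim the retest" under the 24-hour expiry; move it up next to that sentence so the reader meets the rule where it first matters. Finally, the `### Payments` section and the Retest Bundles screenshot are deleted with no replacement text; if bundles still exist, point to where they are now documented.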
