docs/programs/retesting.md
Lines changed: 19 additions & 7 deletions
@@ -6,7 +6,7 @@ id: "programs/retesting"
6
6
7
7
As programs receive vulnerability reports and work on deploying fixes, they need proof that their vulnerabilities have actually been fixed. Asking hackers to verify whether a vulnerability has been fixed is a good way to secure the protection of your asset’s data. You can elect to invite hackers to retest your vulnerabilities to verify fixes. Each hacker that participates in the retest will receive a $100 bounty upon completion.
8
8
9
-
><i>Inviting hackers to retest your vulnerabilities is a new feature that is currently in the beta phase. To be a part of the beta testing, please reach out to your program manager.</i>
9
+
><i>Inviting hackers to retest your vulnerabilities is a new feature that is currently in the beta phase.</i>
10
10
11
11
### Set Up
12
12
There’s currently no set up on your end that’s needed to enable the feature. Your program manager will enable the feature for you.
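Review bot: dropping "To be a part of the beta testing, please reach out to your program manager." leaves the reader with no instruction on how to join the beta, while the unchanged Set Up paragraph directly below still says "Your program manager will enable the feature for you." If the opt-in path has not changed, keep that sentence in the notice or fold it into Set Up; if programs are now enrolled without asking, Set Up should say so instead, since as written the two passages no longer agree on how a program gets access.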
@@ -22,23 +22,35 @@ Once your program manager has enabled the feature, to have hackers retest a vuln
22
22
23
23

24
24
25
-
The original reporter as well as 4 random hackers participating in your program will be invited to retest the report through email.
25
+
4 random hackers participating in your program will be invited to retest the report through email.
26
26
27
-

27
+

28
28
29
-
When the hacker clicks <b>View retest</b> in the email, they’ll be able to familiarize themselves with the vulnerability report and check to see that the vulnerability is properly fixed. After they’ve tested the vulnerability, they can click the <b>answer these questions</b> link in the report banner to submit their findings.
29
+
In addition, the hacker that originally submitted the report will also be invited to participate in the retest.
30
+
31
+

32
+
33
+
When the hacker clicks <b>View retest invitation</b> in the email, they’ll be able to <b>Accept</b> or <b>Reject</b> the invitation.
34
+
35
+

36
+
37
+
Upon acceptance, participating hackers will be able to familiarize themselves with the vulnerability report and check to see that the vulnerability is properly fixed. After they’ve tested the vulnerability, they can click the <b>answer these questions</b> link in the report banner to submit their findings.
30
38
31
39

32
40
33
41
The hacker will be asked to answer the following questions:
34
42
* Are you able to reproduce the vulnerability?
35
43
* Are you able to identify a bypass to the fix?
36
44
37
-

45
+

38
46
39
47
If they were able to identify a bypass, they can can submit a new vulnerability report and enter the report ID in the questionnaire.
40
48
41
-

49
+

50
+
51
+
Hackers are also asked to provide a short summary of how they retested the vulnerability, and are also able to upload any attachments of their validations.
52
+
53
+

42
54
43
55
Upon submission of the questionnaire, you’ll be notified that a hacker has completed a retest of your report within the report timeline and also through email.
44
56
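Review bot: the new Accept/Reject step ("they'll be able to Accept or Reject the invitation") does not say what happens when an invitee rejects, for example whether another hacker is invited in their place or the retest proceeds with fewer than the stated four participants; one sentence on that would complete the flow you are documenting. Two smaller points in the added lines: spell out "Four random hackers" rather than opening a sentence with a digit, and "upload any attachments of their validations" reads awkwardly, something like "upload attachments supporting their findings" would be clearer. The unchanged context line still has the doubled "they can can submit", worth fixing while this file is open.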
@@ -52,4 +64,4 @@ Hackers that completed the retest will automatically be awarded $100. The paymen
52
64
53
65

54
66
55
-
<i>There’s currently no effect to reputation for verifying vulnerability fixes and there’s also no time limit for hackers to complete the retest.</i>
67
+
><i>There’s currently no effect to reputation for verifying vulnerability fixes and there’s also no time limit for hackers to complete the retest.</i>
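Review bot: the added ">" turns this closing note into a blockquote, matching the beta notice at the top of the file, which is the right call for consistency; while touching the line, "no effect to reputation" should read "no effect on reputation".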