Security Bounty Program

Introduction

Security researchers play an important part in helping keep our product secure.

Our Security Bounty Program is our way to reward security researchers for finding and reporting security vulnerabilities to us.

Participation

The WHMCS Security Bounty Program is managed through a private, invite-only HackerOne program. Please use the contacts listed in security.txt to send reports. If your report is valid, you will be invited to the private program.

Questions & Answers

If you have identified a vulnerability, you must report it responsibly via our bounty program to be eligible for a reward. Not every report may qualify for a reward.

Rewards range from $100.00 to $2,000.00 depending on the type and severity of the vulnerability being reported.

Payments are made via our private HackerOne program only, to which you will be invited if your report is valid.

Eligible vulnerabilities are any design or implementation issue within the WHMCS software that substantially affects the confidentiality or integrity of user data or the system.

Examples include:
  • Cross-site scripting
  • Cross-site Request Forgery
  • Privilege escalation
  • Authentication or Authorization flaws
  • Information Disclosure

The detailed scope will be sent by email upon request.

The following are not eligible for a reward:
  • Known issues or previously reported vulnerabilities
  • Security vulnerabilities in third-party applications that integrate with WHMCS
  • Security vulnerabilities in the underlying operating system
  • All issues listed in HackerOne's Core Ineligible Findings

Note: Vulnerability reports submitted regarding third-party applications are communicated to the proper party, and WHMCS works with these parties to coordinate a fix wherever possible.

Acknowledgements

We would like to thank the following individuals, researchers and firms who have helped make WHMCS better through responsible disclosure.

Report an issue

Use the contacts listed in security.txt.