Security Bounty Program

Introduction

Security researchers play an important part in helping keep our product secure.

Our Security Bounty Program is our way to reward security researchers for finding and reporting security vulnerabilities to us.

Participation

The WHMCS Security Bounty Program is managed through Bugcrowd. Please report any vulnerabilities via our Bugcrowd page.

Questions & Answers

Q: How do I participate?

The WHMCS Security Bounty Program is managed through Bugcrowd. Please report any vulnerabilities through our Bugcrowd page.

If you have identified a vulnerability, you must report it responsibly via our bounty program to be eligible for a reward. Not every report may qualify for a reward.

Q: How much do you pay for the discovery of security vulnerabilities?

Rewards range from $75.00 to $5,000.00 depending on the type and severity of the vulnerability being reported.

Rewards can be paid out via PayPal, BitCoin, or Western Union.

Q: What qualifies as a vulnerability?

Any design or implementation issue within the WHMCS software that substantially affects the confidentiality or integrity of user data or the system.

Examples include:

Cross-site scripting
Cross-site Request Forgery
Privilege escalation
Authentication or Authorization flaws
Information Disclosure

Q: What is out of Scope?

Known issues or previously reported vulnerabilities
Security vulnerabilities in third-party applications that integrate with WHMCS.
Security vulnerabilities in the underlying operating system.

Note: Vulnerability reports submitted regarding third party applications are communicated to the proper party and WHMCS works with these parties to coordinate a fix wherever possible.

Acknowledgements

We would like to thank the following individuals, researchers and firms who have helped make WHMCS better through responsible disclosure.