Security Bounty Program

Introduction

Security researchers play an important part in helping keep our product secure.

Our Security Bounty Program is our way to reward security researchers for finding and reporting security vulnerabilities to us.

Participation

The WHMCS Security Bounty Program is managed through Bugcrowd. Please report any vulnerabilities via our Bugcrowd page.

Questions & Answers

The WHMCS Security Bounty Program is managed through Bugcrowd. Please report any vulnerabilities through our Bugcrowd page.

If you have identified a vulnerability, you must report it responsibly via our bounty program to be eligible for a reward. Not every report may qualify for a reward.

Rewards range from $75.00 to $5,000.00 depending on the type and severity of the vulnerability being reported.

Rewards can be paid out via PayPal, Bitcoin, or Western Union.

Any design or implementation issue within the WHMCS software that substantially affects the confidentiality or integrity of user data or the system.

Examples include:
  • Cross-site scripting
  • Cross-site request forgery
  • Privilege escalation
  • Authentication or authorization flaws
  • Information disclosure
  • Known issues or previously reported vulnerabilities
  • Security vulnerabilities in third-party applications that integrate with WHMCS.
  • Security vulnerabilities in the underlying operating system.

Note: Vulnerability reports submitted regarding third-party applications are communicated to the proper party, and WHMCS works with these parties to coordinate a fix wherever possible.

Acknowledgements

We would like to thank the following individuals, researchers and firms who have helped make WHMCS better through responsible disclosure.

Report an issue

Visit our Bugcrowd page to report an issue.
