Security Bounty Program

We are WHMCS, the complete web hosting automation solution

Security researchers play an important part in helping keep our product secure and so in an effort to reward those who discover and report issues to us in a responsible way, we offer monetary rewards.

How much do you pay for the discovery of security vulnerabilities?

Rewards range from $75.00 to $5,000.00 depending on the type and severity of the vulnerability being reported.

Rewards can be paid out via PayPal, BitCoin, or Western Union.

What qualifies as a vulnerability?

Any design or implementation issue within the WHMCS software that substantially affects the confidentiality or integrity of user data or the system.

Examples include:

What is out of Scope?

Note: Vulnerability reports submitted regarding third party applications are communicated to the proper party and WHMCS works with these parties to coordinate a fix wherever possible.

How do I participate?

To begin, click here to register as a tester. You will need to accept our bounty terms prior to engaging in testing. If you have identified a vulnerability, you must report it responsibly via our bounty program to be eligible for a reward. Not every report may qualify for a reward.


We would like to thank the following individuals, researchers and firms who have helped make WHMCS better through responsible disclosure.