How much do you pay for the discovery of security vulnerabilities?
Rewards range from $75.00 to $5,000.00 depending on the type and severity of the vulnerability being reported.
Rewards can be paid out via PayPal, Bitcoin, or Western Union.
What qualifies as a vulnerability?
Any design or implementation issue within the WHMCS software that substantially affects the confidentiality or integrity of user data or the system.
- Cross-site scripting
- Cross-site request forgery
- Privilege escalation
- Authentication or authorization flaws
- Information disclosure
What is out of scope?
- Known issues or previously reported vulnerabilities
- Security vulnerabilities in third-party applications that integrate with WHMCS.
- Security vulnerabilities in the underlying operating system.
Note: Vulnerability reports submitted regarding third-party applications are communicated to the proper party, and WHMCS works with these parties to coordinate a fix wherever possible.
How do I participate?
To begin, click here to register as a tester. You will need to accept our bounty terms prior to engaging in testing. If you have identified a vulnerability, you must report it responsibly via our bounty program to be eligible for a reward. Not every report may qualify for a reward.
We would like to thank the following individuals, researchers and firms who have helped make WHMCS better through responsible disclosure.