This bounty program is for the WHMCS product: an all-in-one client management, billing & support solution. The product is used primarily by web hosting companies but also by other types of online businesses. It is a self-hosted, PHP-based application installed and managed by those companies (the operator).
As a Researcher you will be targeting your own deployment of the product. You will utilize your knowledge and skill to find security flaws in the implementation of the software, whose design is to provide automation around client management.
Reports will be reviewed and evaluated on an individual basis. You can expect valid security flaws to be rewarded based on both technical and business impact.
Make sure to read the entire Program Brief below to understand more about scope, non-disclosure, and rewards. Researcher success is important to us and to Bugcrowd, so please reach out to email@example.com if you need clarity or assistance.
You will be researching WHMCS, a LAMP application. You will need to install and configure your own instance on your own infrastructure.
Testing against production instances is STRICTLY prohibited; See Targets below for more information.
WHMCS is licensed software. Testing licenses for WHMCS are made available free of charge to Bugcrowd security researchers. Keys issued for the purposes of security research and development are valid for a period of 90 days at a time, and must be installed either in a localhost environment or behind a password protected directory - never publicly accessible to the Internet.
To obtain a license, please email firstname.lastname@example.org with the string "WHMCS installation code" in the email. Once you have completed registration, you will be able to access your testing license and download the software from WHMCS directly.
Unauthenticated and client authenticated areas of WHMCS are the most valued focuses.
The authenticated admin area is also a good focus; however, keep in mind that permissions granted to the "full admin" role, but not to other roles, implicitly define super privileges. Features and inputs associated with super privileges may (by design) permit stored markup, or may be combined with other permissions to the detriment of a business and its clients.
Each report will be evaluated and variably rewarded based on both technical and business impact, given the focus and trust boundaries outlined in the paragraphs above. The reward structure is provided in the Reward section below; it is a good indication of what researchers with valid reports can expect.
Below is a list of some of the vulnerability classes that we are seeking reports for:
Ensure you review the Targets and Rules & Limitations sections below for further details.
Beyond the list of Common "Non-qualifying" Submission Types itemized in the Standard Disclosure Terms, the following finding types are specifically excluded from the bounty and will not receive a monetary reward:
WHMCS application, hosted by the researcher in a non-public environment.
The following are specifically excluded from scope and should not be tested:
To be considered valid, submissions must at a minimum describe a security flaw within the WHMCS codebase.
Attack vectors, or any information required to leverage a security flaw, must remain possible despite the Further Security Steps recommended to all WHMCS customers. Details can be found here: http://docs.whmcs.com/Further_Security_Steps. Any report which cannot be reproduced in an environment that has followed the Further Security Steps will be considered invalid.
You will qualify for a monetary reward if you are
the first person to alert the program owner to a previously unknown issue in the current Active Development version of WHMCS
and the issue triggers a code or configuration change.
You can find more details about how rewards work in the Bugcrowd Standard Disclosure Terms.
Any retaliatory remarks will be reported to Bugcrowd for review and assessment against the Code of Conduct which may result in consequences as outlined in the aforementioned document.
Furthermore, any retaliatory actions or harm to WHMCS or its customers resulting from behavior expressly forbidden within the Bugcrowd Platform or this Program will be reported to WHMCS legal counsel for the pursuit of damages.
_Please note: This program does *not* allow disclosure._ You may not release information about vulnerabilities found in this program to the public.
If a researcher wants to retain disclosure rights, they may put forth a proposal that will be considered under the most extreme and convincing circumstances.
In summary: all submissions made through the Bugcrowd platform, rewarded or not, including Duplicate, Out of Scope, and Not Applicable submissions, are not to be disclosed to the public at any level of detail at any time, unless guided by WHMCS following explicit, written permission.
If this is unacceptable, we humbly request researchers find another Program that is more aligned to their needs and perspective.
Monetary rewards are variable and guided by Category and Tier as illustrated in the table below.
| Category | Tier 1 | Tier 2 | Tier 3 | Tier 4 |
|---|---|---|---|---|
| P1 | Up to $5,000 | Up to $2,500 | Up to $1,250 | Up to $750 |
| P2 | Up to $2,500 | Up to $1,250 | Up to $750 | Up to $500 |
| P3 | Up to $1,250 | Up to $500 | Up to $250 | Up to $75 |
| P4 | Up to $250 | Up to $125 | Up to $75 | -- |
The following Tier segmentations provide a guideline for evaluating potential business risk and impact. They should help inform you, the researcher, of the value WHMCS places on your technical efforts within the scope of this Program. Beyond these tier guidelines, exceptional findings and collaborations that do not fit easily in the matrix may be rewarded uniquely.
Unauthenticated and unaided
The matrix above assumes a single request. Any reproduction that requires multiple attack requests, staged or stored content, broken configurations, or multiple sources of authority/authorization (i.e. second-order, multi-user, or illogical permission sets) can expect to receive no more than half of the guideline reward.
Any payout is at the discretion of the WHMCS Security Team. Any disagreement about assessment of category, tier, or payout should be discussed in the report and with email@example.com.
This program follows Bugcrowd’s standard disclosure terms.
This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.