The target for this bounty is an all-in-one client management, billing & support solution intended primarily for web hosts, but also used by other types of online businesses.
The application scope for this test is:
- The WHMCS software application.
- Must be downloaded and properly installed on your own hosting environment.
- Proper installation includes performing the Further Security Steps (http://docs.whmcs.com/Further_Security_Steps).
The WHMCS installation package includes a number of addons - Project Management Addon, Licensing Addon, Configurable Package Addon and Mobile Edition. This covers all PHP code included with the download of WHMCS.
Testing licenses are made available free of charge to BugCrowd security researchers. Keys issued for the purposes of security research and development are valid for a period of 90 days at a time, and must be installed either in a localhost environment or behind a password protected directory - never publicly accessible to the Internet.
To obtain a license, please email firstname.lastname@example.org with the string "WHMCS installation code" in the email.
To be considered, submissions must work against an install that has had the Further Security Steps applied at installation. Details can be found here: http://docs.whmcs.com/Further_Security_Steps
The following are specifically excluded from scope and should not be tested:
- Any hosted server at *.whmcs.com - Testing against live production instances is STRICTLY forbidden. Testing against systems hosted by WHMCS or their customers will result in a disqualification of your submission.
- The WHMCS iPhone app
- The WHMCS Android app
- The WHMCS Windows Mobile app
The following finding types are specifically excluded from the bounty:
- General product bugs that do not have a security impact
- Descriptive error messages (e.g. Stack Traces, application or server errors).
- Login Page / Forgot Password Page Account Brute force or account lockout not enforced.
- HTTP 404 codes/pages or other HTTP non-200 codes/pages.
- Banner disclosure on common/public services.
- Disclosure of known public files or directories, (e.g. robots.txt).
- Clickjacking and issues only exploitable through clickjacking.
- Self-XSS and issues exploitable only through Self-XSS.
- CSRF on forms that are available to anonymous users (e.g. the contact form).
- Logout Cross-Site Request Forgery (logout CSRF).
- Presence of application or web browser ‘autocomplete’ or ‘save password’
- Impact from third-party code that augments core functionality (i.e, hooks, modules)
- License circumvention by means of deobfuscation, core code replacement, other means for product mutation
As well, Admin Area XSS and Stored XSS will be considered, but can be expected to be resolved as Not Applicable given the nature that Admins are authorized to create marked up content.
You will qualify for a reward if you were the first person to alert the program owner to a previously unknown issue and the issue triggers a code or configuration change. Find more details about how rewards work in the Bugcrowd Standard Disclosure Terms.
Qualifying submissions will be given monetary rewards and Bugcrowd Kudos points based on both the severity and impact of the issue being reported. Maximum payouts are as follows – all prices in USD:
Arbitrary Code Execution: $5,000
SQL Injection: $2,500
Authentication Bypass: $1,500
Cross-site request Forgery: $300
Cross-site Scripting: $250
If a valid bug requires Admin access, the bounty amount is halved.
Reporters are expected to keep details of a vulnerability private both prior to and after payment of a reward.