Note the targets of this program. You are only allowed to test on a WHMCS instance that you spin up and own.
This bounty program is for the WHMCS product: an all-in-one client management, billing & support solution. The product is used primarily by web hosting companies but also by other types of online businesses. It is a self-hosted, PHP-based application installed and managed by those companies (the operator).
As a Researcher, you will be targeting your own deployment of the product. You will use your knowledge and skill to find security flaws in the implementation of the software, which is designed to provide automation around client management.
Reports will be reviewed and evaluated on an individual basis. You can expect valid security flaws to be rewarded based on both technical and business impact.
Make sure to read the entire Program Brief below to understand more about the scope, non-disclosure, and rewards. Researcher success is important to us and Bugcrowd so please reach out to firstname.lastname@example.org if you need clarity or assistance.
Please do not target or submit reports for production websites operated by WHMCS. The program is exclusively concerned with security research for the self-hosted WHMCS software.
Out of scope
Testing is only authorized on the targets listed as In-Scope. Any domain/property of WHMCS not listed in the targets section is out of scope. This includes any/all subdomains not listed above. If you believe you've identified a vulnerability on a system outside the scope, please reach out to email@example.com before submitting.
You will be researching WHMCS, a LAMP application. You will need to install and configure your own instance on your own infrastructure.
WHMCS is licensed software. Testing licenses for WHMCS are made available free of charge to Bugcrowd security researchers. Keys issued for the purposes of security research and development are valid for a period of 90 days at a time, and must be installed either in a localhost environment or behind a password protected directory - never publicly accessible to the Internet.
To obtain a license, please email firstname.lastname@example.org with the string "WHMCS installation code" in the email. Once you have completed registration, you will be able to access your testing license and download the software from WHMCS directly.
NOTE: Testing against production instances (or any instance not owned by you) is STRICTLY prohibited
- Unauthenticated and client authenticated areas of WHMCS are the most valued focuses.
- The authenticated admin area is also a good focus. However, keep in mind that permissions granted to the "Full Admin" role, but not to other roles, implicitly define super privileges. Features and inputs associated with super privileges may (by design) permit stored markup, or may be used in combination with other permissions to the detriment of a business and its clients.
- Each report will be evaluated & variably rewarded based on both technical and business impact given the focus and trust outlined in the above paragraph. The reward structure is provided in the Reward section below. It is a good example of what researchers with valid reports can expect.
- Below is a list of some of the vulnerability classes that we are seeking reports for:
- Server-side Remote Code Execution (RCE)
- SQL Injection (SQLi)
- Authentication Bypass
- Cross-site Request Forgery (CSRF)
- Cross-site Scripting (XSS)
Beyond the list of Common "Non-qualifying" Submission Types itemized in the Standard Disclosure Terms, the following targets and vulnerabilities are specifically excluded from scope and should not be tested:
- Any server or service hosted by WHMCS including (but not limited to) whmcs.com, subdomains (*.whmcs.com), whmcs.community, etc.
- Live production instances of the WHMCS product: Testing against live production instances is STRICTLY forbidden.
- Testing against systems hosted by WHMCS or their customers will result in a disqualification of your submission.
- Not only is testing against production systems disruptive for operators but also problematic from a research standpoint. Observed flawed behavior of a production system outside your control might be due to issues not related to the product and thus not reproducible (and thus not eligible for reward).
- Any distributed dependency of the WHMCS application, such as PHP and JS packages/libraries not authored by WHMCS.
- External services provided by WHMCS that are utilized by the WHMCS application.
- External services/APIs utilized by the WHMCS application for integration with vendor services, such as merchant gateways, SaaS platforms, etc.
- External services offered through the MarketConnect reseller channel
- Server environment context or behaviors, such as the LAMP stack, OpenSSL or cURL libraries, etc.
- Software solutions or services for which WHMCS is a distribution partner, such as Chatstack Live Chat (distributed by WHMCS at the MarketPlace)
- General product bugs that do not have a security impact
- Miscalculation of payment, tax, or other bug related to improper billing for access to services.
- License circumvention by means of deobfuscation, core code replacement, other means for product mutation.
- Self-XSS and issues exploitable only through Self-XSS.
- Stored XSS created by Admin (whose privileges allow content creation for use by lesser or equally privileged admins, clients, or site visitors).
- CSRF on forms that are available to anonymous users or for customization (i.e. the contact form, login form, etc).
- SSRF by an Admin with privilege to access or manage (a) remote servers/3rd-party integrations and/or (b) configurations within WHMCS for servers or integrations.
- Exploits requiring control of servers configured in (and implicitly under the automation authority of) the WHMCS instance.
- Presence of application or web browser ‘autocomplete’ or ‘save password’
- Impact from third-party code that augments core functionality (e.g., hooks, modules).
- Any flaw requiring access to, or execution of, files or routines of the manual installer/updater.
- Disclosure of access credentials for remote systems to Admins authorized to access respective system.
The WHMCS application has many service integrations (modules). In most cases, these integrations are maintained by WHMCS; the design of the service's API will, of course, be a limiting factor on the level of security that is possible and practical for WHMCS. In other cases the integration code has been provided directly by the service provider, and maintenance/security must be handled by them; WHMCS simply ships the integration as part of the packaged application. Reports against these integrations will be evaluated for scope applicability. Where a report is not applicable to the WHMCS security team, researchers will be given an appropriate contact when one is available.
Rules & Limitations
To be considered valid, submissions must at a minimum describe a security flaw within the WHMCS codebase.
Attack vectors, or information required to leverage a security flaw, must remain possible despite the Further Security Steps recommendations provided to all WHMCS customers. Details can be found here: http://docs.whmcs.com/Further_Security_Steps. Any report which cannot be reproduced in an environment that has followed the Further Security Steps will be considered invalid.
You will qualify for a monetary reward if you are:
- the first person to alert the program owner to a previously unknown issue in the current Active Development version of WHMCS
- and the issue triggers a code or configuration change.
You can find more details about how rewards work in the Bugcrowd Standard Disclosure Terms.
Any retaliatory remarks will be reported to Bugcrowd for review and assessment against the Code of Conduct which may result in consequences as outlined in the aforementioned document.
Furthermore, any retaliatory actions or harm to WHMCS or its customers resulting from behavior expressly forbidden within the Bugcrowd Platform or this Program will be reported to WHMCS legal counsel in pursuit of damages.
Please Note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.
If a researcher wants to retain disclosure rights, they may put forth a proposal that will be considered under the most extreme and convincing circumstances.
In summary: all submissions made through the Bugcrowd platform, rewarded or not, including Duplicates, Out of Scope, and Not Applicable submissions, are not to be disclosed to the public at any level of detail at any time unless guided by WHMCS following explicit, written permission.
If this is unacceptable, we humbly request researchers find another Program that is more aligned to their needs and perspective.
Monetary rewards are variable and guided by Category and Tier as illustrated in the table below.
| Category | Tier 1 | Tier 2 | Tier 3 | Tier 4 |
|---|---|---|---|---|
| P1 | Up to $5,000 | Up to $2,500 | Up to $1,250 | Up to $750 |
| P2 | Up to $2,500 | Up to $1,250 | Up to $750 | Up to $500 |
| P3 | Up to $1,250 | Up to $500 | Up to $250 | Up to $75 |
| P4 | Up to $250 | Up to $125 | Up to $75 | -- |
The following Tier segmentations provide a guideline for evaluating potential business risk and impact. They should help inform you, the researcher, of the value WHMCS places on your technical efforts within the scope of this Program. Beyond these tier guidelines, exceptional findings and collaborations that do not easily fit in the matrix may be rewarded uniquely.
- Unauthenticated and unaided
- Authenticated as Client user
- Authenticated Admin user without permissions attributed to the "Full Admin" default role
- Authenticated API user
- Authenticated Admin user with permissions attributed to the "Full Admin" default role
The matrix above is based on a single request. Any reproduction steps that require multiple attack requests, staged/stored content, broken configurations, or multiple sources of authority/authorization (i.e., second-order, multi-user, or illogical permission sets) can expect to receive no more than half of the guideline reward.
Any payout is at the discretion of the WHMCS Security Team. Any disagreement about the assessment of category, tier, or payout should be discussed in the report and with email@example.com.