This bounty program is for the WHMCS product: an all-in-one client management, billing & support solution. The product is used primarily by web hosting companies but also by other types of online businesses. It is a self-hosted PHP based application installed and managed by those companies (the operator).
As a Researcher you will be targeting your own deployment of the product. You will utilize your knowledge and skill to find security flaws in the implementation of the software, whose design is to provide automation around client management.
Reports will be reviewed and evaluated on an individual basis. You can expect valid security flaws to be rewarded based on both technical and business impact.
Make sure to read the entire Program Brief below to understand more about scope, non-disclosure, and rewards. Researcher success is important to us and Bugcrowd, so please reach out to firstname.lastname@example.org if you need clarity or assistance.
You will be researching WHMCS, a LAMP application. You will need to install and configure your own instance on your own infrastructure.
Testing against production instances is STRICTLY prohibited; See Targets below for more information.
WHMCS is licensed software. Testing licenses for WHMCS are made available free of charge to Bugcrowd security researchers. Keys issued for the purposes of security research and development are valid for a period of 90 days at a time, and must be installed either in a localhost environment or behind a password protected directory - never publicly accessible to the Internet.
To obtain a license, please email email@example.com with the string "WHMCS installation code" in the email. Once you have completed registration, you will be able to access your testing license and download the software from WHMCS directly.
Unauthenticated and client authenticated areas of WHMCS are the most valued focuses.
The authenticated admin area is also a good focus; however, please keep in mind that permissions granted to the "full admin" role, but not to others, implicitly define super privileges. Features and input associated with super privileges may (by design) permit stored markup, or may be used in combination with other permissions to the detriment of a business and its clients.
Each report will be evaluated & variably rewarded based on both technical and business impact given the focus and trust outlined in the above paragraph. The reward structure is provided in the Reward section below. It is a good example of what researchers with valid reports can expect.
Below is a list of some of the vulnerability classes that we are seeking reports for:
- Server-side Remote Code Execution (RCE)
- SQL Injection (SQLi)
- Authentication Bypass
- Cross-site Request Forgery (CSRF)
- Cross-site Scripting (XSS)
Ensure you review the Targets and Rules & Limitations sections below for further details.
Beyond the list of Common "Non-qualifying" Submission Types itemized in the Standard Disclosure Terms, the following finding types are specifically excluded from the bounty and will not receive a monetary reward:
- General product bugs that do not have a security impact
- Miscalculation of payment, tax, or other bug related to improper billing for access to services.
- License circumvention by means of deobfuscation, core code replacement, or other means of product mutation.
- Self-XSS and issues exploitable only through Self-XSS.
- Stored XSS created by Admin (whose privileges allow content creation for use by lesser or equally privileged admins, clients, or site visitors).
- CSRF on forms that are available to anonymous users or for customization (e.g. the contact form, login form, etc.).
- SSRF by an Admin with privilege to access or manage a) remote servers/3rd-party integrations and/or b) configurations within WHMCS for servers or integrations.
- Exploits requiring control of servers configured in (and implicitly under the automation authority of) the WHMCS instance.
- Presence of application or web browser 'autocomplete' or 'save password' features.
- Impact from third-party code that augments core functionality (e.g. hooks, modules).
- Any flaw requiring access to, or execution of, files or routines of the manual installer/updater.
- Disclosure of access credentials for remote systems to Admins authorized to access the respective system.
In Scope
- WHMCS application, hosted by the researcher in a non-public environment.
Out of Scope
The following are specifically excluded from scope and should not be tested:
- Any hosted server at *.whmcs.com
- Live production instances of the WHMCS product: Testing against live production instances is STRICTLY forbidden.
- Testing against systems hosted by WHMCS or their customers will result in disqualification of your submission.
- Not only is testing against production systems disruptive for operators, it is also problematic from a research standpoint: flawed behavior observed on a production system outside your control might be due to issues unrelated to the product and thus not reproducible (and thus not eligible for reward).
- The WHMCS iPhone app
- The WHMCS Android app
- The WHMCS Windows Mobile app
- Any distributed dependency of the WHMCS application, such as PHP & JS packages/libraries not authored by WHMCS.
- External services provided by WHMCS that are utilized by the WHMCS application.
- Server environment context or behaviors, such as the LAMP stack, OpenSSL or cURL libraries, etc.
Rules & Limitations
To be considered valid, submissions must at a minimum describe a security flaw within the WHMCS codebase.
Attack vectors or information required to leverage a security flaw must remain possible despite the Further Security Steps recommendations provided to all WHMCS customers. Details can be found here: http://docs.whmcs.com/Further_Security_Steps. Any report which cannot be reproduced in an environment that has followed the Further Security Steps will be considered invalid.
You will qualify for a monetary reward if you are the first person to alert the program owner to a previously unknown issue in the current Active Development version of WHMCS, and the issue triggers a code or configuration change.
You can find more details about how rewards work in the Bugcrowd Standard Disclosure Terms.
Any retaliatory remarks will be reported to Bugcrowd for review and assessment against the Code of Conduct which may result in consequences as outlined in the aforementioned document.
Furthermore, any retaliatory actions or harm to WHMCS or its customers resulting from behavior expressly forbidden within the Bugcrowd Platform or this Program will be reported to WHMCS legal counsel for the pursuit of damages.
Please Note: This program does **not allow disclosure**. You may not release information about vulnerabilities found in this program to the public.
If a researcher wants to retain disclosure rights, they may put forth a proposal that will be considered under the most extreme and convincing circumstances.
In summary: all submissions made through the Bugcrowd platform, rewarded or not, including Duplicates, Out of Scope, and Not Applicable submissions, are not to be disclosed at any level of detail to the public at any time unless guided by WHMCS following explicit, written permission.
If this is unacceptable, we humbly request researchers find another Program that is more aligned to their needs and perspective.
Monetary rewards are variable and guided by Category and Tier as illustrated in the table below.
| Category | Tier 1 | Tier 2 | Tier 3 | Tier 4 |
|---|---|---|---|---|
| P1 | Up to $5,000 | Up to $2,500 | Up to $1,250 | Up to $750 |
| P2 | Up to $2,500 | Up to $1,250 | Up to $750 | Up to $500 |
| P3 | Up to $1,250 | Up to $500 | Up to $250 | Up to $75 |
| P4 | Up to $250 | Up to $125 | Up to $75 | -- |
The following Tier segmentations provide a guideline for evaluating potential business risk and impact. These should help inform you, the researcher, of the value WHMCS places on your technical efforts within the scope of this Program. Beyond these tier guidelines, exceptional findings and collaborations that do not easily fit in the matrix may be rewarded uniquely.
- Unauthenticated and unaided
- Authenticated as Client user
- Authenticated Admin user without permissions attributed to the "Full Admin" default role
- Authenticated API user
- Authenticated Admin user with permissions attributed to the "Full Admin" default role
The matrix above is based on one single request. Any reproduction steps that require multiple attack requests, staged/stored content, broken configurations, or multiple sources of authority/authorization (i.e. second-order, multi-user, or illogical permission sets) can expect to receive no more than half of the guideline reward.
Any payout is at the discretion of the WHMCS Security Team. Any disagreement about assessment of category, tier, or payout should be discussed in the report and with firstname.lastname@example.org.