WHMCS Client Management Portal

  • $75 – $5,000 per vulnerability
  • Partial safe harbor

Brief Updated. Note the OOS target list

Hello WHMCS researchers,

We have updated the brief to make it clearer what is in scope and out of scope for this program. Please review the Out of Scope target list again and ensure your testing complies with the program rules. Failure to adhere to the guidelines will warrant removal from all similar programs.

At a high level:

  • Live production instances of WHMCS and any server or service hosted by WHMCS including (but not limited to) whmcs.com, subdomains "*.whmcs.com", "whmcs.community", etc are out of scope.
  • All WHMCS mobile apps are out of scope.
  • Please do not target or submit reports for production websites operated by WHMCS.
  • You are only allowed to test on your own WHMCS instance that you set up yourself

Please re-review the bounty brief in detail and adjust your testing accordingly to make sure you are only testing and submitting in-scope bugs.

If you have any questions on the change in the scope, please reach out to support@bugcrowd.com.