WHMCS Client Management Portal

  • $75 – $5,000 per vulnerability
  • Partial safe harbor

Important additions to the "Out of Scope list" on the WHMCS program

Effective immediately, any server or service hosted by WHMCS including (but not limited to) whmcs.com, subdomains "*.whmcs.com", "whmcs.community", etc is now out of scope.

Please do not target or submit reports for production websites operated by WHMCS.

The program is exclusively concerned with security research for the self-hosted WHMCS software.

Please re-review the bounty brief in detail and adjust your testing, and all scanners accordingly to make sure you are only testing and submitting in-scope bugs.

Any pending submissions submitted before the out of scope changes will be reviewed and processed accordingly.

If you have any questions on the change in the scope, please reach out to support@bugcrowd.com.