WHMCS Client Management Portal

  • $75 – $5,000 per vulnerability
  • Partial safe harbor

Program stats

  • Vulnerabilities rewarded 183
  • Validation within 6 days 75% of submissions are accepted or rejected within 6 days
  • Average payout $250 within the last 3 months

Latest hall of famers

Recently joined this program


Please note: This program or engagement does not allow disclosure. You may not release information about vulnerabilities found in this program or engagement to the public.

Note the targets of this program. You are only allowed to test on a WHMCS instance that you spin up and own.

Quick Overview

This bounty program is for the WHMCS product: an all-in-one client management, billing & support solution. The product is used primarily by web host companies but also other types of online businesses. It is a self-hosted PHP based application installed and managed by those companies (operator).

As a Researcher, you will be targeting your own deployment of the product. You will utilize your knowledge and skill to find security flaws in the implementation of the software, whose design is to provide automation around client management.

Reports will be reviewed and evaluated on an individual basis. You can expect valid security flaws to be rewarded based on both technical and business impact.

Make sure to read the entire Program Brief below to understand more about the scope, non-disclosure, and rewards. Researcher success is important to us and Bugcrowd so please reach out to support@bugcrowd.com if you need clarity or assistance.
Please do not target or submit reports for production websites operated by WHMCS. The program is exclusively concerned with security research for the self-hosted WHMCS software.

Scope and rewards

Program rules

This program follows Bugcrowd’s standard disclosure terms.

For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please email support@bugcrowd.com. We will address your issue as soon as possible.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.