Author Topic: WHMCS Bug Bounty  (Read 12859 times)

Angelina

  • Moderator
  • Experienced Member
  • Posts: 357
WHMCS Bug Bounty
« on: May 05, 2023, 05:54:37 pm »
Submit bug report: http://whmcs.com

Policy

The target for this bounty is an all-in-one client management, billing & support solution intended primarily for web hosts, but also used by other types of online businesses.
Targets

The application scope for this test is:
  • The WHMCS software application.
  • Must be downloaded and properly installed on your own hosting environment.
  • Proper installation includes performing the Further Security Steps (http://docs.whmcs.com/Further_Security_Steps).
  • The WHMCS installation package includes a number of addons - Project Management Addon, Licensing Addon, Configurable Package Addon and Mobile Edition. This covers all PHP code included with the download of WHMCS.
Testing licenses are made available free of charge to BugCrowd security researchers. Keys issued for the purposes of security research and development are valid for a period of 90 days at a time, and must be installed either in a localhost environment or behind a password protected directory - never publicly accessible to the Internet.
To obtain a license, please email support@bugcrowd.com with the string "WHMCS installation code" in the email.
To be considered, submissions must work against an install that has had the Further Security Steps applied at installation. Details can be found here: http://docs.whmcs.com/Further_Security_Steps
The following are specifically excluded from scope and should not be tested:
  • Any hosted server at *.whmcs.com - Testing against live production instances is STRICTLY forbidden. Testing against systems hosted by WHMCS or their customers will result in a disqualification of your submission.
  • The WHMCS iPhone app
  • The WHMCS Android app
  • The WHMCS Windows Mobile app
The following finding types are specifically excluded from the bounty:
  • Descriptive error messages (e.g. Stack Traces, application or server errors).
  • Login Page / Forgot Password Page Account Brute force or account lockout not enforced.
  • HTTP 404 codes/pages or other HTTP non-200 codes/pages.
  • Banner disclosure on common/public services.
  • Disclosure of known public files or directories (e.g. robots.txt).
  • Clickjacking and issues only exploitable through clickjacking.
  • Self-XSS and issues exploitable only through Self-XSS.
  • CSRF on forms that are available to anonymous users (e.g. the contact form).
  • Logout Cross-Site Request Forgery (logout CSRF).
  • Presence of application or web browser ‘autocomplete’ or ‘save password
Policy: https://bugcrowd.com/whmcs

Domains
  • whmcs.com