Bug Bounty Program
Our bug and security vulnerability reporting program is operated through OpenBugBounty.org
We value a complete report with full technical details. We must be able to reproduce the vulnerability and clearly demonstrate that it both exists and represents a weakness in our systems.
While we appreciate all types of reports, there needs to be at least one of the following in order to receive a reward:
1. A demonstrable leak of our data or our customers' data that should not be publicly accessible
2. Sufficient evidence that the weakness can be exploited to a detrimental enough effect to cause obvious problems with our systems.
Examples: simply having xml-rpc enabled in WordPress is not a vulnerability unless you can prove that our firewalls are not effectively blocking brute-force or DoS attacks against it, or that private data can be leaked through it. Usernames in WordPress are not considered private data, as they are visible on post pages throughout the site.
If you find a leak in data that belongs to third-party vendors such as WHMCS or Plesk, we’ll expect you to report it responsibly to the owner of that data.
Testing Requirements:
Ensure that any vulnerability scanners are rate-limited. Please provide complete steps to reproduce the issue and details on why you believe it to be a vulnerability.
Please do not submit lazy reports, such as “your server says it uses this library which is old!”, as many libraries either receive backported fixes while keeping their older version number or have no known vulnerabilities. You must successfully reproduce an attack on that library that satisfies our “General Requirements” for your report to be accepted.
Possible Awards:
Kudos is always guaranteed. Monetary rewards range from $50.00 to $2,000.00 (Canadian dollars), depending on the type and severity of the vulnerability being reported.
Rewards can be paid out only via PayPal.
Exclusions / Exceptions
- Plesk: If you have found a bug in the Plesk Control Panel that can only be repaired by modifying its code, and not by changing the web server configuration, you will need to submit it to the Plesk security team at security [@] plesk.com
- WHMCS: If you have found a bug in the software at clients.websavers.ca that can only be repaired by modifying its code, and not by changing the web server configuration, you will need to submit it to the WHMCS bug bounty program described here: https://www.whmcs.com/security-bounty-program/
- Known issues or previously reported vulnerabilities
- Security vulnerabilities in an underlying, yet supported, operating system that do not yet have a known patch
How to submit for a bounty
Our bug and security vulnerability reporting program is operated through OpenBugBounty.org – details on how to submit the report can be found there.