cPanel Security Bounty Program
Posted on December 9, 2013 by Lindsey
In order to show its appreciation for security researchers who follow responsible disclosure principles, cPanel, Inc. is offering a monetary reward program for researchers who provide assistance with identifying and correcting certain Qualifying Vulnerabilities within the scope of this program.
Software Covered by this Program
The cPanel & WHM and EasyApache software.
Configuration, setup, and customizations of third-party applications performed by the cPanel & WHM and EasyApache software.
Software not Covered by this Program
Third-party applications and software (including those distributed with, used by, or integrated into cPanel & WHM or EasyApache).
Vulnerabilities that exist in the operating system onto which cPanel & WHM is installed.
Vulnerabilities in software produced or maintained by companies owned by or affiliated with cPanel. Vulnerabilities in this software should be reported to these companies directly and are not within the scope of this bounty program.
Responsible Disclosure of Vulnerabilities in cPanel & WHM
To be eligible for a bounty under this program, you must be the first to report a Qualifying Vulnerability within the scope of this program. You must also adhere to cPanel’s Responsible Disclosure policy. This means:
After discovering a vulnerability in the covered software, you must submit the initial report to [email protected]. Reports of vulnerabilities submitted via other channels may not be considered eligible for any bounty reward.
cPanel’s Security Team will evaluate your report to determine whether or not it is a vulnerability in the covered software.
cPanel’s Security Team may ask for additional clarification from the reporter, assistance in replicating the vulnerability, or assistance in determining the best course of action for mitigating the vulnerability. The reporter is expected to provide timely responses to these inquiries.
cPanel’s Security Team will implement fixes for the vulnerability, if necessary.
cPanel’s Security Team will distribute the fixes to customers.
After sufficient time has passed for our customers to upgrade to fixed versions of our software, cPanel will release a detailed disclosure statement that explains the scope of the vulnerabilities that have been addressed.
After the detailed disclosure has been released, cPanel will provide a reward to the researchers who have maintained confidentiality with cPanel throughout the process.
cPanel will not discuss whether a vulnerability is within the scope of this program or any payout terms before the full Responsible Disclosure process has been completed.
Examples of Qualifying Vulnerabilities
Any design or implementation issue within cPanel & WHM that substantially affects the confidentiality or integrity of user data or the system is likely to be within the scope of this program. Common examples include:
Cross-Site Request Forgery
Authentication or Authorization flaws
Information disclosure flaws that allow users with limited privileges to view data they should not have access to
SQL injection flaws that cross privilege boundaries
Examples of Non-Qualifying Vulnerabilities
Although cPanel assesses each report on a case-by-case basis, some reports simply do not qualify for reward. Common examples of reports that typically do not qualify for reward include:
Local Denial of Service attacks. cPanel may consider vulnerabilities within this category to merit a bounty if they allow users with very limited privileges to disable services without sustained effort.
Logout Cross-Site Request Forgery attacks.
Flaws which require the use of out-of-date browsers, plugins, operating systems, or other client-side applications.
Flaws which exist only in unsupported versions of cPanel & WHM.
Vulnerabilities that are only exploitable when security controls in the software are intentionally disabled.
Vulnerabilities that require physical access to the systems being attacked.
Any actions performed intentionally by a user with proper authorization.
Any vulnerabilities that require an element of social engineering to succeed.
Aspects of the software that are not directly exploitable, but constitute potential hardening measures. While we appreciate input about methods to harden cPanel & WHM, such discussions are not within the scope of this program.
Behaviors or vulnerabilities within third-party software shipped with or used by cPanel & WHM that has not been modified by cPanel.
Confidentiality During the Responsible Disclosure Process
cPanel strives to address vulnerabilities in a timely and responsible fashion in order to protect our customers from unnecessary risk. We expect researchers to share this goal and maintain full confidentiality of any vulnerabilities they discover until these flaws are fully remediated and responsibly disclosed. Failure to maintain confidentiality with cPanel regarding a vulnerability during the full timeframe required for cPanel to evaluate, fix, and disclose the vulnerability will be considered a breach of trust by the researcher and will result in the loss of any bounty that would otherwise be due for the discovery of the vulnerability.
cPanel considers ANY public discussion of a vulnerability, even hints at the existence of such a vulnerability, to be a breach of these confidentiality requirements. Further, sharing information regarding a vulnerability with any third parties during the time required for cPanel to address the vulnerability will also be considered a breach. Failure to maintain confidentiality during the resolution of a vulnerability will result in disqualification of the specific vulnerability disclosed and may result in the reporter being barred from any future rewards under this program.
Any tax consequences resulting from the payment of a reward are the recipient’s sole responsibility. Depending on the recipient’s country of residency and citizenship, additional restrictions (such as international and local laws) may limit the ability of a reporter to receive a reward or impose additional requirements on cPanel or the reporter. When direct payment is not possible or desired, reporters of qualifying vulnerabilities will be given the option to donate the bounty reward to a non-profit charity of their choosing from a list of eligible charities provided by cPanel.
cPanel, in its sole discretion, shall determine the eligibility of all submissions and amount of any final reward offered. Additionally, cPanel may discontinue the reward program at any time with or without notice. cPanel, Inc. staff and their family, friends, neighbors, associates, etc., are not eligible to receive any rewards under this program.
In cases where multiple parties (including cPanel itself) independently discover the same vulnerability, only the first party to discover the vulnerability will be credited for the finding or awarded any bounty under this program.
cPanel likes to give public recognition to individuals and companies that assist with fixing security vulnerabilities, but understands that some vulnerability reporters do not desire public acknowledgement. If you desire to remain anonymous, meaning no public mention of you or your company, please let us know.
For the PGP-signed message, see bounty-program.