cPanel Security Bounty Program

[Administrator]

In order to show its appreciation for security researchers who follow
responsible disclosure principles, cPanel, Inc. is offering a monetary reward
program for researchers who provide assistance with identifying and correcting
certain Qualifying Vulnerabilities within the scope of this program.

Software Covered by this Program
- ——————————–

* The cPanel & WHM and EasyApache software.
* Configuration, setup, and customizations of third-party applications performed
by the cPanel & WHM and EasyApache software.

Software not Covered by this Program
- ————————————

* Third-party applications and software (including those distributed with, used
by, or integrated into cPanel & WHM or EasyApache.)
* Vulnerabilities that exist in the operating system onto which cPanel & WHM is
installed.
* Vulnerabilities in software produced or maintained by companies owned by or
affiliated with cPanel. Vulnerabilities in this software should be reported to
these companies directly and are not within the scope of this bounty program.

Responsible Disclosure of Vulnerabilities in cPanel & WHM
- ———————————————————

To be eligible for a bounty under this program, you must be the first to report
a Qualifying Vulnerability within the scope of this program. You must also
adhere to cPanel’s Responsible Disclosure policy. This means:

* After discovering a vulnerability in the covered software, you must submit the
initial report to security@cpanel.net. Reports of vulnerabilities submitted
via other channels may not be considered eligible for any bounty reward.
* cPanel’s Security Team will evaluate your report to determine whether or not
it is a vulnerability in the covered software.
* cPanel’s Security Team may ask for additional clarification from the reporter,
assistance in replicating the vulnerability, or assistance in determining the
best course of action for mitigating the vulnerability. The reporter is
expected to provide timely responses to these inquiries.
* cPanel’s Security Team will implement fixes for the vulnerability, if
necessary.
* cPanel’s Security Team will distribute the fixes to customers.
* After sufficient time has passed for our customers to upgrade to fixed
versions of our software, cPanel will release a detailed disclosure statement
that explains the scope of the vulnerabilities that have been addressed.
* After the detailed disclosure has been released, cPanel will provide a reward
to the researchers who have maintained confidentiality with cPanel throughout
the process.
* cPanel will not discuss whether a vulnerability is within the scope of this
program or any payout terms before the full Responsible Disclosure process has
been completed.

Examples of Qualifying Vulnerabilities
- ————————————–

Any design or implementation issue within cPanel & WHM that substantially
affects the confidentiality or integrity of user data or the system is likely to
be within the scope of this program. Common examples include:

* Cross-Site Scripting
* Cross-Site Request Forgery
* Privilege escalation
* Authentication or Authorization flaws
* Information disclosure flaws that allow users with limited privileges to view
data they should not have access to
* SQL injection flaws that cross privilege boundaries

Examples of Non-Qualifying Vulnerabilities
- ——————————————

Although cPanel assesses each report on a case-by-case basis, some reports
simply do not qualify for reward. Common examples of reports that typically do
not qualify for reward include:

* Execution of code or JavaScript supplied in themes, translations, and
brandings that were installed by accounts with appropriate authorization.
* Local Denial of Service attacks. cPanel may consider vulnerabilities within
this category to merit a bounty if they allow users with very limited
privileges to disable services without sustained effort.
* Logout Cross-Site Request Forgery attacks.
* Flaws which require the use of out of date browsers, plugins, operating
systems, or other client-side applications.
* Flaws which exist only in unsupported versions of cPanel & WHM.
* Vulnerabilities that are only exploitable when security controls in the
software are intentionally disabled.
* Vulnerabilities that require physical access to the systems being attacked.
* Any actions performed intentionally by a user with proper authorization.
* Any vulnerabilities that require an element of social engineering to succeed.
* Aspects of the software that are not directly exploitable, but constitute
potential hardening measures. While we appreciate input about methods to
harden cPanel & WHM, such discussions are not within the scope of this
program.
* Behaviors or vulnerabilities within third-party software shipped with or used
by cPanel & WHM that has not been modified by cPanel.

Confidentiality During the Responsible Disclosure Process
- ———————————————————

cPanel strives to address vulnerabilities in a timely and responsible fashion in
order to protect our customers from unnecessary risk. We expect researchers to
share this goal and maintain full confidentiality of any vulnerabilities they
discover until these flaws are fully remediated and responsibly disclosed.
Failure to maintain confidentiality with cPanel regarding a vulnerability during
the full timeframe required for cPanel to evaluate, fix, and disclose the
vulnerability will be considered a breach of trust by the researcher and will
result in the loss of any bounty that would otherwise be due for the discovery
of the vulnerability.

cPanel considers ANY public discussion of a vulnerability, even hints at the
existence of such a vulnerability, to be a breach of these confidentiality
requirements. Further, sharing information regarding a vulnerability with any
third-parties during the time required for cPanel to address the vulnerability
will also be considered a breach. Failure to maintain confidentiality during the
resolution of a vulnerability will result in disqualification of the specific
vulnerability disclosed and may result in the reporter being barred from any
future rewards under this program.

Reward Eligibility
- ——————

Any tax consequences resulting from the payment of a reward are the recipient’s
sole responsibility. Depending on the recipient’s country of residency and
citizenship, additional restrictions (such as international and local laws) may
limit the ability of a reporter to receive a reward or impose additional
requirements on cPanel or the reporter. When direct payment is not possible or
desired, reporters of qualifying vulnerabilities will be given the option to
donate the bounty reward to a non-profit charity of their choosing from a list
of eligible charities provided by cPanel.

cPanel, in its sole discretion, shall determine the eligibility of all
submissions and amount of any final reward offered. Additionally, cPanel may
discontinue the reward program at any time with or without notice. cPanel, Inc.
staff and their family, friends, neighbors, associates, etc., are not eligible
to receive any rewards under this program.

In cases where multiple parties (including cPanel itself) independently discover
the same vulnerability, only the first party to discover the vulnerability will
be credited for the finding or awarded any bounty under this program.

cPanel likes to give public recognition to individuals and companies that assist
with fixing security vulnerabilities, but understands that some vulnerability
reporters do not desire public acknowledgement. If you desire to remain
anonymous, meaning no public mention of you or your company, please let us know.

For the PGP-signed message, see bounty-program.

View the full article