Security Program

Bug Bounty Program

Help us keep HPanel secure. Find vulnerabilities, report responsibly, and earn your place in our Hall of Fame.

  • Program Status: Active
  • Reward Type: Hall of Fame
  • Response Time: < 48h
  • Assets in Scope: 6

Program Scope

What you can and cannot test

In Scope

  • HPanel User Panel (*:2053)
  • HPanel Admin Panel (*:2057)
  • HPanel Webmail (*:2059)
  • HPanel REST API (/api/*)
  • HPanel Website (hpanel.net)
  • WHMCS Module integration endpoints

Out of Scope

  • Third-party services (Cloudflare, DNS providers)
  • Other customers' HPanel installations
  • Physical attacks or social engineering
  • Denial of Service (DoS/DDoS) attacks
  • Brute force attacks on login endpoints
  • Self-XSS or unlikely user interaction
  • Missing headers without demonstrable exploit

Severity Levels

How we classify reported vulnerabilities

Critical

RCE, Auth Bypass, SQL Injection, Privilege Escalation to Root

High

Stored XSS, IDOR, Account Takeover, API Key Leakage

Medium

CSRF, Information Disclosure, Session Fixation

Low

Reflected XSS, Verbose Errors, Missing Rate Limiting

How to Report

Submit your findings with a valid Proof of Concept

Report Must Include

  • Description — Clear explanation of the vulnerability
  • Steps to Reproduce — Detailed step-by-step instructions
  • Proof of Concept — Screenshots, video, or exploit code
  • Impact — What an attacker could achieve
  • Affected Endpoint — Exact URL or API route
  • Your Name & Country — For Hall of Fame listing

Response Timeline

  • Acknowledgment (within 48 hours): We confirm receipt of your report
  • Triage & Validation (5 business days): We reproduce and assess severity
  • Status Update (10 business days): We share our findings with you
  • Fix Deployed (7–30 days): Patch released based on severity
  • Hall of Fame (after deployment): Your name added after fix ships

Rules of Engagement

Follow these rules to participate responsibly

Do

  • Test only against your own accounts
  • Use a free trial for testing
  • Provide clear PoC with every report
  • Give us 90 days before public disclosure
  • Report one vulnerability per submission

Don't

  • Access or modify other users' data
  • Perform DoS/DDoS attacks
  • Use automated scanners with heavy traffic
  • Publicly disclose before we fix it
  • Chain unrelated issues in one report

Safe Harbor

We consider security research conducted in accordance with this policy to be authorized, helpful, and protected. We will not pursue legal action against researchers who follow these rules.

🏆 Hall of Fame

Security researchers who helped make HPanel safer

No entries yet

Be the first to find a vulnerability and earn your spot here.

Found a Vulnerability?

Help us improve HPanel security — report responsibly and get recognized.

security@hpanel.net

Subject: [Bug Bounty] [Severity] — Brief Description