Liquid Web Family of Brands Bug Bounty Program
Liquid Web continuously seeks to protect its hosting environment and offer the best service to its customers. We offer a bounty for reporting security vulnerabilities that substantially impact the integrity and confidentiality of user data in our hosting environment. We also encourage researchers to submit reports not explicitly outlined in out of scope environments below. Liquid Web, in its sole discretion, shall determine its eligibility, severity, and amount of the reward.
I. In Scope
Currently the following environments are considered in-scope. Any subdomain not specified below is strictly prohibited. A domain listed without a subdomain refers to the naked domain only, and not its subdomains, unless otherwise specified.
1 Liquid Web:
- applications hosted on Liquid Web’s GitHub
- Liquid Web email servers
- Liquid Web’s Managed WordPress environment
2 Nexcess and Interworx:
- Nexcess Cloud Managed Environment
- applications hosted on Nexcess’ GitHub
- Nodeworx and siteworx
3. Future Hosting:
- WordPress plugins and themes including and not limited to the following:
- iThemes Security Pro
- Kadence WP
- Restrict Content Pro
- iThemes Sync
5. The Events Calendar:
- Applications hosted on the-events-calendar's GitHub
- All WordPress plugins
- All WordPress plugins
7. StellarWP products and environments including but not limited to the following:
II. Out of Scope
Note that these following items will not be eligible for bounty unless our implementation has resulted in data leakage or account takeover. Generally anything out of Liquid Web’s control is out of scope, such as our Jira instance hosted on atlassian.net, but we will accept reports regarding our settings that resulted in leakage of sensitive information. Please contact us if you are unsure whether or not an environment is eligible.
This list will be updated from time to time, please review before your engagements.
- Third-party software such as Salesforce, Discourse, Happyfox, or WordPress core.
- High severity CVE’s within the last 6 months.
- 0day exploits unless the product is made by Liquid Web brands.
- Configuration and best practices such as SPF/DMARC, missing security headers including CSP, or insecure SSL/TLS ciphers that do not lead to an exploit.
- Information disclosure such as software version, file path, email or IP addresses.
- PoC that solely rely on DNS lookup or HTTP request from tools such as Burp collaborator or webhook.site.
- Lack of Secure/HTTPOnly flags and CSRF tokens on non-sensitive pages (anonymous form or logout page).
- Clickjacking that does not exist in our in-scope pages.
- Cross domain leakage.
- Open redirects, unless the impact is high.
- Email and account policies such as reset method and password complexity.
- Theoretical XSS or Self-XSS attacks without evidence of exploitability, such as input being reflected in response.
- Exploits that require physical access to victim’s device.
- Demo and testing sites.
The following are strictly prohibited:
- Do not leave any system in an unusable state. Simply leaving a text file to demonstrate you have access to the system is sufficient.
- Do not test any domain or subdomains not listed above unless authorized.
- Do not perform denial of service attacks including testing of rate limits and brute force.
- Do not perform physical attacks against our offices and data centers.
- Do not perform social engineering of our service desk, employees or contractors.
- Do not compromise our users and employee accounts, including interacting with accounts you do not own.
- Do not exfiltrate any data.
- Do not mass create accounts or services.
Automated scanning tools such as Burp, Zap, Nessus, OpenVAS etc. are allowed. However, we do not accept reports generated from scanning tools. Please also be mindful of denial of service when using those tools.
III. Submitting Reports
To submit a bug bounty report, please review the following information carefully, and send your report to firstname.lastname@example.org, including detailed information as guided by the bulleted list below. Only one vulnerability per submission. By submitting a report, you represent and warrant that the submission is original and have the right to its content. Please make sure to redact private and identifiable information such as credit card number, password, address etc.
- The type of security vulnerability in the subject.
- The in-scoped environment that contains the security vulnerability.
- The impact of the security vulnerability.
- Step-by-step textual instructions to reproduce the issue. Video only submission will not be considered.
- Mitigation of the vulnerability if available.
Once submitted, we will contact you to confirm receipt of your report. As we investigate the security vulnerability, we may also ask you for additional information. If you do not receive a response from us within 72 hours, please follow up to ensure we received your report. Once the vulnerability is confirmed, you will receive a bug bounty ID for reference.
During the investigation into the security vulnerability, we ask that you maintain full confidentiality of the issues and not publicly discuss, imply, or hint at the existence of such vulnerability. Failure to maintain confidentiality will disqualify you from receiving any bounty and disqualify you from future submissions under this program. To be eligible for reward, you must be the first person to disclose the vulnerability. You may publish your findings once the bug is confirmed and a solution is implemented, with Liquid Web’s information redacted.
Under no circumstances should your testing and reporting of a security vulnerability affect the availability of Liquid Web’s services, violate Liquid Web’s Terms of Service, or disrupt or compromise any data that is not your own. To be eligible for the program, you must not: (i) be a resident of or file a submission from a country against which the United States has issued export sanctions or other trade restrictions (e.g. Cuba, Iran, North Korea, Sudan and Syria), (ii) be employed by Liquid Web, or (iii) be an immediate family member of a person employed by Liquid Web.
Liquid Web reserves the right to modify the terms of or cancel the program at any time. In addition, this program is void where prohibited by law.