Bug Bounty Program

Liquid Web continuously seeks to protect its hosting environment and offer the best service to its customers. We offer a bounty for reporting security vulnerabilities that substantially impact the integrity and confidentiality of user data in our hosting environment. To be eligible for the bounty, you must be the first to report and use the process outlined below. Liquid Web, in its sole discretion, shall determine whether or not to pay a reward and the amount of the reward.

If you believe you have found a security vulnerability in Liquid Web’s hosting environment, please notify us at bugbounty@liquidweb.com and include detailed information as guided by the bulleted list below. When reporting, please respect our customers’ privacy and data.

  • The type of security vulnerability.
  • The product, control panel, or infrastructure that contains the security vulnerability.
  • The impact of the security vulnerability.
  • Step-by-step instructions to reproduce the issue.
  • Impact of the security vulnerability including how it can be exploited.
  • Mitigation of the vulnerability if available.

Once submitted, we will contact you to confirm receipt of your report. As we investigate the security vulnerability, we may also ask you for additional information. If you do not receive a response from us within 72 hours, please follow up to ensure we received your report.

Currently the following environments are considered in-scope.

  • liquidweb.com
  • www.liquidweb.com
  • api.liquidweb.com
  • cart.liquidweb.com
  • manage.liquidweb.com
  • login.liquidweb.com
  • *.ithemes.liquidweb.com
  • liquidweb mail servers (except *.liquidweb.services)
  • ns.liquidweb.com
  • ns1.liquidweb.com
  • Liquid Web’s Managed WordPress environment

Please note that at this time, the following items are not considered in-scope unless our implementation has resulted in data leakage or account takeover.

  • Third-party software such as Salesforce, Live Chat, or WordPress
  • Configuration and best practices such as SPF/DMARC, CORS, security headers, or insecure SSL/TLS ciphers
  • Denial of Service
  • Information disclosure such as file path, unless it can lead to sensitive info
  • Clickjacking that does not exist in our in-scope web pages
  • Email and account policies such as reset method and password complexity
  • Theoretical XSS or Self-XSS attacks without evidence of exploitability, such as input being reflected in response

Please contact us if you are unsure whether the environment you are testing is in-scope, or if you find anything worth mentioning.

During the investigation into the security vulnerability, we ask that you maintain full confidentiality of the issues and not publicly discuss, imply, or hint at the existence of such vulnerability. Failure to maintain confidentiality will disqualify you from receiving any bounty and disqualify you from future submissions under this program.

Under no circumstances should your testing and reporting of a security vulnerability affect the availability of Liquid Web’s services, violate Liquid Web’s Terms of Service, or disrupt or compromise any data that is not your own. To be eligible for the program, you must not: (i) be a resident of or file a submission from a country against which the United States has issued export sanctions or other trade restrictions (e.g. Cuba, Iran, North Korea, Sudan and Syria), (ii) be employed by Liquid Web, or (iii) be an immediate family member of a person employed by Liquid Web.

We reserve the right to modify the terms of or cancel the program at any time. In addition, this program is void where prohibited by law.