WHMCS Blog post


Active Member
Verified Provider
Seems they are making some progress:

Over the last few months, WHMCS has released an unusually high number of security related updates - more than we would have liked or than you would have expected.

We understand the inconvenience that these cause, and their severity.

We have tasked several staff members with doing an internal code audit which is now well underway, and they have already identified a number of items which were addressed in the last release. We plan to continue our internal audit and release further updates as required.

We will also be commissioning at least one additional external security audit, and introducing a Security Bounty Program. External security audits are not something that are new to us, however as a security audit alone is not a guaranteed solution, we will be increasing the frequency of both internal and independent external security audits being performed.

As mentioned above, we will also be launching a Security Bounty Program designed to reward those who find issues in our software and report them to us in a responsible and safe manner. In order to encourage this we will be offering free development licenses to security researchers and monetary rewards of up to $5000 per issue. Further details will be released about this in the near future.

These steps are just the start of our overall plans to proactively address your concerns. As we move forward additional announcements will be made.

We appreciate the trust that you put in us, and we intend to make sure that trust is not misplaced.


Well-Known Member
Verified Provider
Good. I'm still holding on to my Blesta license just in case but now I'm dedicating my time to other projects and can stop working on our Blesta migration. :)


New Member
The thing is, even though they will get tons of audits, I doubt honestly that anything will change.

They can get the audit, be told the solution to fix it, etc., but I doubt they will add it in, knowing WHMCS.