Your Digital Commerce Experts

Bug Bounty

Liquid Web continuously seeks to protect its hosting environment and offer the best service to its customers. We offer a bounty for reporting security vulnerabilities that substantially impact the integrity and confidentiality of user data in our hosting environment. To be eligible for the bounty, you must be the first to report and use the process outlined below. Liquid Web, in its sole discretion, shall determine whether or not to pay a reward and the amount of the reward.

If you believe you have found a security vulnerability impacting an in-scope target (see scope list below), please notify us at When reporting, please respect our customers’ privacy and data. Please include detailed information as guided by the bulleted list below. 

  • The type of security vulnerability.
  • The product, control panel, or infrastructure that contains the security vulnerability.
  • The impact of the security vulnerability.
  • Step-by-step instructions to reproduce the issue.
  • Impact of the security vulnerability including how it can be exploited.
  • Mitigation of the vulnerability if available.

Once submitted, we will contact you to confirm receipt of your report. As we investigate the security vulnerability, we may also ask you for additional information. For the scope listed on this page, the Nexcess security team has 30 days to respond to the report, and up to 90 days to implement a fix based on the severity of the report.

During the investigation into the security vulnerability, we ask that you maintain full confidentiality of the issues and not publicly discuss, imply, or hint at the existence of such vulnerability. Failure to maintain confidentiality will disqualify you from receiving any bounty and disqualify you from future submissions under this program.


At this time, the scope of this program is limited to security vulnerabilities found on Nexcess' website and Nexcess' CRM sites. Vulnerabilities reported on other properties or applications are currently not eligible for monetary reward. High impact vulnerabilities outside of this scope might be considered on a case by case basis.

Currently the following environments are considered in-scope.

Please note that at this time, these following items are not considered in-scope:

The following are strictly prohibited:

  • Denial of Service attacks.
  • Physical attacks against offices and data centers.
  • Social engineering of our service desk, employees or contractors.
  • Compromise of a Nexcess users or employees account.
  • Automated tools or scans, botnet, compromised site, end-clients or any other means of large automated
  • Exploitation or use of a tool that generates a significant volume of traffic
  • Any activity that would disrupt, damage or adversely affect any third-party data or account is not allowed.
  • Please do not mass create accounts to perform testing against Nexcess applications and services. Also do not perform brute force testing to determine whether rate limiting is in place for particular APIs or pieces of functionality.

The following vulnerabilities are out of scope and will not be considered for bounty:

  • Denial of Service
  • Cross site request forgery (CSRF)
  • Cross domain leakage
  • Information disclosure
  • Software version disclosure
  • XSS attacks via POST or headers