Reporting Vulnerabilities
A guide to informing LiteSpeed of potential security issues
How to Report a Security Issue
At LiteSpeed Technologies, we take security seriously. If you have uncovered a potential vulnerability in one of our websites or software products, please report your findings to [email address not shown]. Such products include LiteSpeed Web Server, LiteSpeed Web ADC, OpenLiteSpeed and others.
Website Vulnerabilities
For our websites, we will only accept vulnerability reports for issues that can affect one of the following:
- Remote Access
- Personal Information Leaks
- Elevated Privileges
All other types of potential vulnerabilities are considered out of scope. Please do not report these to LiteSpeed. Such out-of-scope vulnerabilities include the following:
- Social Engineering attacks
- Account enumeration using brute-force attacks
- Cross-Site Request Forgery
- Weak password policies and password complexity requirements
- Missing HTTP security headers that do not lead to a vulnerability
- Reports from automated tools or scans
- Mail configuration issues including SPF, DKIM, DMARC settings
- Missing DNS records (i.e. CAA)
- Access to default application files
- SSRF & DoS via files
- Clickjacking
Additionally, if you find a general vulnerability with any of the software we use, including Joomla!, WordPress, and WHMCS, the issue should be reported to the software's security team and not to LiteSpeed.
Note
We do not have an official bug bounty program. Financial compensation, if any, for reported vulnerabilities will be at our discretion alone.
Thank you for helping to keep LiteSpeed sites and products secure for all users!