Vulnerability Disclosure Program (VDP)
To help us track and resolve security issues efficiently, please use this form to report any vulnerabilities you discover.
Reports submitted via email will not be reviewed or responded to.
Your efforts are vital in helping us maintain and improve our security. Thank you for your contribution.
Note: According to Section 1.16 of HighLevel's Terms of Service, HighLevel does not offer a monetary reward for reported bugs.
Scope
.gohighlevel.com
.leadconnectorhq.com
Any Websites running on GHL servers
We typically use the CVSS calculator to determine severity.
The following areas are generally considered to be of Critical severity:
1) Remote Code Execution (RCE)
2) Mass Account Takeover
3) File system access
The following areas are generally considered to be of High severity:
1) Privilege escalation (for example, seeing something that should be locked or editing something that shouldn't be editable) or authentication issues
2) Stored Cross-Site Scripting (XSS)
3) Cross-Site Request Forgery (CSRF) on user data
4) Sensitive data sent unencrypted (for example, over HTTP rather than HTTPS)
The following areas are generally considered to be of Medium severity:
1) Vulnerabilities when uploading CSVs
2) User Enumeration
3) Lack of Secure or HttpOnly flags on sensitive cookies
The following areas are generally considered to be of Low severity:
1) Missing cookie flags on cookies
2) Vulnerable software without proof of exploitation
The severity of any submitted vulnerability will be independently assessed and verified by the HighLevel Security Team. HighLevel does not run a bug bounty program; however, it appreciates your contribution for Critical and High severity issues in other possible ways.
Out-of-Scope Vulnerabilities
Clickjacking without impact
MTA-STS not configured
DNSSEC not enabled
Broken links
Reverse tabnabbing
Missing security headers without impact
Misconfigured or missing SPF/DKIM/BIMI records
Missing cross-domain policy file
Publicly available information
Rate limiting issues without demonstrated abuse
Autocomplete enabled on non-sensitive input fields
Version disclosure (e.g., server/software versions in headers)
Use of third-party libraries with no proven exploit path
Cache-control headers missing (without sensitive data exposure)
OPTIONS or TRACE HTTP methods enabled (without abuse)
Stack traces or error messages without sensitive information
Non-exploitable CORS misconfigurations
Missing or invalid robots.txt or sitemap.xml
All forms of Denial of Service are out-of-scope.
Social engineering (e.g., phishing, vishing, smishing) is prohibited.
Lack of Content Security Policy (CSP) without actual exploit
Missing HttpOnly/Secure flags on non-sensitive cookies
Host header injection without security impact
Lack of MFA as a general recommendation
Deprecated or insecure HTML/JS usage without exploitation
UI/UX issues labeled as security (e.g., color contrast, minor layout bugs)