Cloudflare appreciates the work of security researchers, and we take security, trust, and transparency seriously. We developed a program to make it easier to report vulnerabilities to Cloudflare and to recognize you for your efforts to make the Internet a better place.
For research into our products, good starting points include our Developer documentation, API documentation, the Learning Center, and any material on the Cloudflare support forums.
Cloudflare awards bounties based on severity using the Common Vulnerability Scoring System (CVSS) version 3.
Please note that these are general guidelines for rewards, and that reward decisions are at the discretion of Cloudflare. Issues may receive a lower severity rating due to mitigating factors, Cloudflare’s assessment of business risk, or other context. All pricing is in USD.
| Severity | Critical (9.0 - 10.0) | High (7.0 - 8.9) | Medium (4.0 - 6.9) | Low (0.1 - 3.9) |
| --- | --- | --- | --- | --- |
| Primary Targets | $3,000 | $1,000 | $500 | $250 |
| Secondary Targets | $2,700 | $750 | $350 | $200 |
| Other | $2,100 | $500 | $200 | $100 |
Note: WAF Bypasses may be awarded up to $50 at the program's discretion.
First Response: 2 days
Time to Triage: 2 days
Time to Bounty: 10 days
Time to Resolution: depends on severity and complexity
If your report is the product of collaboration, please add your collaborators before a bounty is awarded. Let us know here if you have questions!
By participating in this program, you agree to not discuss or otherwise disclose your ongoing work under this program or any vulnerabilities with parties outside of the program without explicit consent from Cloudflare, except as provided below.
Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward. Eligibility for rewards is at Cloudflare’s sole discretion.
Submit one vulnerability per report, unless you need to chain vulnerabilities in order to demonstrate impact.
Once you find a vulnerability, report it and reach out to us before pivoting.
When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
Multiple vulnerabilities caused by one underlying issue will be awarded only one bounty.
Do not store any Cloudflare IP or PII information once the report is submitted.
Please see our classifications for primary targets and secondary targets. We may still reward reports with significant security impact on anything owned by Cloudflare, so we encourage you to report such bugs via this program.
Products listed under the Cloudflare Products tab on our website are in scope as a primary target, excluding our China network which is hosted by a partner. Current in scope products include:
1.1.1.1/WARP Android and iOS apps
AMP Real URL
CDNJS
Cloudflare Marketplace (platform only)*
*Cloudflare Marketplace scope only covers the platform for browsing and enabling apps onto customer zones. Issues with apps on the marketplace that are created by third parties are out of scope, but may be reviewed on a case-by-case basis at Cloudflare's discretion.
dash.cloudflare.com
APIs listed on api.cloudflare.com
*.cloudflare.com (e.g. blog.cloudflare.com, www.cloudflare.com, community.cloudflare.com, etc.)
Open source products created by Cloudflare (github.com/cloudflare)
Secondary targets: anything owned by Cloudflare not listed in primary targets (e.g. cloudflareworkers.com, rpki.cloudflare.com, etc.)
Cloudflare does not consider the following to be eligible vulnerabilities under this program. In most cases, these issues will be closed as Not Applicable:
The entire purpose of Workers is to allow customers to run their own JavaScript, called from their website. As a consequence, it will be possible for visitors to the site to explicitly call those functions. However, Workers runs in an iframe sandbox, disconnected from the rest of the customer's website. XSS attacks only impact security if they can run in the context of dash.cloudflare.com or any domain where it affects the currently logged-in Cloudflare user.
(https://sites.google.com/site/bughunteruniversity/nonvuln/xss-in-sandbox-domain)
A vulnerability is out of scope if it exists on the origin server and not in a service that Cloudflare provides. If an exploit relies on the reporter configuring their origin in an insecure and non-default/uncommon way (for example, cache poisoning or subdomain takeovers that stem from the origin's own configuration), we cannot fix the vulnerability.
Any form of social engineering attack will be considered out of scope. For example:
Pre-authenticated Clickjacking
Phishing
Impersonating Cloudflare in emails
Convincing customer support to do something on behalf of another user
We consider WAF bypasses an enhancement to our WAF product rather than bugs, and any related reports will be closed out as Informational. All WAF bypass reports need to be reproducible on our test site https://waf.cumulusfire.net/xss. You are free to use this site for testing.
We consider fixes for reported broken links, including links to abandoned cloud resources, as enhancements to our products and websites rather than bugs. Reports of broken links will not be awarded. Cloud resource takeovers will be awarded a payout of $50 unless an actual vulnerability is demonstrated by a proof-of-concept. If a PoC is provided, it will be awarded in accordance with the standard rewards table.
We will accept out of scope reports and evaluate them on a case-by-case basis in our sole discretion.
The following issues are considered out of scope:
Clickjacking on pages with no sensitive actions.
Unauthenticated logout/login CSRF.
Attacks requiring MITM or physical access to a user's device.
Subdomain takeovers under *.cdn.cloudflare.net
Previously known vulnerable libraries without a working Proof of Concept.
Comma Separated Values (CSV) injection without demonstrating a vulnerability.
Missing Best Practice, Configuration or Policy Suggestions including SSL/TLS configurations.
Any activity that could lead to the disruption of our service (DoS).
Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.
Output from Automated Scanners without a PoC to demonstrate a specific vulnerability.
Lack of Secure or HttpOnly flag on non-sensitive cookies.
Email configuration issues without a PoC to demonstrate a specific flaw.
Broken links without demonstrating an attack.
Note: We have identified a problem in our sanitization library on dash.cloudflare.com which can cause XSS. We are aware of the issue and are working to fix it. We will not award bounties for XSS reported on dash.cloudflare.com as it would be a duplicate report. Thank you to the researchers who originally reported this issue. This note will be removed once the issue is fixed.
Note: Mobile SDK is a product that we are sunsetting. Bounty for reports on this product will be awarded on a case-by-case basis at our sole discretion.
Any of the activities below will result in disqualification from the program permanently:
Social engineering of Cloudflare employees, contractors, vendors, or service providers.
Physical attacks against Cloudflare employees, offices, and data centers.
Any Denial of Service attacks against Cloudflare and our products.
Any vulnerability obtained through the compromise of a Cloudflare customer or employee account. Please create a free account to test potential vulnerabilities.
Attempts to access/compromise customer assets that use Cloudflare.
Attempts to access/compromise Cloudflare's China network.
Attempts to access/compromise any 3rd party vendor that Cloudflare uses.
Attacks against the integrity of Cloudflare customers.
Please be considerate when testing our infrastructure. Failure to follow these guidelines will lead to disqualification from the Cloudflare Bug Bounty program.
Make sure that scanners have a narrow scope set that is limited to authorized Cloudflare IPs only. Aggressive, overly broad scans or those which include Cloudflare customer IPs without permission will be considered invalid.
Do not send unsolicited bulk messages (spam) or unauthorized messages.
Do not knowingly post, transmit, upload, link to, or send any malware.
Do not attack Cloudflare customers, partners or suppliers.
Testing should be done from a Cloudflare account associated with your @wearehackerone.com email address.
If you believe you have found a security vulnerability that could impact Cloudflare or our users, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. We ask that you follow Cloudflare's Vulnerability Disclosure Policy and HackerOne's Disclosure Guidelines and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research.
Submitting high quality reports is highly encouraged. Please address the following items in your report to demonstrate the quality of the vulnerability. Reports that are low quality and unclear will be closed. This recommended format will help you create a report that is readable and contains all the information needed by Cloudflare.
Affected target, feature, or URL:
Description of problem:
Impact of the issue:
Steps to reproduce:
Proof of Concept:
Is knowledge of this issue currently public?
In order for your submission to be eligible:
You must agree to this policy.
You must be the first person to responsibly disclose an unknown issue.
Follow the testing guidelines set above.
All attacks must be executed against your own test environment. You can sign up for a free Cloudflare account and use it for testing. DO NOT ATTACK CLOUDFLARE'S CUSTOMERS.
All legitimate reports will be reviewed and assessed by Cloudflare's security team to determine eligibility.
We permit you to disclose your research publicly, subject to our review and approval, once the issue has been resolved or 90 days has passed, whichever comes first. If you are planning to share information about your research publicly at a conference, in a blog, or any other public forum, you agree to share a draft with us for review and approval at least 7 days prior to the publication date. The following cannot be included in your publication:
Data regarding any Cloudflare customer instances
Cloudflare customers' data
Information about Cloudflare employees, contractors or partners
Cloudflare maintains both a privacy policy and transparency report.
As mentioned in our Privacy and Security Policy, Cloudflare's website and services are not intended for, or designed to attract individuals under the age of 18. Due to the Children's Online Privacy Protection Act (COPPA), we cannot accept submissions from children under the age of 13. Reporters under the age of 18 will not be eligible to receive Cloudflare service rewards. We may find another way to recognize your effort at our discretion.
This program is not open to any individual on, or anyone residing in any country on, any U.S. sanctions lists. Cloudflare employees and their family members are not eligible for bounties.
The decision to pay a reward is entirely at our discretion. You must not violate any law. You are responsible for any tax implications or additional restrictions depending on your country and local law. We reserve the right to cancel this program at any time.
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we may take steps to make it known that your actions were conducted in compliance with this policy in our sole discretion. Cloudflare cannot authorize any activity on third-party products or guarantee they won’t pursue legal action against you. We aren’t responsible for your liability from actions performed on third parties.
| Scope Type | Scope Name |
| --- | --- |
| other | Cloudflare Pages |
| other | Magic Transit |
| other | Argo Tunnel |
| other | Spectrum |
| other | Load Balancing |
| other | Bot Management |
| other | Cloudflare for Teams |
| other | Open source tools from Cloudflare |
| other | CDNJS |
| other | WARP Mobile Apps |
| other | Cloudflare Access |
| other | Stream |
| other | Cloudflare D1 |
| other | Cloudflare R2 |
| web_application | dash.cloudflare.com |
| web_application | *.cloudflare.com |
| web_application | api.cloudflare.com |
| web_application | cloudflare.com/apps/ |
| web_application | cloudflareworkers.com |
| web_application | *.teams.cloudflare.com |
| web_application | 1.1.1.1 Resolver |
| web_application | github.com/cloudflare |
| Scope Type | Scope Name |
| --- | --- |
| other | Area 1 |
| web_application | support.cloudflare.com |
This program was found on HackerOne on 2014-04-21.
FireBounty © 2015-2024