Cloudflare Vulnerability Disclosure Policy

We take security, trust, and transparency seriously. Cloudflare appreciates the work of security researchers and has developed a program to make it easier to report vulnerabilities to Cloudflare and to recognize you for your effort to make the Internet a better place.

If you believe you have found a security vulnerability that could impact Cloudflare or our users, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. We ask that you follow Cloudflare's Vulnerability Disclosure Policy and HackerOne's Disclosure Guidelines and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research.

Submitting high quality reports is highly encouraged. A high quality report is one that explains the vulnerability in detail, identifies its impact and, most importantly, includes steps or a "proof of concept" that allows us to reproduce the issue.

Very low quality reports such as those which only contain automated output will be rejected.

DO NOT submit the following as they will also be rejected:

  • Missing Best Practice, Configuration or Policy Suggestions
  • Output from Automated Scanners without a PoC to demonstrate a specific vulnerability
  • Any domains other than *
  • Logout Cross Site Request Forgery
  • Lack of Secure or HttpOnly flag on non-sensitive cookies
  • Email configuration issues without a PoC to demonstrate a specific flaw


Any web properties owned by Cloudflare are in scope for the program.

  • *

Customers of Cloudflare, or non Cloudflare sites behind our infrastructure are out of scope.

Finally, if you are a customer and have a password or account issue, please contact Cloudflare support. For abuse issues or law enforcement inquiries, please review our Abuse policy.

Recommended Report Format

Please address the following bits of information in your report. Reports that are low quality and unclear will be closed. This recommended format will guarantee that your report is in a readable format and contains all information needed by Cloudflare.

  • Affected target, feature, or URL:
  • Description of problem:
  • Impact of the issue:
  • Steps to reproduce:
  • Proof of Concept:
  • Is knowledge of this issue currently public?

Eligibility and Disclosure

In order for your submission to be eligible:

  • You must agree to our Vulnerability Disclosure Policy.
  • You must be the first person to responsibly disclose an unknown issue.

All legitimate reports will be reviewed and assessed by Cloudflare's security team to determine if they are eligible.

Guidelines for testing

Please be considerate when testing our infrastructure. Failure to follow these guidelines will lead to disqualification from the Cloudflare bug bounty program.

  • Make sure that scanners have a narrow scope set that is limited to authorized Cloudflare IPs only. Aggressive, overly broad scans or those which include Cloudflare customer IPs without permission will be considered invalid.

  • Do not send unsolicited bulk messages (spam) or unauthorized messages.

  • Do not knowingly post, transmit, upload, link to, or send any malware.
  • Do not attack Cloudflare customers, partners or suppliers.

Additionally, the following conditions are out of scope for the vulnerability disclosure program. Any of the activities below will result in disqualification from the program permanently.

  • Social engineering of Cloudflare employees, contractors, vendors, or service providers.
  • Physical attacks against Cloudflare employees, offices, and data centers.
  • Any vulnerability obtained through the compromise of a Cloudflare customer or employee account. If you need to test a vulnerability, please create a free account.
  • Being an individual on, or residing in any country on, any U.S. sanctions lists.

Privacy Policy, Restrictions and Taxes

Cloudflare's privacy policy can be found here: __
Cloudflare's transparency report can be found here: __

As mentioned in our Privacy and Security Policy, Cloudflare's website and services are not intended for, or designed to attract, individuals under the age of 18. Due to the Children's Online Privacy Protection Act (COPPA), we cannot accept submissions from children under the age of 13. Reporters under the age of 18 will not be eligible to receive Cloudflare service rewards. We will find another way to recognize your effort.
This program is not open to any individual on, or residing in any country on, any U.S. sanctions lists.
The decision to pay a reward is entirely at our discretion. You must not violate any law. You are responsible for any tax implications or additional restrictions depending on your country and local law. We reserve the right to cancel this program at any time.
