Cloudflare appreciates the work of security researchers and we take security, trust, and transparency seriously. We developed a program to make it easier to report vulnerabilities to Cloudflare and to recognize you for your efforts to make the Internet a better place.
Cloudflare runs a private bug bounty program. If you submit a valid report on bounty-eligible assets through our disclosure program, we will transfer your report to our bug bounty program and invite you as a participant.
All Cloudflare products are in scope for reporting. We may reward anything with significant impact across our entire security posture, so we encourage you to report such bugs via this program.
The following issues are considered out of scope:
Please be considerate when testing our infrastructure.
We consider WAF XSS bypasses an enhancement to our WAF product rather than bugs, and such reports will be closed out as Informational. Any WAF XSS bypass reported needs to be reproducible on our test site https://waf.cumulusfire.net/xss. You are free to use this site for testing.
If you believe you have found a security vulnerability that could impact Cloudflare or our users, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. We ask that you follow Cloudflare's Vulnerability Disclosure Policy and HackerOne's Disclosure Guidelines and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research.
Submitting high quality reports is highly encouraged. Please address the following bits of information in your report to demonstrate the quality of the vulnerability. Reports that are low quality and unclear will be closed. This recommended format will guarantee that your report is in a readable format and contains all the information needed by Cloudflare.
In order for your submission to be eligible:
All legitimate reports will be reviewed and assessed by Cloudflare's security team to determine whether they are eligible.
As mentioned in our Privacy and Security Policy, Cloudflare's website and services are not intended for, or designed to attract, individuals under the age of 18. Due to the Children's Online Privacy Protection Act (COPPA), we cannot accept submissions from children under the age of 13. Reporters under the age of 18 will not be eligible to receive Cloudflare service rewards. We will find another way to recognize your effort.
This program is not open to any individual on, or residing in any country on, any U.S. sanctions lists.
The decision to pay a reward is entirely at our discretion. You must not violate any law. You are responsible for any tax implications or additional restrictions depending on your country and local law. We reserve the right to cancel this program at any time. Cloudflare employees and their family members are not eligible for bounties.
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
You are responsible for paying any taxes associated with rewards. We may modify the terms of this program or terminate this program at any time, but we won’t apply any changes we make to these program terms retroactively. Reports from individuals who we are prohibited by law from paying are ineligible for rewards. Cloudflare employees and their family members are not eligible for bounties.
This program was found on HackerOne on 2014-04-21.