Cloudinary is a SaaS/API provider that streamlines a website's entire image management pipeline. Cloudinary strives to be the standard for online image acquisition, manipulation and delivery.
Using Cloudinary you can easily move all your website's images and other assets to the cloud. Cloudinary automatically performs smart image resizing, cropping, merging, overlays, watermarking, effects, rotations and format conversions, all without installing any complex software. Integrate Facebook, Twitter, Google+ and Gravatar profile image extraction in a snap, fetch images from any online resource in any dimension and style to match your website's graphics requirements, and much more. Simply put, if you have images in your web or mobile app, let Cloudinary manage them for you.
Cloudinary offers comprehensive APIs and administration capabilities and is easy to integrate with any web application. To simplify integration further we also have client libraries for Ruby on Rails, Python/Django, PHP, .NET, Node.js and more. In addition, alternative integration methods allow non-developers, bloggers and website administrators to enjoy Cloudinary with nearly zero code changes.
For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher, along with the opportunity to appeal and make a case for a higher priority.
We are particularly interested and will consider extraordinary submissions around:
Last updated 17 Apr 2019 17:59:07 UTC
Technical severity | Reward range
P1 Critical | $1,000 - $2,500
P2 Severe | $300 - $1,000
P3 Moderate | $100 - $300
P4 submissions are only eligible to receive kudos points. P5 submissions do not receive any rewards for this program.
Target name | Type
<https://cloudinary.com/console> | Website
<https://api.cloudinary.com> | API
<https://res.cloudinary.com> | API
widget.cloudinary.com | Website
Target name | Type
<https://support.cloudinary.com> | Website
wiki.cloudinary.com | Website
Testing is only authorized on the targets listed as In-Scope. Any domain/property of Cloudinary not listed in the targets section is out of scope. This includes any and all subdomains not listed above. If you believe you've identified a vulnerability on a system outside the scope, please reach out to firstname.lastname@example.org before submitting.
Please check out our full documentation for feature explanation, what's possible, and our API docs here: https://cloudinary.com/documentation
You must use your @bugcrowdninja email address to set up your Cloudinary account. The main reason for doing so is that, in case of need, our team will know you're from Bugcrowd and have no malicious intentions.
For more info regarding @bugcrowdninja email addresses, see here.
When conducting vulnerability research according to this policy, we consider this research to be:
If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through this program, or inquire via email@example.com before going any further.
This program follows Bugcrowd’s standard disclosure terms.
This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.
Contact us if you want more information.