Cloudinary is a SaaS/API provider that streamlines a website's entire image management pipeline. Cloudinary strives to be the standard for online images acquisition, manipulation and delivery.

Using Cloudinary you can easily move all your website’s images and other assets to the cloud. Automatically perform smart image resizing, cropping, merging, overlay, watermark, apply effects, rotations and perform format conversions. All this without installing any complex software. Integrate Facebook, Twitter, Google+ and Gravatar profile image extraction in a snap, fetch images from any online resource in any dimension and style to match your website’s graphics requirements, and much more. Simply put, if you have images in your web or mobile app, let Cloudinary manage them for you.

Cloudinary offers comprehensive APIs and administration capabilities and is easy to integrate with any web application. To simplify integration further we also have client libraries for Ruby on Rails, Python/Django, PHP, .NET, Node.js and more. In addition, alternative integration methods allow non-developers, bloggers and website administrators to enjoy Cloudinary with nearly zero code changes.

For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.

We are particularly interested and will consider extraordinary submissions around:

  • Major exposures around customer data leak
  • Issues that result in full compromise of a system (RCE, etc.)
  • Business logic bypasses resulting in significant impact
  • Major operational failure

Reward range

Last updated 16 Mar 2020 18:41:17 UTC

Technical severity | Reward range
P1 Critical | $500 - $1,500
P2 Severe | $300 - $500
P3 Moderate | Up to $300

P4 are only eligible to receive kudos points. P5 submissions do not receive any rewards for this program.


In scope

Target name | Type
<> | Website
<> | API
<> | API | Website

Out of scope

Target name | Type
<> | Website | Website

Testing is only authorized on the targets listed as In-Scope. Any domain/property of Cloudinary not listed in the targets section is out of scope. This includes any/all subdomains not listed above. If you believe you've identified a vulnerability on a system outside the scope, please reach out to before submitting.


Please check out our full documentation for feature explanation, what's possible, and our API docs here:


You must use your @bugcrowdninja email address to set up your Cloudinary account. The main reason for doing so is that in case of need, our team will know you’re from Bugcrowd and have no malicious intentions.
For more info regarding @bugcrowdninja email addresses, see here.

Focus Areas

  • (admin and upload apis)
  • (delivery CDN)
  • (upload widget UI)


  • Do not test UI widgets posting feedback (“Tell us what you think” form) to
  • Cloudinary has built-in functionality to fetch remote URLs to read remote files into the system, via fetch URL (, via the upload API's URL parameter ( and in other places in the API. This functionality, used as intended, will not be considered an SSRF vulnerability when it allows access to external servers, even though it could be used to anonymously scan other web servers for vulnerabilities or for open ports other than common web ports. We will accept disclosures that show how this functionality can be used to access internal networks, or external services, with significant security or DoS impact.
  • Support tickets (due to the load on our support teams, please DO NOT perform any testing on, or create any, support tickets)
  • Social engineering / phishing

Safe Harbor:

When conducting vulnerability research according to this policy, we consider this research to be:

  • Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
  • Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
  • Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
  • Lawful, helpful to the overall security of the Internet, and conducted in good faith.
  • You are expected, as always, to comply with all applicable laws.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through this program, or inquire via before going any further.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.

The program has been crawled by Firebounty on 2019-05-17 and updated on 2020-04-23; 71 reports have been received so far.
