Cloudflare Launches Public Bug Bounty Program

Web performance and security services provider Cloudflare this week announced that its bug bounty program is now open to all vulnerability hunters on HackerOne.

The company has had a private bounty program running on HackerOne since 2018, but created its responsible disclosure policy four years before that, to help security researchers submit vulnerability reports.

While there were no cash bounties offered as part of the vulnerability disclosure program, the private bug bounty program on HackerOne did reward eligible reports, and the web security platform considers it a success.

In 2018, after launching the program, the company paid $4,500 in bug bounty rewards, and the amount went up to $101,075 in 2021. To date, Cloudflare has handed out more than $210,000 in bug bounty payouts to the participating security researchers.

HackerOne community members interested in participating in Cloudflare’s program can earn as much as $3,000 for critical vulnerabilities discovered in primary targets. The maximum bounty amounts for critical flaws in secondary and other targets are $2,700 and $2,100, respectively.

Cloudflare products in scope of the program as primary targets include Stream, resolver, Android and iOS apps, Magic Transit, Cloudflare Pages, Cloudflare Workers, Argo/Argo tunnel, Spectrum, Load Balancing, AMP Real URL, CDNJS, Bot Management, Cloudflare Marketplace (platform only), WAF, and Cloudflare for Teams.

“We started the program [in 2018] by inviting a few researchers and slowly added more over time. This helped us fine-tune our policies and documentation and create a more scalable vulnerability management process internally,” the company says.

To help with the vulnerability hunting process, the company created CumulusFire, a website to showcase product features that are usually available to paying customers. The site not only allows researchers to test their exploits, but also helps the company’s security team reproduce them.

“Just as we grew our private program, we will continue to evolve our public bug bounty program to provide the best experience for researchers. We aim to add more documentation, testing platforms and a way to interact with our security teams so that researchers can be confident that their submissions represent valid security issues,” Cloudflare concludes.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.