Web performance and security services provider Cloudflare this week announced that its bug bounty program is now open to all vulnerability hunters on HackerOne.
The company has had a private bounty program running on HackerOne since 2018, but created its responsible disclosure policy four years before that, to help security researchers submit vulnerability reports.
While there were no cash bounties offered as part of the vulnerability disclosure program, the private bug bounty program on HackerOne did reward eligible reports, and the web security platform considers it a success.
In 2018, after launching the program, the company paid $4,500 in bug bounty rewards, and the amount went up to $101,075 in 2021. To date, Cloudflare has handed out more than $210,000 in bug bounty payouts to the participating security researchers.
HackerOne community members interested in participating in Cloudflare’s program can earn as much as $3,000 for critical vulnerabilities discovered in primary targets. The maximum bounty amounts for critical flaws in secondary and other targets are $2,700 and $2,100, respectively.
Cloudflare products in scope of the program as primary targets include Stream, 18.104.22.168 resolver, 22.214.171.124/WARP Android and iOS apps, Magic Transit, Cloudflare Pages, Cloudflare Workers, Argo/Argo tunnel, Spectrum, Load Balancing, AMP Real URL, CDNJS, Bot Management, Cloudflare Marketplace (platform only), WAF, and Cloudflare for Teams.
“We started the program [in 2018] by inviting a few researchers and slowly added more overtime. This helped us fine tune our policies and documentation and create a more scalable vulnerability management process internally,” the company says.
To help with the vulnerability hunting process, the company created CumulusFire, a website to showcase product features that are usually available to paying customers. The site not only allows researchers to test their exploits, but also helps the company’s security team reproduce them.
“Just as we grew our private program, we will continue to evolve our public bug bounty program to provide the best experience for researchers. We aim to add more documentation, testing platforms and a way to interact with our security teams so that researchers can be confident that their submissions represent valid security issues,” Cloudflare concludes.