
Cloudflare Launches Public Bug Bounty Program

Web performance and security services provider Cloudflare this week announced that its bug bounty program is now open to all vulnerability hunters on HackerOne.


The company has had a private bounty program running on HackerOne since 2018, but created its responsible disclosure policy four years before that, to help security researchers submit vulnerability reports.

While there were no cash bounties offered as part of the vulnerability disclosure program, the private bug bounty program on HackerOne did reward eligible reports, and the web security platform considers it a success.

In 2018, after launching the program, the company paid $4,500 in bug bounty rewards, and the amount went up to $101,075 in 2021. To date, Cloudflare has handed out more than $210,000 in bug bounty payouts to the participating security researchers.


HackerOne community members interested in participating in Cloudflare’s program can earn as much as $3,000 for critical vulnerabilities discovered in primary targets. The maximum bounty amounts for critical flaws in secondary and other targets are $2,700 and $2,100, respectively.

Cloudflare products in scope of the program as primary targets include Stream, resolver, Android and iOS apps, Magic Transit, Cloudflare Pages, Cloudflare Workers, Argo/Argo tunnel, Spectrum, Load Balancing, AMP Real URL, CDNJS, Bot Management, Cloudflare Marketplace (platform only), WAF, and Cloudflare for Teams.

“We started the program [in 2018] by inviting a few researchers and slowly added more over time. This helped us fine-tune our policies and documentation and create a more scalable vulnerability management process internally,” the company says.

To help with the vulnerability hunting process, the company created CumulusFire, a website to showcase product features that are usually available to paying customers. The site not only allows researchers to test their exploits, but also helps the company’s security team reproduce them.

“Just as we grew our private program, we will continue to evolve our public bug bounty program to provide the best experience for researchers. We aim to add more documentation, testing platforms and a way to interact with our security teams so that researchers can be confident that their submissions represent valid security issues,” Cloudflare concludes.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
