Our Values

Cloudflare appreciates the work of security researchers and takes security, trust, and transparency seriously. This program was developed to make vulnerability reporting easier and to recognize the efforts of all people striving to help make the Internet a better place.

If you believe you have found a security vulnerability that could impact Cloudflare or our users, we encourage you to inform us right away. We will investigate all legitimate reports and do our best to quickly fix the problem.

What we expect from you

By participating in this program, you agree to the following program rules and guidelines in addition to HackerOne's Disclosure Guidelines. Failure to follow these rules will lead to disqualification from the Cloudflare Bug Bounty program.

Program Rules

• You must make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of Cloudflare’s services and products during your research.
• All attacks must be executed against your own Cloudflare Account. You can sign up for a free Cloudflare account and use it for testing.
  • Accounts should be created with a @wearehackerone.com email address.
• Do not perform tests against customers of Cloudflare.
• Once you find a vulnerability, report it and reach out to us before you use the vulnerability to pivot across multiple in-scope assets.
• Make sure that scanners have a narrow scope set that is limited to authorized Cloudflare IPs only. Aggressive, overly broad scans or those which include Cloudflare customer IPs without permission will be considered tests against Cloudflare customers.
• Do not send unsolicited bulk messages (spam) or unauthorized messages.
• Do not knowingly post, transmit, upload, link to, or send any program or script that might be considered malicious.
• If your report is the product of collaboration, please add your collaborators before the bounty is awarded.

Any of the activities below will result in disqualification from the program permanently:

• Testing against Cloudflare customers, partners, service providers, suppliers, or vendors
• Social engineering of Cloudflare employees/contractors, including but not limited to: pre-authenticated clickjacking, phishing, impersonating Cloudflare in emails or convincing customer support to do something on behalf of another user
• Physical attacks against Cloudflare employees/contractors, offices, or data centers
• Executing Denial of Service attacks against Cloudflare

Leaked credentials

Cloudflare appreciates researchers who take time to report leaked credentials. If you discover what looks like valid Cloudflare employee, customer or partner credentials, immediately submit a report to Cloudflare who will determine the validity of the leaked credentials. Please do not attempt to verify the validity of the credentials yourself by attempting to authenticate with the credentials. This makes triage more difficult, and will lead to the report being ineligible for a bounty. Additionally, keep in mind that Cloudflare cannot authorize testing against third-parties. Under no circumstances should you use leaked Cloudflare employee, customer or partner credentials to access non-public information.

Submitting a report

When submitting a report, we expect that researchers:

• Provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
• Provide a realistic attack scenario including prerequisites for an attack and expected gains after the exploitation.
  • Reports without such a scenario, with unrealistic assumptions or without meaningful outcomes will not be eligible for reward.
  • Example: "invite an attacker account into your organization".
• Submit one vulnerability per report, unless you need to chain vulnerabilities in order to demonstrate impact.
• Please avoid salami-style reporting of multiple reports. If you identify the same vulnerability on a subset of our products or multiple similar vulnerabilities on the same products, please submit one holistic report.
• Do not store any Cloudflare IP or PII information once the report is submitted.

Submitting high quality reports is highly encouraged and will speed up the triage and award process. Please address the following bits of information in your report to demonstrate the quality of the vulnerability. Reports that are low quality and unclear will be closed. This recommended format will help you create a report that is in a readable format and contains all the information needed by Cloudflare.

• Affected target, feature, or URL
• Description of a problem
• Impact of an issue
• Steps to reproduce or Proof of Concept
• Is knowledge of this issue currently public?

What you can expect from us

Handling of reports

Cloudflare will make best effort to handle reports within the following time frame. Note that all times are in business days.

Rewards

When duplicates occur, we award only the first report that was received, provided that it can be fully reproduced. If multiple vulnerabilities are caused by one underlying issue, we reserve the right to award only one bounty. All reward decisions are at the sole discretion of Cloudflare.

Mergers and acquisitions

We encourage and appreciate researchers who report vulnerabilities in new Cloudflare products coming through mergers and acquisitions. However, findings are eligible for rewards at Cloudflare's sole discretion.

Big Bonanza

We're excited to announce an exclusive opportunity for our top-tier talent! Researchers who demonstrate excellence by submitting 2 valid critical severity reports or 4 valid high severity reports can request entry into our prestigious Cloudflare VIP Program.

As a member of the VIP program, you’ll unlock:

✨ Access to enterprise features! ✨ Exclusive access to test our cutting-edge Beta products ✨ Opportunity to participate in special bug bounty campaigns ✨ Higher bounty payouts and more!

Join our VIP program and take your bug hunting to the next level!

Disclosure

Cloudflare strongly supports coordinated disclosure. Our pledge to you, a vulnerability reporter, is to respond promptly and to fix the vulnerability in the sensible timeframe and in exchange we ask you to coordinate the disclosure with us.

Cloudflare aims to resolve all the vulnerabilities within the 90 days and we ask you not to disclose the information before that time. If we won’t be able to uphold that commitment on our end, we will let you know (but the decision if you would like to publish after the 90 days will be yours).

For some of the submissions we might decide not to treat it as vulnerability or not to issue a bounty. Still, we would like you to coordinate the disclosure with us so we are prepared for it.

Often we decide on the payout before the vulnerability is fixed so the reward is not a payment for your silence. Still, we really want to have a chance to fix the vulnerability before it can be used by a malicious actor. For this reason we ask you to let us know about any plans you might have regarding plans to present your findings in any way (like blog posts, articles, conference presentations etc.)

At the end of the day the decision on what to disclose and when to disclose it is yours and we would like to support you so feel free to share any drafts of your presentation or article before the publishing so we can even provide some feedback or share it with internal teams.

We have to mention however, that any actions done in bad faith might result in excluding malicious reporters from the program or, in case of disclosing Cloudflare or Cloudflare customers’ information (like PII, or other sensitive information) might even force us to take legal actions.

Privacy Policy, Restrictions and Taxes

Cloudflare maintains both a privacy policy and transparency report. As mentioned in our Privacy Policy, Cloudflare's website and services are not intended for, or designed to attract individuals under the age of 18. Due to the Children's Online Privacy Protection Act (COPPA), we cannot accept submissions from children under the age of 13. Reporters under the age of 18 will not be eligible to receive Cloudflare service rewards.

This program is not open to any individual on, or anyone residing in any country on, any U.S. sanctions lists. Cloudflare employees and their family members are not eligible for bounties.

The decision to pay a reward is entirely at our discretion. You must not violate any law. You are responsible for any tax implications or additional restrictions depending on your country and local law. We reserve the right to cancel this program at any time.

Mediation

Cloudflare encourages hackers to Request Mediation directly on the reports when they feel the program does not honor commitments made on the policy page. Please provide as much context and reasoning for requesting mediation. Please refer to https://docs.hackerone.com/en/articles/8466617-hacker-mediation for when and how to request mediation from HackerOne.

If you still feel dissatisfied or do not receive a response within 30-60 days, depending on the severity of your report, please escalate to the internal Cloudflare team via [email protected].