Cloudflare Vulnerability Disclosure - Vulnerability Disclosure Progra…

archived 1 Jan 2022 04:41:08 UTC

Cloudflare Vulnerability Disclosure

Reports resolved: 155
Vulnerability Disclosure Program, launched Apr 2014, managed by HackerOne
Policy

Our Values

Cloudflare appreciates the work of security researchers and we take security, trust, and transparency seriously. We developed a program to make it easier to report vulnerabilities to Cloudflare and to recognize you for your efforts to make the Internet a better place.
For research into our products, good starting points include our Developer documentation, API documentation, the Learning Center, and any material on the Cloudflare support forums.

Private Bug Bounty Program

Cloudflare runs a private bug bounty program. If you submit a valid report on bounty-eligible assets through our disclosure program, we will transfer your report to our bug bounty program and invite you as a participant.

Scope

All Cloudflare products are in scope for reporting. We may reward anything with significant impact across our entire security posture, so we encourage you to report such bugs via this program.

Out of Scope

The following issues are considered out of scope:
  • Clickjacking on pages with no sensitive actions.
  • Unauthenticated logout/login CSRF.
  • Attacks requiring MITM or physical access to a user's device.
  • Subdomain takeovers under *.cdn.cloudflare.net.
  • Previously known vulnerable libraries without a working Proof of Concept.
  • Comma Separated Values (CSV) injection without demonstrating a vulnerability.
  • Missing Best Practice, Configuration or Policy Suggestions including SSL/TLS configurations.
  • Any activity that could lead to the disruption of our service (DoS).
  • Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS.
  • Output from automated scanners without a PoC that demonstrates a specific vulnerability.
  • Lack of the Secure or HttpOnly flag on non-sensitive cookies.
  • Email configuration issues (e.g. SPF/DMARC) without a PoC that demonstrates a specific flaw.
  • Social engineering of Cloudflare employees, contractors, vendors, or service providers.
  • Physical attacks against Cloudflare employees, offices, and data centers.
  • Any Denial of Service attacks against Cloudflare and our products.
  • Any vulnerability obtained through the compromise of a Cloudflare customer or employee account. Please create a free account to test potential vulnerabilities.
  • Customer assets that use Cloudflare
  • Cloudflare's China network
  • Any 3rd party vendor that Cloudflare uses
  • Attacks against the integrity of Cloudflare customers.

Guidelines for Testing

Please be considerate when testing our infrastructure.
  • Make sure that scanners have a narrow scope set that is limited to authorized Cloudflare IPs only. Aggressive, overly broad scans or those which include Cloudflare customer IPs without permission will be considered invalid.
  • Do not send unsolicited bulk messages (spam) or unauthorized messages.
  • Do not knowingly post, transmit, upload, link to, or send any malware.
  • Do not attack Cloudflare customers, partners or suppliers.
  • Testing should be done from a Cloudflare account associated with your @wearehackerone.com email address.

WAF Bypasses

We consider WAF bypasses an enhancement to our WAF product rather than bugs, and such reports will be closed out as Informational. Additionally, any XSS WAF bypass reported needs to be reproducible on our test site https://waf.cumulusfire.net/xss. You are free to use this site for testing.

Reporting

If you believe you have found a security vulnerability that could impact Cloudflare or our users, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. We ask that you follow Cloudflare's Vulnerability Disclosure Policy and HackerOne's Disclosure Guidelines and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research.

Recommended Report Format

Submitting high-quality reports is highly encouraged. Please address the following pieces of information in your report to demonstrate the impact of the vulnerability. Reports that are low quality or unclear will be closed. This recommended format ensures that your report is readable and contains all the information Cloudflare needs to reproduce and assess the issue.
  • Affected target, feature, or URL:
  • Description of problem:
  • Impact of the issue:
  • Steps to reproduce:
  • Proof of Concept:
  • Is knowledge of this issue currently public?

Eligibility and Disclosure

In order for your submission to be eligible:
All legitimate reports will be reviewed and assessed by Cloudflare's security team to determine if it is eligible.

Privacy Policy, Restrictions and Taxes

Cloudflare maintains both a privacy policy and transparency report.
As mentioned in our Privacy and Security Policy, Cloudflare's website and services are not intended for, or designed to attract, individuals under the age of 18. Due to the Children's Online Privacy Protection Act (COPPA), we cannot accept submissions from children under the age of 13. Reporters under the age of 18 will not be eligible to receive Cloudflare service rewards. We will find another way to recognize your effort.
This program is not open to any individual on, or residing in any country on, any U.S. sanctions lists. The decision to pay a reward is entirely at our discretion. You must not violate any law. You are responsible for any tax implications or additional restrictions depending on your country and local law. We reserve the right to cancel this program at any time. Cloudflare employees and their family members are not eligible for bounties.
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
You are responsible for paying any taxes associated with rewards. We may modify the terms of this program or terminate this program at any time, but we won’t apply any changes we make to these program terms retroactively. Reports from individuals who we are prohibited by law from paying are ineligible for rewards.
Scopes

Out of Scope

Domain: support.cloudflare.com
This asset is hosted by Zendesk, and as such these reports should be submitted to their program instead via @zendesk.
Response Efficiency (based on last 90 days)
Average time to first response: 2 days
Average time to triage: 3 days
100% of reports
Program Statistics (updated daily)
Reports received in the last 90 days: 26
Last report resolved: a year ago
Reports resolved: 155
Hackers thanked: 195