IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Cloudflare opens $3,000 bug bounty program to the public

The company's previous program paid out around $212,000 over its lifetime

Data

Cloudflare, a provider of web infrastructure and security services, has announced the launch of its public bug bounty program.

Bug hunters and security researchers can now report vulnerabilities found in Cloudflare products as part of the company's latest program, which is hosted on HackerOne.

A private bounty program was previously launched in 2018, following a vulnerability disclosure program in 2014. The company paid $211,512 in bounties during the lifetime of this program, with 292 out of the 430 reports receiving a reward.

Rewards for Cloudflare's latest program vary with the severity of the vulnerability. Each security flaw is assigned a severity rating based on the Common Vulnerability Scoring Standard (CVSS) version 3.

There is a $3,000 payment for a critical vulnerability report, while high, medium, and low vulnerabilities are worth $1,000, $500, and $250, respectively. However, rewards vary for secondary and other targets.

As a way to make vulnerability research easier, Cloudflare also developed a sandbox called CumulusFire, which provides a standardized playground for researchers to test their exploits. The sandbox will also assist Cloudflare’s security teams in reproducing potential exploits for analysis.

“CumulusFire has already helped us address the constant trickle of reports in which researchers would configure their origin server in an obviously insecure way, beyond default or expected settings, and then report that Cloudflare’s WAF does not block an attack. By policy, we will now only consider WAF bypasses a vulnerability if it is reproducible on CumulusFire,” explained Cloudflare.

A good place to start is to refer to the documentation on Cloudflare's developer and API portals, the Learning Center, and its support forums.

The firm also aims to add additional documentation, testing platforms, and a way for researchers to interact with its security teams to ensure submissions are valid.

Featured Resources

Accelerating AI modernisation with data infrastructure

Generate business value from your AI initiatives

Free Download

Recommendations for managing AI risks

Integrate your external AI tool findings into your broader security programs

Free Download

Modernise your legacy databases in the cloud

An introduction to cloud databases

Free Download

Powering through to innovation

IT agility drive digital transformation

Free Download

Recommended

Senate report slams agencies for poor cyber security
cyber security

Senate report slams agencies for poor cyber security

3 Aug 2021
Most employees put their workplace at risk by taking cyber security shortcuts
cyber security

Most employees put their workplace at risk by taking cyber security shortcuts

27 Jul 2021
61% of organizations say improving security a top priority for 2021
cyber security

61% of organizations say improving security a top priority for 2021

29 Jun 2021

Most Popular

Salaries for the least popular programming languages surge as much as 44%
Development

Salaries for the least popular programming languages surge as much as 44%

23 Jun 2022
The UK's best cities for tech workers in 2022
Business strategy

The UK's best cities for tech workers in 2022

24 Jun 2022
LockBit 2.0 ransomware disguised as PDFs distributed in email attacks
Security

LockBit 2.0 ransomware disguised as PDFs distributed in email attacks

27 Jun 2022