Cloudflare introduces a paid public bug bounty program


Cloudflare has announced the launch of a new public bug bounty program. Starting today, anyone interested in bug bounty hunting can report security vulnerabilities found in Cloudflare products through the program, which is hosted on the HackerOne platform.

Cloudflare began a vulnerability disclosure program back in 2014. Anyone could report potential vulnerabilities to Cloudflare’s security team. The company claims that it received 1,197 reports through this program but only 13% of them were valid. Then in 2018, the company launched a private bug bounty program.

The company also released a testing sandbox named CumulusFire. This platform offers a standardized playground where researchers can test their exploits. It also makes it easy for the Cloudflare team to reproduce reported bugs while triaging.

Now researchers can join Cloudflare’s bug bounty program on HackerOne. The company has also provided more information about its products by offering Developer documentation, API documentation, the Learning Center, and a forum.

Here’s a reward list for different types of vulnerabilities.

| Severity | Critical (9.0 – 10.0) | High (7.0 – 8.9) | Medium (4.0 – 6.9) | Low (0.1 – 3.9) |
| --- | --- | --- | --- | --- |
| Primary Targets | $3,000 | $1,000 | $500 | $250 |
| Secondary Targets | $2,700 | $750 | $350 | $200 |
| Other | $2,100 | $500 | $200 | $100 |
