Cloudflare opens $3,000 bug bounty programme to the public

Cloudflare, a provider of web infrastructure and security services, has announced the launch of its public bug bounty programme.

Bug hunters and security researchers can now report vulnerabilities found in Cloudflare products as part of the company's latest programme, which is hosted on HackerOne.

A private bounty program was previously launched in 2018, following a vulnerability disclosure programme in 2014. The company paid $211,512 in bounties during the lifetime of this programme, with 292 out of the 430 reports receiving a reward.

Rewards for Cloudflare's latest programme vary with the severity of the vulnerability. Each security flaw is assigned a severity rating based on the Common Vulnerability Scoring Standard (CVSS) version 3.

There is a $3,000 payment for a critical vulnerability report, while high, medium, and low vulnerabilities are worth $1,000, $500, and $250, respectively. However, rewards vary for secondary and other targets.

As a way to make vulnerability research easier, Cloudflare also developed a sandbox called CumulusFire, which provides a standardised playground for researchers to test their exploits. The sandbox will also assist Cloudflare’s security teams in reproducing potential exploits for analysis.

“CumulusFire has already helped us address the constant trickle of reports in which researchers would configure their origin server in an obviously insecure way, beyond default or expected settings, and then report that Cloudflare’s WAF does not block an attack. By policy, we will now only consider WAF bypasses a vulnerability if it is reproducible on CumulusFire,” explained Cloudflare.

A good place to start is to refer to the documentation on Cloudflare's developer and API portals, the Learning Center, and its support forums.

The firm also aims to add additional documentation, testing platforms, and a way for researchers to interact with its security teams to ensure submissions are valid.