Cloudflare launches a paid public bug bounty program


Cloudflare, an American company focused on web infrastructure and website security, has announced the launch of a new public bug bounty program.

“Today we are launching Cloudflare’s paid public bug bounty program,” said Rushil Shah, a Product Security Engineer at Cloudflare.

“We believe bug bounties are a vital part of every security team’s toolbox and have been working hard on improving and expanding our private bug bounty program over the last few years.”

The new public bug bounty program follows a vulnerability disclosure program, without cash bounties, that Cloudflare created in 2014. Through that program Cloudflare received 1,197 reports, of which only 13% were valid, largely because researchers struggled to understand its infrastructure and products well enough to distinguish real security issues from expected behaviour.

In 2018, Cloudflare launched a private bug bounty program focused on providing a better experience for researchers. By mid-January 2022, Cloudflare had awarded $211,512 in bounties for in-scope vulnerabilities, with yearly payouts rising from $4,500 in 2018 to $101,075 in 2021.

Before launching the public program, the company also released a testing sandbox named CumulusFire, which gives bug hunters a standardized playground in which to test exploits against Cloudflare features without touching real customer zones.

Cloudflare’s new bug bounty program

Starting today, bug hunters can report security vulnerabilities found in Cloudflare products through the company’s new public bug bounty program, hosted on the HackerOne platform.

Researchers can find more information on Cloudflare’s products in the company’s Developer documentation, API documentation, the Learning Center, and materials found on Cloudflare’s support forums.

The breakdown of bounty awards by target tier and by the issue’s CVSS v3 severity rating is shown in the table below.

Severity (CVSS v3 score)    Primary Targets    Secondary Targets    Other
Critical (9.0 – 10.0)       $3,000             $2,700               $2,100
High (7.0 – 8.9)            $1,000             $750                 $500
Medium (4.0 – 6.9)          $500               $350                 $200
Low (0.1 – 3.9)             $250               $200                 $100

Depending on a vulnerability’s mitigating factors and Cloudflare’s own business risk assessment, a reported issue may be assigned a lower severity rating, and therefore a lower bounty, than its raw CVSS score alone would suggest.

“Just as we grew our private program, we will continue to evolve our public bug bounty program to provide the best experience for researchers,” Shah added.

“We aim to add more documentation, testing platforms and a way to interact with our security teams so that researchers can be confident that their submissions represent valid security issues.”