Cloudflare opens $3,000 bug bounty programme to the public

The company's previous programme paid out around $212,000 over its lifetime

Cloudflare, a provider of web infrastructure and security services, has announced the launch of its public bug bounty programme.

Bug hunters and security researchers can now report vulnerabilities found in Cloudflare products as part of the company's latest programme, which is hosted on HackerOne.

Cloudflare previously ran a private bounty programme, launched in 2018, which itself followed a vulnerability disclosure programme started in 2014. Over the private programme's lifetime the company paid $211,512 in bounties, with 292 of the 430 reports it received earning a reward.

Rewards for Cloudflare's latest programme vary with the severity of the vulnerability. Each security flaw is assigned a severity rating based on the Common Vulnerability Scoring System (CVSS) version 3.

A critical vulnerability report pays $3,000, while high, medium, and low vulnerabilities are worth $1,000, $500, and $250, respectively. Rewards for secondary and other targets are set separately.

To make vulnerability research easier, Cloudflare has also built a sandbox called CumulusFire, which gives researchers a standardised environment in which to test their exploits. The sandbox also helps Cloudflare's security teams reproduce reported exploits for analysis.

“CumulusFire has already helped us address the constant trickle of reports in which researchers would configure their origin server in an obviously insecure way, beyond default or expected settings, and then report that Cloudflare’s WAF does not block an attack. By policy, we will now only consider WAF bypasses a vulnerability if it is reproducible on CumulusFire,” explained Cloudflare.

Researchers looking for a starting point are directed to the documentation on Cloudflare's developer and API portals, the Learning Center, and its support forums.

The firm also plans to add further documentation, testing platforms, and a channel for researchers to interact with its security teams, to help ensure submissions are valid.
