Cloudflare starts public bug bounty program

Cloudflare is starting a public bug bounty program. The company rewards security researchers through HackerOne with payments of between $100 and $3,000 for finding vulnerabilities in the platform.

The new bug bounty program is largely the same as the private program Cloudflare has been offering since 2018. The main difference is that from now on the program will be operated via HackerOne. Cloudflare writes in a blog post that it plans to release more documentation and further professionalize the program in the near future, but the program will not fundamentally change. The public bug bounty program allows security researchers to report all vulnerabilities in any Cloudflare product.

Cloudflare does distinguish between primary and secondary targets, plus a third category it calls ‘other’. Primary targets include the resolver and Pages, and secondary targets include the APIs. The website and public repositories on GitHub are also in scope, but under the ‘other’ category. Rewards range from $100 for a Low-severity bug to $3,000 for a Critical bug in a primary target.

Cloudflare started in 2014 with a responsible disclosure policy, and in 2018 moved to a closed bug bounty program with rewards and defined scopes. Since then, the company says it has paid out $211,512 or about 187,000 euros in bug bounties. Nearly half of that was distributed in 2021. Since the official closed program started, 430 reports have been received, of which 292 led to a bug fix and associated reward. The program’s highest-earning participant earned a total of $54,800.