CloudFlare Vulnerability Disclosure Policy
We take security, trust, and transparency seriously. CloudFlare appreciates the work of security researchers and has developed a program to make it easier to report vulnerabilities to CloudFlare and to recognize you for your effort to make the Internet a better place. This policy provides our guidelines for reporting vulnerabilities to CloudFlare.
If you believe you have found a security vulnerability that could impact CloudFlare or our users, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. We ask that you follow CloudFlare's Vulnerability Disclosure Policy and HackerOne's Disclosure Guidelines and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research.
Any web properties owned by CloudFlare are in scope for the program. Including:
Vulnerabilities for StopTheHacker should be reported at https://hackerone.com/stopthehacker.
CloudFlare customer sites are out of scope for our Vulnerability Disclosure program.
If you are a customer and have a password or account issue, please contact CloudFlare support. For abuse issues or law enforcement inquiries, please review our Abuse policy.
Eligibility and Disclosure
In order for your submission to be eligible:
- You must agree to our Vulnerability Disclosure Policy.
- You must be the first person to responsibly disclose an unknown issue.
All legitimate reports will be reviewed and assessed by CloudFlare's security team to determine whether they are eligible.
As mentioned in our Privacy and Security Policy, CloudFlare's website and services are not intended for, or designed to attract, individuals under the age of 18. Due to the Children's Online Privacy Protection Act (COPPA), we cannot accept submissions from children under the age of 13. Reporters under the age of 18 will not be eligible to receive CloudFlare service rewards. We will find another way to recognize your effort.
For each eligible vulnerability report, the reporter will receive:
- Recognition on our Hall of Fame.
- A limited edition CloudFlare bug hunter t-shirt. CloudFlare employees don't even have this shirt. It's only for you all. Wear it with pride: you're part of an exclusive group.
- 12 months of CloudFlare's Pro or 1 month of Business service on us.
Monetary compensation is not offered under the program.
The following conditions are out of scope for the vulnerability disclosure program. Any of the activities below will result in permanent disqualification from the program.
- Physical attacks against CloudFlare employees, offices, and data centers.
- Social engineering of CloudFlare employees, contractors, vendors, or service providers.
- Knowingly posting, transmitting, uploading, linking to, or sending any malware.
- Pursuing vulnerabilities which send unsolicited bulk messages (spam) or unauthorized messages.
- Any vulnerability obtained through the compromise of a CloudFlare customer or employee account. If you need to test a vulnerability, please create a free account.
- Being an individual on, or residing in any country on, any U.S. sanctions lists.