[{"id":3769652,"new_policy":"# Our Values\nCloudflare appreciates the work of security researchers and takes security, trust, and transparency seriously. This program was developed to make vulnerability reporting easier and to recognize the efforts of all people striving to help make the Internet a better place.\n\nIf you believe you have found a security vulnerability that could impact Cloudflare or our users, we encourage you to inform us right away. We will investigate all legitimate reports and do our best to quickly fix the problem.\n\n# What we expect from you\nBy participating in this program, you agree to the following program rules and guidelines in addition to HackerOne's [Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines). Failure to follow these rules will lead to disqualification from the Cloudflare Bug Bounty program.\n\n## Program Rules\n* You must make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of Cloudflare’s services and products during your research.\n* All attacks must be executed against your own Cloudflare Account. You can sign up for a free Cloudflare account and use it for testing.\n    * Accounts should be created with a `@wearehackerone.com` email address.\n* Do not perform tests against customers of Cloudflare. \n* Once you find a vulnerability, report it and reach out to us before you use the vulnerability to pivot across multiple in-scope assets.\n* Make sure that scanners have a narrow scope set that is [limited to authorized Cloudflare IPs only](https://cloudflare.com/ips). 
Aggressive, overly broad scans or those which include Cloudflare customer IPs without permission will be considered tests against Cloudflare customers.\n* Do not send unsolicited bulk messages (spam) or unauthorized messages.\n* Do not knowingly post, transmit, upload, link to, or send any program or script that might be considered malicious.\n* If your report is the product of collaboration, please add your collaborators _before the bounty_ is awarded.\n\nAny of the activities below will result in disqualification from the program permanently:\n* Testing against Cloudflare customers, partners, service providers, suppliers, or vendors\n* Social engineering of Cloudflare employees/contractors, including but not limited to: pre-authenticated clickjacking, phishing, impersonating Cloudflare in emails or convincing customer support to do something on behalf of another user\n* Physical attacks against Cloudflare employees/contractors, offices, or data centers\n* Executing Denial of Service attacks against Cloudflare\n\n### Leaked credentials\nCloudflare appreciates researchers who take time to report leaked credentials. If you discover what looks like valid Cloudflare employee, customer or partner credentials, immediately submit a report to Cloudflare who will determine the validity of the leaked credentials. Please do not attempt to verify the validity of the credentials yourself by attempting to authenticate with the credentials. This makes triage more difficult, and will lead to the report being ineligible for a bounty. Additionally, keep in mind that Cloudflare cannot authorize testing against third-parties. **Under no circumstances should you use leaked Cloudflare employee, customer or partner credentials to access non-public information.**\n\n## Submitting a report\nWhen submitting a report, we expect that researchers:\n* Provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Provide a realistic attack scenario including prerequisites for an attack and expected gains after the exploitation.\n    * Reports without such a scenario, with unrealistic assumptions or without meaningful outcomes will not be eligible for reward.\n    * Example: \"invite an attacker account into your organization\".\n* Submit one vulnerability per report, unless you need to chain vulnerabilities in order to demonstrate impact.\n* Please avoid salami-style reporting of multiple reports. If you identify the same vulnerability on a subset of our products or multiple similar vulnerabilities on the same products, please submit one holistic report. \n* Do not store any Cloudflare IP or PII information once the report is submitted.\n\nSubmitting high quality reports is highly encouraged and will speed up the triage and award process. Please address the following bits of information in your report to demonstrate the quality of the vulnerability. Reports that are low quality and unclear will be closed. This recommended format will help you create a report that is in a readable format and contains all the information needed by Cloudflare.\n\n* Affected target, feature, or URL\n* Description of a problem\n* Impact of an issue\n* Steps to reproduce or Proof of Concept\n* Is knowledge of this issue currently public?\n\n# What you can expect from us\n\n## Handling of reports\nCloudflare will make best effort to handle reports within the following time frame. Note that all times are in business days.\n\n| First Response | Triage | Bounty | Resolution |\n| --- | --- | --- | --- |\n| 5 days | 5 days (from first response) | 10 days (from triage) | Depends on severity and complexity |\n\n## Rewards\nWhen duplicates occur, we award only the first report that was received, provided that it can be fully reproduced. 
If multiple vulnerabilities are caused by one underlying issue, we reserve the right to award only one bounty. All reward decisions are at the sole discretion of Cloudflare.\n\n### Mergers and acquisitions\nWe encourage and appreciate researchers who report vulnerabilities in new Cloudflare products coming through mergers and acquisitions. However, findings are eligible for rewards at Cloudflare's sole discretion.\n\n## Big Bonanza\nWe're excited to announce an exclusive opportunity for our top-tier talent! Researchers who demonstrate excellence by submitting 2 valid critical severity reports or 4 valid high severity reports can request entry into our prestigious Cloudflare VIP Program.\n\nAs a member of the VIP program, you’ll unlock: \n\n✨ Access to enterprise features!\n✨ Exclusive access to test our cutting-edge Beta products \n✨ Opportunity to participate in special bug bounty campaigns \n✨ Higher bounty payouts and more!\n\nJoin our VIP program and take your bug hunting to the next level!\n\n## Disclosure\nCloudflare strongly supports coordinated disclosure. Our pledge to you, a vulnerability reporter, is to respond promptly and to fix the vulnerability in a sensible timeframe, and in exchange we ask you to coordinate the disclosure with us.\n\nCloudflare aims to resolve all vulnerabilities within 90 days, and we ask you not to disclose the information before that time. If we are unable to uphold that commitment on our end, we will let you know (but the decision whether to publish after the 90 days will be yours).\n\nFor some submissions we might decide not to treat the issue as a vulnerability or not to issue a bounty. Still, we would like you to coordinate the disclosure with us so we are prepared for it.\n\nOften we decide on the payout before the vulnerability is fixed, so the reward is not a payment for your silence. Still, we really want to have a chance to fix the vulnerability before it can be used by a malicious actor. 
For this reason we ask you to let us know about any plans you might have to present your findings in any way (such as blog posts, articles, conference presentations, etc.).\n\nAt the end of the day, the decision on what to disclose and when to disclose it is yours, and we would like to support you, so feel free to share any drafts of your presentation or article before publishing so we can provide feedback or share it with internal teams.\n\nWe have to mention, however, that any actions done in bad faith might result in excluding malicious reporters from the program or, in the case of disclosing Cloudflare or Cloudflare customers’ information (like PII or other sensitive information), might even force us to take legal action.\n\n# Privacy Policy, Restrictions and Taxes\nCloudflare maintains both a [privacy policy](https://www.cloudflare.com/privacypolicy/) and [transparency report](https://www.cloudflare.com/transparency/). As mentioned in our Privacy Policy, Cloudflare's website and services are not intended for, or designed to attract, individuals under the age of 18. Due to the Children's Online Privacy Protection Act (COPPA), we cannot accept submissions from children under the age of 13. Reporters under the age of 18 will not be eligible to receive Cloudflare service rewards. \n\nThis program is not open to any individual on, or anyone residing in any country on, any U.S. sanctions lists. Cloudflare employees and their family members are not eligible for bounties.\n\nThe decision to pay a reward is entirely at our discretion. You must not violate any law. You are responsible for any tax implications or additional restrictions depending on your country and local law. We reserve the right to cancel this program at any time.\n\n## Mediation\nCloudflare encourages hackers to Request Mediation directly on the reports when they feel the program does not honor commitments made on the policy page. 
Please provide as much context and reasoning as possible for requesting mediation. \nPlease refer to https://docs.hackerone.com/en/articles/8466617-hacker-mediation for when and how to request mediation from HackerOne. \n\nIf you still feel dissatisfied or do not receive a response within 30-60 days, depending on the severity of your report, please escalate to the internal Cloudflare team via bugbounty@cloudflare.com. \n","has_open_scope":true,"pays_within_one_month":false,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Welcome to Cloudflare's public bug bounty program! ","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"MITM or physical access to a user's device\",\"details\":\"Attacks requiring MITM or physical access to a user's device will not be accepted.\"}","{\"category\":\"Content quality issues like broken links, spelling errors etc\",\"details\":\"Reports detailing content quality issues like broken links, spelling errors etc. 
will not be accepted.\"}","{\"category\":\"Clickjacking on pages with no sensitive actions\",\"details\":\"Clickjacking on pages with no sensitive actions will not be accepted.\"}","{\"category\":\"Cloud resource takeovers\",\"details\":\"Cloud resource takeovers will not be accepted.\"}","{\"category\":\"Content spoofing and text injection issues\",\"details\":\"Content spoofing and text injection issues without showing an attack vector, or without being able to modify HTML/CSS will not be accepted.\"}","{\"category\":\"Email configuration issues\",\"details\":\"Email configuration issues without a PoC to demonstrate a specific flaw will not be accepted.\"}","{\"category\":\"Insecure origin server configuration\",\"details\":\"Exploits that require the victim to configure their origin server in an insecure and non-default/uncommon way will not be accepted.\"}","{\"category\":\"Suggestions on configuration documentation\",\"details\":\"Reports detailing missing best practice, configuration or policy suggestions, including SSL/TLS configurations will not be accepted.\"}","{\"category\":\"Lack of “Secure” or “HttpOnly” flag on non-sensitive cookies\",\"details\":\"Reports detailing a lack of “Secure” or “HttpOnly” flag on non-sensitive cookies will not be accepted.\"}","{\"category\":\"Open redirects\",\"details\":\"Reports detailing open redirects will not be accepted.\"}","{\"category\":\"Security tool output without a PoC\",\"details\":\"Output from security tools (such as automated scanners) without a PoC to demonstrate a specific vulnerability will not be accepted.\"}","{\"category\":\"Subdomain takeovers\",\"details\":\"Subdomain takeovers will not be accepted.\"}","{\"category\":\"Unauthenticated logout/login CSRF\",\"details\":\"Unauthenticated logout/login CSRF will not be accepted.\"}","{\"category\":\"Use of previously known vulnerable libraries\",\"details\":\"Use of previously known vulnerable libraries without a working Proof of Concept will not be 
accepted.\"}","{\"category\":\"Vulnerabilities in SaaS applications\",\"details\":\"Vulnerabilities in SaaS applications (unless the vulnerability is a result of a misconfiguration by Cloudflare) will not be accepted.\"}","{\"category\":\"Turnstile bypass\",\"details\":\"Automated bypasses on Turnstile via a custom script will not be accepted.\"}","{\"category\":\"Demo and Test Applications\",\"details\":\"Reports targeting demo, test, or proof-of-concept (PoC) applications are not in scope for bounty. These are not intended for production use and offer no performance, security, or reliability guarantees.\"}","{\"category\":\"Demo and Test Applications - Quiche\",\"details\":\"For demo applications in quiche, \\n- please refer to the disclaimer at https://github.com/cloudflare/quiche\\n- we invite contributions to our open-source projects; please open a Pull Request (PR) with any fixes\\n- Reports may be considered for bounty if they are reproducible in the Cloudflare stack\"}"],"timestamp":"2026-02-13T00:50:32.255Z"},{"id":3768964,"new_policy":"# Our Values\nCloudflare appreciates the work of security researchers and takes security, trust, and transparency seriously. This program was developed to make vulnerability reporting easier and to recognize the efforts of all people striving to help make the Internet a better place.\n\nIf you believe you have found a security vulnerability that could impact Cloudflare or our users, we encourage you to inform us right away. We will investigate all legitimate reports and do our best to quickly fix the problem.\n\n# What we expect from you\nBy participating in this program, you agree to the following program rules and guidelines in addition to HackerOne's [Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines). 
Failure to follow these rules will lead to disqualification from the Cloudflare Bug Bounty program.\n\n## Program Rules\n* You must make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of Cloudflare’s services and products during your research.\n* All attacks must be executed against your own Cloudflare Account. You can sign up for a free Cloudflare account and use it for testing.\n    * Accounts should be created with a `@wearehackerone.com` email address.\n* Do not perform tests against customers of Cloudflare. \n* Once you find a vulnerability, report it and reach out to us before you use the vulnerability to pivot across multiple in-scope assets.\n* Make sure that scanners have a narrow scope set that is [limited to authorized Cloudflare IPs only](https://cloudflare.com/ips). Aggressive, overly broad scans or those which include Cloudflare customer IPs without permission will be considered tests against Cloudflare customers.\n* Do not send unsolicited bulk messages (spam) or unauthorized messages.\n* Do not knowingly post, transmit, upload, link to, or send any program or script that might be considered malicious.\n* If your report is the product of collaboration, please add your collaborators _before the bounty_ is awarded.\n\nAny of the activities below will result in disqualification from the program permanently:\n* Testing against Cloudflare customers, partners, service providers, suppliers, or vendors\n* Social engineering of Cloudflare employees/contractors, including but not limited to: pre-authenticated clickjacking, phishing, impersonating Cloudflare in emails or convincing customer support to do something on behalf of another user\n* Physical attacks against Cloudflare employees/contractors, offices, or data centers\n* Executing Denial of Service attacks against Cloudflare\n\n### Leaked credentials\nCloudflare appreciates researchers who take time to report leaked credentials. 
If you discover what looks like valid Cloudflare employee, customer or partner credentials, immediately submit a report to Cloudflare who will determine the validity of the leaked credentials. Please do not attempt to verify the validity of the credentials yourself by attempting to authenticate with the credentials. This makes triage more difficult, and will lead to the report being ineligible for a bounty. Additionally, keep in mind that Cloudflare cannot authorize testing against third-parties. **Under no circumstances should you use leaked Cloudflare employee, customer or partner credentials to access non-public information.**\n\n## Submitting a report\nWhen submitting a report, we expect that researchers:\n* Provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Provide a realistic attack scenario including prerequisites for an attack and expected gains after the exploitation.\n    * Reports without such a scenario, with unrealistic assumptions or without meaningful outcomes will not be eligible for reward.\n    * Example: \"invite an attacker account into your organization\".\n* Submit one vulnerability per report, unless you need to chain vulnerabilities in order to demonstrate impact.\n* Please avoid salami-style reporting of multiple reports. If you identify the same vulnerability on a subset of our products or multiple similar vulnerabilities on the same products, please submit one holistic report. \n* Do not store any Cloudflare IP or PII information once the report is submitted.\n\nSubmitting high quality reports is highly encouraged and will speed up the triage and award process. Please address the following bits of information in your report to demonstrate the quality of the vulnerability. Reports that are low quality and unclear will be closed. 
This recommended format will help you create a report that is in a readable format and contains all the information needed by Cloudflare.\n\n* Affected target, feature, or URL\n* Description of a problem\n* Impact of an issue\n* Steps to reproduce or Proof of Concept\n* Is knowledge of this issue currently public?\n\n# What you can expect from us\n\n## Handling of reports\nCloudflare will make best effort to handle reports within the following time frame. Note that all times are in business days.\n\n| First Response | Triage | Bounty | Resolution |\n| --- | --- | --- | --- |\n| 5 days | 5 days (from first response) | 10 days (from triage) | Depends on severity and complexity |\n\n## Rewards\nWhen duplicates occur, we award only the first report that was received, provided that it can be fully reproduced. If multiple vulnerabilities are caused by one underlying issue, we reserve the right to award only one bounty. All reward decisions are at the sole discretion of Cloudflare.\n\n### Mergers and acquisitions\nWe encourage and appreciate researchers who report vulnerabilities in new Cloudflare products coming through mergers and acquisitions. However, findings are eligible for rewards at Cloudflare's sole discretion.\n\n## Big Bonanza\nWe're excited to announce an exclusive opportunity for our top-tier talent! Researchers who demonstrate excellence by submitting 2 valid critical severity reports or 4 valid high severity reports can request entry into our prestigious Cloudflare VIP Program.\n\nAs a member of the VIP program, you’ll unlock: \n\n✨ Access to enterprise features!\n✨ Exclusive access to test our cutting-edge Beta products \n✨ Opportunity to participate in special bug bounty campaigns \n✨ Higher bounty payouts and more!\n\nJoin our VIP program and take your bug hunting to the next level!\n\n## Disclosure\nCloudflare strongly supports coordinated disclosure. 
Our pledge to you, a vulnerability reporter, is to respond promptly and to fix the vulnerability in a sensible timeframe, and in exchange we ask you to coordinate the disclosure with us.\n\nCloudflare aims to resolve all vulnerabilities within 90 days, and we ask you not to disclose the information before that time. If we are unable to uphold that commitment on our end, we will let you know (but the decision whether to publish after the 90 days will be yours).\n\nFor some submissions we might decide not to treat the issue as a vulnerability or not to issue a bounty. Still, we would like you to coordinate the disclosure with us so we are prepared for it.\n\nOften we decide on the payout before the vulnerability is fixed, so the reward is not a payment for your silence. Still, we really want to have a chance to fix the vulnerability before it can be used by a malicious actor. For this reason we ask you to let us know about any plans you might have to present your findings in any way (such as blog posts, articles, conference presentations, etc.).\n\nAt the end of the day, the decision on what to disclose and when to disclose it is yours, and we would like to support you, so feel free to share any drafts of your presentation or article before publishing so we can provide feedback or share it with internal teams.\n\nWe have to mention, however, that any actions done in bad faith might result in excluding malicious reporters from the program or, in the case of disclosing Cloudflare or Cloudflare customers’ information (like PII or other sensitive information), might even force us to take legal action.\n\n# Privacy Policy, Restrictions and Taxes\nCloudflare maintains both a [privacy policy](https://www.cloudflare.com/privacypolicy/) and [transparency report](https://www.cloudflare.com/transparency/). 
As mentioned in our Privacy Policy, Cloudflare's website and services are not intended for, or designed to attract, individuals under the age of 18. Due to the Children's Online Privacy Protection Act (COPPA), we cannot accept submissions from children under the age of 13. Reporters under the age of 18 will not be eligible to receive Cloudflare service rewards. \n\nThis program is not open to any individual on, or anyone residing in any country on, any U.S. sanctions lists. Cloudflare employees and their family members are not eligible for bounties.\n\nThe decision to pay a reward is entirely at our discretion. You must not violate any law. You are responsible for any tax implications or additional restrictions depending on your country and local law. We reserve the right to cancel this program at any time.\n\n## Mediation\nCloudflare encourages hackers to Request Mediation directly on the reports when they feel the program does not honor commitments made on the policy page. Please provide as much context and reasoning as possible for requesting mediation. \nPlease refer to https://docs.hackerone.com/en/articles/8466617-hacker-mediation for when and how to request mediation from HackerOne. \n\nIf you still feel dissatisfied or do not receive a response within 30-60 days, depending on the severity of your report, please escalate to the internal Cloudflare team via bugbounty@cloudflare.com. \n","has_open_scope":true,"pays_within_one_month":false,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Welcome to Cloudflare's public bug bounty program! 
","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"MITM or physical access to a user's device\",\"details\":\"Attacks requiring MITM or physical access to a user's device will not be accepted.\"}","{\"category\":\"Content quality issues like broken links, spelling errors etc\",\"details\":\"Reports detailing content quality issues like broken links, spelling errors etc. will not be accepted.\"}","{\"category\":\"Clickjacking on pages with no sensitive actions\",\"details\":\"Clickjacking on pages with no sensitive actions will not be accepted.\"}","{\"category\":\"Cloud resource takeovers\",\"details\":\"Cloud resource takeovers will not be accepted.\"}","{\"category\":\"Content spoofing and text injection issues\",\"details\":\"Content spoofing and text injection issues without showing an attack vector, or without being able to modify HTML/CSS will not be accepted.\"}","{\"category\":\"Email configuration issues\",\"details\":\"Email configuration issues without a PoC to demonstrate a specific flaw will not be accepted.\"}","{\"category\":\"Insecure origin server configuration\",\"details\":\"Exploits that require the victim to configure their origin server in an insecure and non-default/uncommon way will not be accepted.\"}","{\"category\":\"Suggestions on configuration documentation\",\"details\":\"Reports detailing missing best practice, configuration or policy suggestions, including SSL/TLS configurations will not be accepted.\"}","{\"category\":\"Lack of “Secure” or “HttpOnly” flag on non-sensitive cookies\",\"details\":\"Reports detailing a lack of “Secure” or “HttpOnly” flag on non-sensitive cookies will not be accepted.\"}","{\"category\":\"Open redirects\",\"details\":\"Reports detailing open redirects will not be accepted.\"}","{\"category\":\"Security tool output without a PoC\",\"details\":\"Output from security tools (such as automated scanners) without a PoC to demonstrate a specific 
vulnerability will not be accepted.\"}","{\"category\":\"Subdomain takeovers\",\"details\":\"Subdomain takeovers will not be accepted.\"}","{\"category\":\"Unauthenticated logout/login CSRF\",\"details\":\"Unauthenticated logout/login CSRF will not be accepted.\"}","{\"category\":\"Use of previously known vulnerable libraries\",\"details\":\"Use of previously known vulnerable libraries without a working Proof of Concept will not be accepted.\"}","{\"category\":\"Vulnerabilities in SaaS applications\",\"details\":\"Vulnerabilities in SaaS applications (unless the vulnerability is a result of a misconfiguration by Cloudflare) will not be accepted.\"}","{\"category\":\"Turnstile bypass\",\"details\":\"Automated bypasses on Turnstile via a custom script will not be accepted.\"}","{\"category\":\"Demo and Test Applications\",\"details\":\"Reports targeting demo, test, or proof-of-concept (PoC) applications are not in scope for bounty. These are not intended for production use and offer no performance, security, or reliability guarantees.\"}"],"timestamp":"2026-01-29T19:53:12.374Z"},{"id":3768962,"new_policy":"# Our Values\nCloudflare appreciates the work of security researchers and takes security, trust, and transparency seriously. This program was developed to make vulnerability reporting easier and to recognize the efforts of all people striving to help make the Internet a better place.\n\nIf you believe you have found a security vulnerability that could impact Cloudflare or our users, we encourage you to inform us right away. We will investigate all legitimate reports and do our best to quickly fix the problem.\n\n# What we expect from you\nBy participating in this program, you agree to the following program rules and guidelines in addition to HackerOne's [Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines). 
Failure to follow these rules will lead to disqualification from the Cloudflare Bug Bounty program.\n\n## Program Rules\n* You must make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of Cloudflare’s services and products during your research.\n* All attacks must be executed against your own Cloudflare Account. You can sign up for a free Cloudflare account and use it for testing.\n    * Accounts should be created with a `@wearehackerone.com` email address.\n* Do not perform tests against customers of Cloudflare. \n* Once you find a vulnerability, report it and reach out to us before you use the vulnerability to pivot across multiple in-scope assets.\n* Make sure that scanners have a narrow scope set that is [limited to authorized Cloudflare IPs only](https://cloudflare.com/ips). Aggressive, overly broad scans or those which include Cloudflare customer IPs without permission will be considered tests against Cloudflare customers.\n* Do not send unsolicited bulk messages (spam) or unauthorized messages.\n* Do not knowingly post, transmit, upload, link to, or send any program or script that might be considered malicious.\n* If your report is the product of collaboration, please add your collaborators _before the bounty_ is awarded.\n\nAny of the activities below will result in disqualification from the program permanently:\n* Testing against Cloudflare customers, partners, service providers, suppliers, or vendors\n* Social engineering of Cloudflare employees/contractors, including but not limited to: pre-authenticated clickjacking, phishing, impersonating Cloudflare in emails or convincing customer support to do something on behalf of another user\n* Physical attacks against Cloudflare employees/contractors, offices, or data centers\n* Executing Denial of Service attacks against Cloudflare\n\n### Leaked credentials\nCloudflare appreciates researchers who take time to report leaked credentials. 
If you discover what looks like valid Cloudflare employee, customer or partner credentials, immediately submit a report to Cloudflare who will determine the validity of the leaked credentials. Please do not attempt to verify the validity of the credentials yourself by attempting to authenticate with the credentials. This makes triage more difficult, and will lead to the report being ineligible for a bounty. Additionally, keep in mind that Cloudflare cannot authorize testing against third-parties. **Under no circumstances should you use leaked Cloudflare employee, customer or partner credentials to access non-public information.**\n\n## Submitting a report\nWhen submitting a report, we expect that researchers:\n* Provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Provide a realistic attack scenario including prerequisites for an attack and expected gains after the exploitation.\n    * Reports without such a scenario, with unrealistic assumptions or without meaningful outcomes will not be eligible for reward.\n    * Example: \"invite an attacker account into your organization\".\n* Submit one vulnerability per report, unless you need to chain vulnerabilities in order to demonstrate impact.\n* Please avoid salami-style reporting of the same vulnerability class. If you identify the same vulnerability on a subset of our products or multiple similar vulnerabilities on the same products, please submit one holistic report. \n* Do not store any Cloudflare IP or PII information once the report is submitted.\n\nSubmitting high quality reports is highly encouraged and will speed up the triage and award process. Please address the following bits of information in your report to demonstrate the quality of the vulnerability. Reports that are low quality and unclear will be closed. 
This recommended format will help you create a report that is in a readable format and contains all the information needed by Cloudflare.\n\n* Affected target, feature, or URL\n* Description of a problem\n* Impact of an issue\n* Steps to reproduce or Proof of Concept\n* Is knowledge of this issue currently public?\n\n# What you can expect from us\n\n## Handling of reports\nCloudflare will make best effort to handle reports within the following time frame. Note that all times are in business days.\n\n| First Response | Triage | Bounty | Resolution |\n| --- | --- | --- | --- |\n| 5 days | 5 days (from first response) | 10 days (from triage) | Depends on severity and complexity |\n\n## Rewards\nWhen duplicates occur, we award only the first report that was received, provided that it can be fully reproduced. If multiple vulnerabilities are caused by one underlying issue, we reserve the right to award only one bounty. All reward decisions are at the sole discretion of Cloudflare.\n\n### Mergers and acquisitions\nWe encourage and appreciate researchers who report vulnerabilities in new Cloudflare products coming through mergers and acquisitions. However, findings are eligible for rewards at Cloudflare's sole discretion.\n\n## Big Bonanza\nWe're excited to announce an exclusive opportunity for our top-tier talent! Researchers who demonstrate excellence by submitting 2 valid critical severity reports or 4 valid high severity reports can request entry into our prestigious Cloudflare VIP Program.\n\nAs a member of the VIP program, you’ll unlock: \n\n✨ Access to enterprise features!\n✨ Exclusive access to test our cutting-edge Beta products \n✨ Opportunity to participate in special bug bounty campaigns \n✨ Higher bounty payouts and more!\n\nJoin our VIP program and take your bug hunting to the next level!\n\n## Disclosure\nCloudflare strongly supports coordinated disclosure. 
Our pledge to you, a vulnerability reporter, is to respond promptly and to fix the vulnerability in a sensible timeframe, and in exchange we ask you to coordinate the disclosure with us.\n\nCloudflare aims to resolve all vulnerabilities within 90 days and we ask you not to disclose the information before that time. If we won’t be able to uphold that commitment on our end, we will let you know (but the decision whether you would like to publish after the 90 days will be yours).\n\nFor some submissions we might decide not to treat them as a vulnerability or not to issue a bounty. Still, we would like you to coordinate the disclosure with us so we are prepared for it.\n\nOften we decide on the payout before the vulnerability is fixed, so the reward is not a payment for your silence. Still, we really want to have a chance to fix the vulnerability before it can be used by a malicious actor. For this reason we ask you to let us know about any plans you might have to present your findings in any way (like blog posts, articles, conference presentations etc.).\n\nAt the end of the day the decision on what to disclose and when to disclose it is yours and we would like to support you, so feel free to share any drafts of your presentation or article before publishing so we can even provide some feedback or share it with internal teams.\n\nWe have to mention, however, that any actions done in bad faith might result in excluding malicious reporters from the program or, in case of disclosing Cloudflare or Cloudflare customers’ information (like PII, or other sensitive information), might even force us to take legal action.\n\n# Privacy Policy, Restrictions and Taxes\nCloudflare maintains both a [privacy policy](https://www.cloudflare.com/privacypolicy/) and [transparency report](https://www.cloudflare.com/transparency/). 
As mentioned in our Privacy Policy, Cloudflare's website and services are not intended for, or designed to attract, individuals under the age of 18. Due to the Children's Online Privacy Protection Act (COPPA), we cannot accept submissions from children under the age of 13. Reporters under the age of 18 will not be eligible to receive Cloudflare service rewards. \n\nThis program is not open to any individual on, or anyone residing in any country on, any U.S. sanctions lists. Cloudflare employees and their family members are not eligible for bounties.\n\nThe decision to pay a reward is entirely at our discretion. You must not violate any law. You are responsible for any tax implications or additional restrictions depending on your country and local law. We reserve the right to cancel this program at any time.\n\n## Mediation\nCloudflare encourages hackers to Request Mediation directly on the reports when they feel the program does not honor commitments made on the policy page. Please provide as much context and reasoning as possible for requesting mediation. \nPlease refer to https://docs.hackerone.com/en/articles/8466617-hacker-mediation for when and how to request mediation from HackerOne. \n\nIf you still feel dissatisfied or do not receive a response within 30-60 days, depending on the severity of your report, please escalate to the internal Cloudflare team via bugbounty@cloudflare.com. \n","has_open_scope":true,"pays_within_one_month":false,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Welcome to Cloudflare's public bug bounty program! 
","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"MITM or physical access to a user's device\",\"details\":\"Attacks requiring MITM or physical access to a user's device will not be accepted.\"}","{\"category\":\"Content quality issues like broken links, spelling errors etc\",\"details\":\"Reports detailing content quality issues like broken links, spelling errors etc. will not be accepted.\"}","{\"category\":\"Clickjacking on pages with no sensitive actions\",\"details\":\"Clickjacking on pages with no sensitive actions will not be accepted.\"}","{\"category\":\"Cloud resource takeovers\",\"details\":\"Cloud resource takeovers will not be accepted.\"}","{\"category\":\"Content spoofing and text injection issues\",\"details\":\"Content spoofing and text injection issues without showing an attack vector, or without being able to modify HTML/CSS will not be accepted.\"}","{\"category\":\"Email configuration issues\",\"details\":\"Email configuration issues without a PoC to demonstrate a specific flaw will not be accepted.\"}","{\"category\":\"Insecure origin server configuration\",\"details\":\"Exploits that require the victim to configure their origin server in an insecure and non-default/uncommon way will not be accepted.\"}","{\"category\":\"Suggestions on configuration documentation\",\"details\":\"Reports detailing missing best practice, configuration or policy suggestions, including SSL/TLS configurations will not be accepted.\"}","{\"category\":\"Lack of “Secure” or “HttpOnly” flag on non-sensitive cookies\",\"details\":\"Reports detailing a lack of “Secure” or “HttpOnly” flag on non-sensitive cookies will not be accepted.\"}","{\"category\":\"Open redirects\",\"details\":\"Reports detailing open redirects will not be accepted.\"}","{\"category\":\"Security tool output without a PoC\",\"details\":\"Output from security tools (such as automated scanners) without a PoC to demonstrate a specific 
vulnerability will not be accepted.\"}","{\"category\":\"Subdomain takeovers\",\"details\":\"Subdomain takeovers will not be accepted.\"}","{\"category\":\"Unauthenticated logout/login CSRF\",\"details\":\"Unauthenticated logout/login CSRF will not be accepted.\"}","{\"category\":\"Use of previously known vulnerable libraries\",\"details\":\"Use of previously known vulnerable libraries without a working Proof of Concept will not be accepted.\"}","{\"category\":\"Vulnerabilities in SaaS applications\",\"details\":\"Vulnerabilities in SaaS applications (unless the vulnerability is a result of a misconfiguration by Cloudflare) will not be accepted.\"}","{\"category\":\"Turnstile bypass\",\"details\":\"Automated bypasses on Turnstile via a custom script will not be accepted.\"}","{\"category\":\"Demo and Test Applications\",\"details\":\"Reports targeting demo, test, or proof-of-concept (PoC) are not in scope for bounty. These are not intended for production use and offer no performance, security, or reliability guarantees.\"}"],"timestamp":"2026-01-29T19:42:05.664Z"},{"id":3768200,"new_policy":"# Our Values\nCloudflare appreciates the work of security researchers and takes security, trust, and transparency seriously. This program was developed to make vulnerability reporting easier and to recognize the efforts of all people striving to help make the Internet a better place.\n\nIf you believe you have found a security vulnerability that could impact Cloudflare or our users, we encourage you to inform us right away. We will investigate all legitimate reports and do our best to quickly fix the problem.\n\n# What we expect from you\nBy participating in this program, you agree to the following program rules and guidelines in addition to HackerOne's [Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines). 
Failure to follow these rules will lead to disqualification from the Cloudflare Bug Bounty program.\n\n## Program Rules\n* You must make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of Cloudflare’s services and products during your research.\n* All attacks must be executed against your own Cloudflare Account. You can sign up for a free Cloudflare account and use it for testing.\n    * Accounts should be created with a `@wearehackerone.com` email address.\n* Do not perform tests against customers of Cloudflare. \n* Once you find a vulnerability, report it and reach out to us before you use the vulnerability to pivot across multiple in-scope assets.\n* Make sure that scanners have a narrow scope set that is [limited to authorized Cloudflare IPs only](https://cloudflare.com/ips). Aggressive, overly broad scans or those which include Cloudflare customer IPs without permission will be considered tests against Cloudflare customers.\n* Do not send unsolicited bulk messages (spam) or unauthorized messages.\n* Do not knowingly post, transmit, upload, link to, or send any program or script that might be considered malicious.\n* If your report is the product of collaboration, please add your collaborators _before the bounty_ is awarded.\n\nAny of the activities below will result in disqualification from the program permanently:\n* Testing against Cloudflare customers, partners, service providers, suppliers, or vendors\n* Social engineering of Cloudflare employees/contractors, including but not limited to: pre-authenticated clickjacking, phishing, impersonating Cloudflare in emails or convincing customer support to do something on behalf of another user\n* Physical attacks against Cloudflare employees/contractors, offices, or data centers\n* Executing Denial of Service attacks against Cloudflare\n\n### Leaked credentials\nCloudflare appreciates researchers who take time to report leaked credentials. 
If you discover what looks like valid Cloudflare employee, customer or partner credentials, immediately submit a report to Cloudflare who will determine the validity of the leaked credentials. Please do not attempt to verify the validity of the credentials yourself by attempting to authenticate with the credentials. This makes triage more difficult, and will lead to the report being ineligible for a bounty. Additionally, keep in mind that Cloudflare cannot authorize testing against third-parties. **Under no circumstances should you use leaked Cloudflare employee, customer or partner credentials to access non-public information.**\n\n## Submitting a report\nWhen submitting a report, we expect that researchers:\n* Provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Provide a realistic attack scenario including prerequisites for an attack and expected gains after the exploitation.\n    * Reports without such a scenario, with unrealistic assumptions or without meaningful outcomes will not be eligible for reward.\n    * Example: \"invite an attacker account into your organization\".\n* Submit one vulnerability per report, unless you need to chain vulnerabilities in order to demonstrate impact.\n* Do not store any Cloudflare IP or PII information once the report is submitted.\n\nSubmitting high quality reports is highly encouraged and will speed up the triage and award process. Please address the following bits of information in your report to demonstrate the quality of the vulnerability. Reports that are low quality and unclear will be closed. 
This recommended format will help you create a report that is in a readable format and contains all the information needed by Cloudflare.\n\n* Affected target, feature, or URL\n* Description of a problem\n* Impact of an issue\n* Steps to reproduce or Proof of Concept\n* Is knowledge of this issue currently public?\n\n# What you can expect from us\n\n## Handling of reports\nCloudflare will make best effort to handle reports within the following time frame. Note that all times are in business days.\n\n| First Response | Triage | Bounty | Resolution |\n| --- | --- | --- | --- |\n| 5 days | 5 days (from first response) | 10 days (from triage) | Depends on severity and complexity |\n\n## Rewards\nWhen duplicates occur, we award only the first report that was received, provided that it can be fully reproduced. If multiple vulnerabilities are caused by one underlying issue, we reserve the right to award only one bounty. All reward decisions are at the sole discretion of Cloudflare.\n\n### Mergers and acquisitions\nWe encourage and appreciate researchers who report vulnerabilities in new Cloudflare products coming through mergers and acquisitions. However, findings are eligible for rewards at Cloudflare's sole discretion.\n\n## Big Bonanza\nWe're excited to announce an exclusive opportunity for our top-tier talent! Researchers who demonstrate excellence by submitting 2 valid critical severity reports or 4 valid high severity reports can request entry into our prestigious Cloudflare VIP Program.\n\nAs a member of the VIP program, you’ll unlock: \n\n✨ Access to enterprise features!\n✨ Exclusive access to test our cutting-edge Beta products \n✨ Opportunity to participate in special bug bounty campaigns \n✨ Higher bounty payouts and more!\n\nJoin our VIP program and take your bug hunting to the next level!\n\n## Disclosure\nCloudflare strongly supports coordinated disclosure. 
Our pledge to you, a vulnerability reporter, is to respond promptly and to fix the vulnerability in a sensible timeframe, and in exchange we ask you to coordinate the disclosure with us.\n\nCloudflare aims to resolve all vulnerabilities within 90 days and we ask you not to disclose the information before that time. If we won’t be able to uphold that commitment on our end, we will let you know (but the decision whether you would like to publish after the 90 days will be yours).\n\nFor some submissions we might decide not to treat them as a vulnerability or not to issue a bounty. Still, we would like you to coordinate the disclosure with us so we are prepared for it.\n\nOften we decide on the payout before the vulnerability is fixed, so the reward is not a payment for your silence. Still, we really want to have a chance to fix the vulnerability before it can be used by a malicious actor. For this reason we ask you to let us know about any plans you might have to present your findings in any way (like blog posts, articles, conference presentations etc.).\n\nAt the end of the day the decision on what to disclose and when to disclose it is yours and we would like to support you, so feel free to share any drafts of your presentation or article before publishing so we can even provide some feedback or share it with internal teams.\n\nWe have to mention, however, that any actions done in bad faith might result in excluding malicious reporters from the program or, in case of disclosing Cloudflare or Cloudflare customers’ information (like PII, or other sensitive information), might even force us to take legal action.\n\n# Privacy Policy, Restrictions and Taxes\nCloudflare maintains both a [privacy policy](https://www.cloudflare.com/privacypolicy/) and [transparency report](https://www.cloudflare.com/transparency/). 
As mentioned in our Privacy Policy, Cloudflare's website and services are not intended for, or designed to attract, individuals under the age of 18. Due to the Children's Online Privacy Protection Act (COPPA), we cannot accept submissions from children under the age of 13. Reporters under the age of 18 will not be eligible to receive Cloudflare service rewards. \n\nThis program is not open to any individual on, or anyone residing in any country on, any U.S. sanctions lists. Cloudflare employees and their family members are not eligible for bounties.\n\nThe decision to pay a reward is entirely at our discretion. You must not violate any law. You are responsible for any tax implications or additional restrictions depending on your country and local law. We reserve the right to cancel this program at any time.\n\n## Mediation\nCloudflare encourages hackers to Request Mediation directly on the reports when they feel the program does not honor commitments made on the policy page. Please provide as much context and reasoning as possible for requesting mediation. \nPlease refer to https://docs.hackerone.com/en/articles/8466617-hacker-mediation for when and how to request mediation from HackerOne. \n\nIf you still feel dissatisfied or do not receive a response within 30-60 days, depending on the severity of your report, please escalate to the internal Cloudflare team via bugbounty@cloudflare.com. \n","has_open_scope":true,"pays_within_one_month":false,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Welcome to Cloudflare's public bug bounty program! 
","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"MITM or physical access to a user's device\",\"details\":\"Attacks requiring MITM or physical access to a user's device will not be accepted.\"}","{\"category\":\"Content quality issues like broken links, spelling errors etc\",\"details\":\"Reports detailing content quality issues like broken links, spelling errors etc. will not be accepted.\"}","{\"category\":\"Clickjacking on pages with no sensitive actions\",\"details\":\"Clickjacking on pages with no sensitive actions will not be accepted.\"}","{\"category\":\"Cloud resource takeovers\",\"details\":\"Cloud resource takeovers will not be accepted.\"}","{\"category\":\"Content spoofing and text injection issues\",\"details\":\"Content spoofing and text injection issues without showing an attack vector, or without being able to modify HTML/CSS will not be accepted.\"}","{\"category\":\"Email configuration issues\",\"details\":\"Email configuration issues without a PoC to demonstrate a specific flaw will not be accepted.\"}","{\"category\":\"Insecure origin server configuration\",\"details\":\"Exploits that require the victim to configure their origin server in an insecure and non-default/uncommon way will not be accepted.\"}","{\"category\":\"Suggestions on configuration documentation\",\"details\":\"Reports detailing missing best practice, configuration or policy suggestions, including SSL/TLS configurations will not be accepted.\"}","{\"category\":\"Lack of “Secure” or “HttpOnly” flag on non-sensitive cookies\",\"details\":\"Reports detailing a lack of “Secure” or “HttpOnly” flag on non-sensitive cookies will not be accepted.\"}","{\"category\":\"Open redirects\",\"details\":\"Reports detailing open redirects will not be accepted.\"}","{\"category\":\"Security tool output without a PoC\",\"details\":\"Output from security tools (such as automated scanners) without a PoC to demonstrate a specific 
vulnerability will not be accepted.\"}","{\"category\":\"Subdomain takeovers\",\"details\":\"Subdomain takeovers will not be accepted.\"}","{\"category\":\"Unauthenticated logout/login CSRF\",\"details\":\"Unauthenticated logout/login CSRF will not be accepted.\"}","{\"category\":\"Use of previously known vulnerable libraries\",\"details\":\"Use of previously known vulnerable libraries without a working Proof of Concept will not be accepted.\"}","{\"category\":\"Vulnerabilities in SaaS applications\",\"details\":\"Vulnerabilities in SaaS applications (unless the vulnerability is a result of a misconfiguration by Cloudflare) will not be accepted.\"}","{\"category\":\"Turnstile bypass\",\"details\":\"Automated bypasses on Turnstile via a custom script will not be accepted.\"}","{\"category\":\"Demo and Test Applications\",\"details\":\"Reports targeting demo, test, or proof-of-concept (PoC) are not in scope for bounty. These are not intended for production use and offer no performance, security, or reliability guarantees.\"}"],"timestamp":"2026-01-12T10:46:54.015Z"},{"id":3767757,"new_policy":"# Our Values\nCloudflare appreciates the work of security researchers and takes security, trust, and transparency seriously. This program was developed to make vulnerability reporting easier and to recognize the efforts of all people striving to help make the Internet a better place.\n\nIf you believe you have found a security vulnerability that could impact Cloudflare or our users, we encourage you to inform us right away. We will investigate all legitimate reports and do our best to quickly fix the problem.\n\n# What we expect from you\nBy participating in this program, you agree to the following program rules and guidelines in addition to HackerOne's [Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines). 
Failure to follow these rules will lead to disqualification from the Cloudflare Bug Bounty program.\n\n## Program Rules\n* You must make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of Cloudflare’s services and products during your research.\n* All attacks must be executed against your own Cloudflare Account. You can sign up for a free Cloudflare account and use it for testing.\n    * Accounts should be created with a `@wearehackerone.com` email address.\n* Do not perform tests against customers of Cloudflare. \n* Once you find a vulnerability, report it and reach out to us before you use the vulnerability to pivot across multiple in-scope assets.\n* Make sure that scanners have a narrow scope set that is [limited to authorized Cloudflare IPs only](https://cloudflare.com/ips). Aggressive, overly broad scans or those which include Cloudflare customer IPs without permission will be considered tests against Cloudflare customers.\n* Do not send unsolicited bulk messages (spam) or unauthorized messages.\n* Do not knowingly post, transmit, upload, link to, or send any program or script that might be considered malicious.\n* If your report is the product of collaboration, please add your collaborators _before the bounty_ is awarded.\n\nAny of the activities below will result in disqualification from the program permanently:\n* Testing against Cloudflare customers, partners, service providers, suppliers, or vendors\n* Social engineering of Cloudflare employees/contractors, including but not limited to: pre-authenticated clickjacking, phishing, impersonating Cloudflare in emails or convincing customer support to do something on behalf of another user\n* Physical attacks against Cloudflare employees/contractors, offices, or data centers\n* Executing Denial of Service attacks against Cloudflare\n\n### Leaked credentials\nCloudflare appreciates researchers who take time to report leaked credentials. 
If you discover what looks like valid Cloudflare employee, customer or partner credentials, immediately submit a report to Cloudflare who will determine the validity of the leaked credentials. Please do not attempt to verify the validity of the credentials yourself by attempting to authenticate with the credentials. This makes triage more difficult, and will lead to the report being ineligible for a bounty. Additionally, keep in mind that Cloudflare cannot authorize testing against third-parties. **Under no circumstances should you use leaked Cloudflare employee, customer or partner credentials to access non-public information.**\n\n## Submitting a report\nWhen submitting a report, we expect that researchers:\n* Provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Provide a realistic attack scenario including prerequisites for an attack and expected gains after the exploitation.\n    * Reports without such a scenario, with unrealistic assumptions or without meaningful outcomes will not be eligible for reward.\n    * Example: \"invite an attacker account into your organization\".\n* Submit one vulnerability per report, unless you need to chain vulnerabilities in order to demonstrate impact.\n* Do not store any Cloudflare IP or PII information once the report is submitted.\n\nSubmitting high quality reports is highly encouraged and will speed up the triage and award process. Please address the following bits of information in your report to demonstrate the quality of the vulnerability. Reports that are low quality and unclear will be closed. 
This recommended format will help you create a report that is in a readable format and contains all the information needed by Cloudflare.\n\n* Affected target, feature, or URL\n* Description of a problem\n* Impact of an issue\n* Steps to reproduce or Proof of Concept\n* Is knowledge of this issue currently public?\n\n# What you can expect from us\n\n## Handling of reports\nCloudflare will make best effort to handle reports within the following time frame. Note that all times are in business days.\n\n| First Response | Triage | Bounty | Resolution |\n| --- | --- | --- | --- |\n| 5 days | 5 days (from first response) | 10 days (from triage) | Depends on severity and complexity |\n\n## Rewards\nWhen duplicates occur, we award only the first report that was received, provided that it can be fully reproduced. If multiple vulnerabilities are caused by one underlying issue, we reserve the right to award only one bounty. All reward decisions are at the sole discretion of Cloudflare.\n\n### Mergers and acquisitions\nWe encourage and appreciate researchers who report vulnerabilities in new Cloudflare products coming through mergers and acquisitions. However, findings are eligible for rewards at Cloudflare's sole discretion.\n\n## Big Bonanza\nWe're excited to announce an exclusive opportunity for our top-tier talent! Researchers who demonstrate excellence by submitting 2 valid critical severity reports or 4 valid high severity reports can request entry into our prestigious Cloudflare VIP Program.\n\nAs a member of the VIP program, you’ll unlock: \n\n✨ Access to enterprise features!\n✨ Exclusive access to test our cutting-edge Beta products \n✨ Opportunity to participate in special bug bounty campaigns \n✨ Higher bounty payouts and more!\n\nJoin our VIP program and take your bug hunting to the next level!\n\n## Disclosure\nCloudflare strongly supports coordinated disclosure. 
Our pledge to you, a vulnerability reporter, is to respond promptly and to fix the vulnerability in a sensible timeframe, and in exchange we ask you to coordinate the disclosure with us.\n\nCloudflare aims to resolve all vulnerabilities within 90 days and we ask you not to disclose the information before that time. If we won’t be able to uphold that commitment on our end, we will let you know (but the decision whether you would like to publish after the 90 days will be yours).\n\nFor some submissions we might decide not to treat them as a vulnerability or not to issue a bounty. Still, we would like you to coordinate the disclosure with us so we are prepared for it.\n\nOften we decide on the payout before the vulnerability is fixed, so the reward is not a payment for your silence. Still, we really want to have a chance to fix the vulnerability before it can be used by a malicious actor. For this reason we ask you to let us know about any plans you might have to present your findings in any way (like blog posts, articles, conference presentations etc.).\n\nAt the end of the day the decision on what to disclose and when to disclose it is yours and we would like to support you, so feel free to share any drafts of your presentation or article before publishing so we can even provide some feedback or share it with internal teams.\n\nWe have to mention, however, that any actions done in bad faith might result in excluding malicious reporters from the program or, in case of disclosing Cloudflare or Cloudflare customers’ information (like PII, or other sensitive information), might even force us to take legal action.\n\n# Privacy Policy, Restrictions and Taxes\nCloudflare maintains both a [privacy policy](https://www.cloudflare.com/privacypolicy/) and [transparency report](https://www.cloudflare.com/transparency/). 
As mentioned in our Privacy Policy, Cloudflare's website and services are not intended for, or designed to attract, individuals under the age of 18. Due to the Children's Online Privacy Protection Act (COPPA), we cannot accept submissions from children under the age of 13. Reporters under the age of 18 will not be eligible to receive Cloudflare service rewards. \n\nThis program is not open to any individual on, or anyone residing in any country on, any U.S. sanctions lists. Cloudflare employees and their family members are not eligible for bounties.\n\nThe decision to pay a reward is entirely at our discretion. You must not violate any law. You are responsible for any tax implications or additional restrictions depending on your country and local law. We reserve the right to cancel this program at any time.\n\n## Mediation\nCloudflare encourages hackers to Request Mediation directly on the reports when they feel the program does not honor commitments made on the policy page. Please provide as much context and reasoning as possible for requesting mediation. \nPlease refer to https://docs.hackerone.com/en/articles/8466617-hacker-mediation for when and how to request mediation from HackerOne. \n\nIf you still feel dissatisfied or do not receive a response within 30-60 days, depending on the severity of your report, please escalate to the internal Cloudflare team via bugbounty@cloudflare.com. \n","has_open_scope":true,"pays_within_one_month":false,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Welcome to Cloudflare's public bug bounty program! \n\n**Holiday Season Update:**\nHello, bug bounty hunters! 🎯\nAs we navigate the holiday season, we’re temporarily slowing down the pace of triaging and awarding bounties. 
Rest assured, your submissions are safe in our inbox, and we’ll resume active work on them starting January 6th 2026.\nPlease note that critical reports, will continue to be prioritized during this time.\nThank you for your patience and support! Wishing you safe and happy holidays—we look forward to collaborating with you in the new year. 🐞🔍\n-Cloudflare Security","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"MITM or physical access to a user's device\",\"details\":\"Attacks requiring MITM or physical access to a user's device will not be accepted.\"}","{\"category\":\"Content quality issues like broken links, spelling errors etc\",\"details\":\"Reports detailing content quality issues like broken links, spelling errors etc. will not be accepted.\"}","{\"category\":\"Clickjacking on pages with no sensitive actions\",\"details\":\"Clickjacking on pages with no sensitive actions will not be accepted.\"}","{\"category\":\"Cloud resource takeovers\",\"details\":\"Cloud resource takeovers will not be accepted.\"}","{\"category\":\"Content spoofing and text injection issues\",\"details\":\"Content spoofing and text injection issues without showing an attack vector, or without being able to modify HTML/CSS will not be accepted.\"}","{\"category\":\"Email configuration issues\",\"details\":\"Email configuration issues without a PoC to demonstrate a specific flaw will not be accepted.\"}","{\"category\":\"Insecure origin server configuration\",\"details\":\"Exploits that require the victim to configure their origin server in an insecure and non-default/uncommon way will not be accepted.\"}","{\"category\":\"Suggestions on configuration documentation\",\"details\":\"Reports detailing missing best practice, configuration or policy suggestions, including SSL/TLS configurations will not be accepted.\"}","{\"category\":\"Lack of “Secure” or “HttpOnly” flag on non-sensitive cookies\",\"details\":\"Reports detailing a 
lack of “Secure” or “HttpOnly” flag on non-sensitive cookies will not be accepted.\"}","{\"category\":\"Open redirects\",\"details\":\"Reports detailing open redirects will not be accepted.\"}","{\"category\":\"Security tool output without a PoC\",\"details\":\"Output from security tools (such as automated scanners) without a PoC to demonstrate a specific vulnerability will not be accepted.\"}","{\"category\":\"Subdomain takeovers\",\"details\":\"Subdomain takeovers will not be accepted.\"}","{\"category\":\"Unauthenticated logout/login CSRF\",\"details\":\"Unauthenticated logout/login CSRF will not be accepted.\"}","{\"category\":\"Use of previously known vulnerable libraries\",\"details\":\"Use of previously known vulnerable libraries without a working Proof of Concept will not be accepted.\"}","{\"category\":\"Vulnerabilities in SaaS applications\",\"details\":\"Vulnerabilities in SaaS applications (unless the vulnerability is a result of a misconfiguration by Cloudflare) will not be accepted.\"}","{\"category\":\"Turnstile bypass\",\"details\":\"Automated bypasses on Turnstile via a custom script will not be accepted.\"}","{\"category\":\"Demo and Test Applications\",\"details\":\"Reports targeting demo, test, or proof-of-concept (PoC) are not in scope for bounty. These are not intended for production use and offer no performance, security, or reliability guarantees.\"}"],"timestamp":"2025-12-23T18:28:00.101Z"},{"id":3766070,"new_policy":"# Our Values\nCloudflare appreciates the work of security researchers and takes security, trust, and transparency seriously. This program was developed to make vulnerability reporting easier and to recognize the efforts of all people striving to help make the Internet a better place.\n\nIf you believe you have found a security vulnerability that could impact Cloudflare or our users, we encourage you to inform us right away. 
We will investigate all legitimate reports and do our best to quickly fix the problem.\n\n# What we expect from you\nBy participating in this program, you agree to the following program rules and guidelines in addition to HackerOne's [Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines). Failure to follow these rules will lead to disqualification from the Cloudflare Bug Bounty program.\n\n## Program Rules\n* You must make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of Cloudflare’s services and products during your research.\n* All attacks must be executed against your own Cloudflare Account. You can sign up for a free Cloudflare account and use it for testing.\n    * Accounts should be created with a `@wearehackerone.com` email address.\n* Do not perform tests against customers of Cloudflare. \n* Once you find a vulnerability, report it and reach out to us before you use the vulnerability to pivot across multiple in-scope assets.\n* Make sure that scanners have a narrow scope set that is [limited to authorized Cloudflare IPs only](https://cloudflare.com/ips). 
Aggressive, overly broad scans or those which include Cloudflare customer IPs without permission will be considered tests against Cloudflare customers.\n* Do not send unsolicited bulk messages (spam) or unauthorized messages.\n* Do not knowingly post, transmit, upload, link to, or send any program or script that might be considered malicious.\n* If your report is the product of collaboration, please add your collaborators _before the bounty_ is awarded.\n\nAny of the activities below will result in disqualification from the program permanently:\n* Testing against Cloudflare customers, partners, service providers, suppliers, or vendors\n* Social engineering of Cloudflare employees/contractors, including but not limited to: pre-authenticated clickjacking, phishing, impersonating Cloudflare in emails or convincing customer support to do something on behalf of another user\n* Physical attacks against Cloudflare employees/contractors, offices, or data centers\n* Executing Denial of Service attacks against Cloudflare\n\n### Leaked credentials\nCloudflare appreciates researchers who take time to report leaked credentials. If you discover what looks like valid Cloudflare employee, customer or partner credentials, immediately submit a report to Cloudflare who will determine the validity of the leaked credentials. Please do not attempt to verify the validity of the credentials yourself by attempting to authenticate with the credentials. This makes triage more difficult, and will lead to the report being ineligible for a bounty. Additionally, keep in mind that Cloudflare cannot authorize testing against third-parties. **Under no circumstances should you use leaked Cloudflare employee, customer or partner credentials to access non-public information.**\n\n## Submitting a report\nWhen submitting a report, we expect that researchers:\n* Provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Provide a realistic attack scenario including prerequisites for an attack and expected gains after the exploitation.\n    * Reports without such a scenario, with unrealistic assumptions or without meaningful outcomes will not be eligible for reward.\n    * Example: \"invite an attacker account into your organization\".\n* Submit one vulnerability per report, unless you need to chain vulnerabilities in order to demonstrate impact.\n* Do not store any Cloudflare IP or PII information once the report is submitted.\n\nSubmitting high quality reports is highly encouraged and will speed up the triage and award process. Please address the following bits of information in your report to demonstrate the quality of the vulnerability. Reports that are low quality and unclear will be closed. This recommended format will help you create a report that is in a readable format and contains all the information needed by Cloudflare.\n\n* Affected target, feature, or URL\n* Description of a problem\n* Impact of an issue\n* Steps to reproduce or Proof of Concept\n* Is knowledge of this issue currently public?\n\n# What you can expect from us\n\n## Handling of reports\nCloudflare will make best effort to handle reports within the following time frame. Note that all times are in business days.\n\n| First Response | Triage | Bounty | Resolution |\n| --- | --- | --- | --- |\n| 5 days | 5 days (from first response) | 10 days (from triage) | Depends on severity and complexity |\n\n## Rewards\nWhen duplicates occur, we award only the first report that was received, provided that it can be fully reproduced. If multiple vulnerabilities are caused by one underlying issue, we reserve the right to award only one bounty. 
All reward decisions are at the sole discretion of Cloudflare.\n\n### Mergers and acquisitions\nWe encourage and appreciate researchers who report vulnerabilities in new Cloudflare products coming through mergers and acquisitions. However, findings are eligible for rewards at Cloudflare's sole discretion.\n\n## Big Bonanza\nWe're excited to announce an exclusive opportunity for our top-tier talent! Researchers who demonstrate excellence by submitting 2 valid critical severity reports or 4 valid high severity reports can request entry into our prestigious Cloudflare VIP Program.\n\nAs a member of the VIP program, you’ll unlock: \n\n✨ Access to enterprise features!\n✨ Exclusive access to test our cutting-edge Beta products \n✨ Opportunity to participate in special bug bounty campaigns \n✨ Higher bounty payouts and more!\n\nJoin our VIP program and take your bug hunting to the next level!\n\n## Disclosure\nCloudflare strongly supports coordinated disclosure. Our pledge to you, a vulnerability reporter, is to respond promptly and to fix the vulnerability in the sensible timeframe and in exchange we ask you to coordinate the disclosure with us.\n\nCloudflare aims to resolve all the vulnerabilities within the 90 days and we ask you not to disclose the information before that time. If we won’t be able to uphold that commitment on our end, we will let you know (but the decision if you would like to publish after the 90 days will be yours).\n\nFor some of the submissions we might decide not to treat it as vulnerability or not to issue a bounty. Still, we would like you to coordinate the disclosure with us so we are prepared for it.\n\nOften we decide on the payout before the vulnerability is fixed so the reward is not a payment for your silence. Still, we really want to have a chance to fix the vulnerability before it can be used by a malicious actor. 
For this reason we ask you to let us know about any plans you might have regarding plans to present your findings in any way (like blog posts, articles, conference presentations etc.)\n\nAt the end of the day the decision on what to disclose and when to disclose it is yours and we would like to support you so feel free to share any drafts of your presentation or article before the publishing so we can even provide some feedback or share it with internal teams.\n\nWe have to mention however, that any actions done in bad faith might result in excluding malicious reporters from the program or, in case of disclosing Cloudflare or Cloudflare customers’ information (like PII, or other sensitive information) might even force us to take legal actions.\n\n# Privacy Policy, Restrictions and Taxes\nCloudflare maintains both a [privacy policy](https://www.cloudflare.com/privacypolicy/) and [transparency report](https://www.cloudflare.com/transparency/). As mentioned in our Privacy Policy, Cloudflare's website and services are not intended for, or designed to attract individuals under the age of 18. Due to the Children's Online Privacy Protection Act (COPPA), we cannot accept submissions from children under the age of 13. Reporters under the age of 18 will not be eligible to receive Cloudflare service rewards. \n\nThis program is not open to any individual on, or anyone residing in any country on, any U.S. sanctions lists. Cloudflare employees and their family members are not eligible for bounties.\n\nThe decision to pay a reward is entirely at our discretion. You must not violate any law. You are responsible for any tax implications or additional restrictions depending on your country and local law. We reserve the right to cancel this program at any time.\n\n## Mediation\nCloudflare encourages hackers to Request Mediation directly on the reports when they feel the program does not honor commitments made on the policy page. 
Please provide as much context and reasoning for requesting mediation. \nPlease refer to https://docs.hackerone.com/en/articles/8466617-hacker-mediation for when and how to request mediation from HackerOne. \n\nIf you still feel dissatisfied or do not receive a response within 30-60 days, depending on the severity of your report, please escalate to the internal Cloudflare team via bugbounty@cloudflare.com. \n","has_open_scope":true,"pays_within_one_month":false,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Welcome to Cloudflare's public bug bounty program! ","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"MITM or physical access to a user's device\",\"details\":\"Attacks requiring MITM or physical access to a user's device will not be accepted.\"}","{\"category\":\"Content quality issues like broken links, spelling errors etc\",\"details\":\"Reports detailing content quality issues like broken links, spelling errors etc. 
will not be accepted.\"}","{\"category\":\"Clickjacking on pages with no sensitive actions\",\"details\":\"Clickjacking on pages with no sensitive actions will not be accepted.\"}","{\"category\":\"Cloud resource takeovers\",\"details\":\"Cloud resource takeovers will not be accepted.\"}","{\"category\":\"Content spoofing and text injection issues\",\"details\":\"Content spoofing and text injection issues without showing an attack vector, or without being able to modify HTML/CSS will not be accepted.\"}","{\"category\":\"Email configuration issues\",\"details\":\"Email configuration issues without a PoC to demonstrate a specific flaw will not be accepted.\"}","{\"category\":\"Insecure origin server configuration\",\"details\":\"Exploits that require the victim to configure their origin server in an insecure and non-default/uncommon way will not be accepted.\"}","{\"category\":\"Suggestions on configuration documentation\",\"details\":\"Reports detailing missing best practice, configuration or policy suggestions, including SSL/TLS configurations will not be accepted.\"}","{\"category\":\"Lack of “Secure” or “HttpOnly” flag on non-sensitive cookies\",\"details\":\"Reports detailing a lack of “Secure” or “HttpOnly” flag on non-sensitive cookies will not be accepted.\"}","{\"category\":\"Open redirects\",\"details\":\"Reports detailing open redirects will not be accepted.\"}","{\"category\":\"Security tool output without a PoC\",\"details\":\"Output from security tools (such as automated scanners) without a PoC to demonstrate a specific vulnerability will not be accepted.\"}","{\"category\":\"Subdomain takeovers\",\"details\":\"Subdomain takeovers will not be accepted.\"}","{\"category\":\"Unauthenticated logout/login CSRF\",\"details\":\"Unauthenticated logout/login CSRF will not be accepted.\"}","{\"category\":\"Use of previously known vulnerable libraries\",\"details\":\"Use of previously known vulnerable libraries without a working Proof of Concept will not be 
accepted.\"}","{\"category\":\"Vulnerabilities in SaaS applications\",\"details\":\"Vulnerabilities in SaaS applications (unless the vulnerability is a result of a misconfiguration by Cloudflare) will not be accepted.\"}","{\"category\":\"Turnstile bypass\",\"details\":\"Automated bypasses on Turnstile via a custom script will not be accepted.\"}","{\"category\":\"Demo and Test Applications\",\"details\":\"Reports targeting demo, test, or proof-of-concept (PoC) are not in scope for bounty. These are not intended for production use and offer no performance, security, or reliability guarantees.\"}"],"timestamp":"2025-11-13T16:28:23.346Z"},{"id":3759613,"new_policy":"# Our Values\nCloudflare appreciates the work of security researchers and takes security, trust, and transparency seriously. This program was developed to make vulnerability reporting easier and to recognize the efforts of all people striving to help make the Internet a better place.\n\nIf you believe you have found a security vulnerability that could impact Cloudflare or our users, we encourage you to inform us right away. We will investigate all legitimate reports and do our best to quickly fix the problem.\n\n# What we expect from you\nBy participating in this program, you agree to the following program rules and guidelines in addition to HackerOne's [Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines). Failure to follow these rules will lead to disqualification from the Cloudflare Bug Bounty program.\n\n## Program Rules\n* You must make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of Cloudflare’s services and products during your research.\n* All attacks must be executed against your own Cloudflare Account. You can sign up for a free Cloudflare account and use it for testing.\n    * Accounts should be created with a `@wearehackerone.com` email address.\n* Do not perform tests against customers of Cloudflare. 
\n* Once you find a vulnerability, report it and reach out to us before you use the vulnerability to pivot across multiple in-scope assets.\n* Make sure that scanners have a narrow scope set that is [limited to authorized Cloudflare IPs only](https://cloudflare.com/ips). Aggressive, overly broad scans or those which include Cloudflare customer IPs without permission will be considered tests against Cloudflare customers.\n* Do not send unsolicited bulk messages (spam) or unauthorized messages.\n* Do not knowingly post, transmit, upload, link to, or send any program or script that might be considered malicious.\n* If your report is the product of collaboration, please add your collaborators _before the bounty_ is awarded.\n\nAny of the activities below will result in disqualification from the program permanently:\n* Testing against Cloudflare customers, partners, service providers, suppliers, or vendors\n* Social engineering of Cloudflare employees/contractors, including but not limited to: pre-authenticated clickjacking, phishing, impersonating Cloudflare in emails or convincing customer support to do something on behalf of another user\n* Physical attacks against Cloudflare employees/contractors, offices, or data centers\n* Executing Denial of Service attacks against Cloudflare\n\n### Leaked credentials\nCloudflare appreciates researchers who take time to report leaked credentials. If you discover what looks like valid Cloudflare employee, customer or partner credentials, immediately submit a report to Cloudflare who will determine the validity of the leaked credentials. Please do not attempt to verify the validity of the credentials yourself by attempting to authenticate with the credentials. This makes triage more difficult, and will lead to the report being ineligible for a bounty. Additionally, keep in mind that Cloudflare cannot authorize testing against third-parties. 
**Under no circumstances should you use leaked Cloudflare employee, customer or partner credentials to access non-public information.**\n\n## Submitting a report\nWhen submitting a report, we expect that researchers:\n* Provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Provide a realistic attack scenario including prerequisites for an attack and expected gains after the exploitation.\n    * Reports without such a scenario, with unrealistic assumptions or without meaningful outcomes will not be eligible for reward.\n    * Example: \"invite an attacker account into your organization\".\n* Submit one vulnerability per report, unless you need to chain vulnerabilities in order to demonstrate impact.\n* Do not store any Cloudflare IP or PII information once the report is submitted.\n\nSubmitting high quality reports is highly encouraged and will speed up the triage and award process. Please address the following bits of information in your report to demonstrate the quality of the vulnerability. Reports that are low quality and unclear will be closed. This recommended format will help you create a report that is in a readable format and contains all the information needed by Cloudflare.\n\n* Affected target, feature, or URL\n* Description of a problem\n* Impact of an issue\n* Steps to reproduce or Proof of Concept\n* Is knowledge of this issue currently public?\n\n# What you can expect from us\n\n## Handling of reports\nCloudflare will make best effort to handle reports within the following time frame. Note that all times are in business days.\n\n| First Response | Triage | Bounty | Resolution |\n| --- | --- | --- | --- |\n| 2 days | 2 days (from first response) | 10 days (from triage) | Depends on severity and complexity |\n\n## Rewards\nWhen duplicates occur, we award only the first report that was received, provided that it can be fully reproduced. 
If multiple vulnerabilities are caused by one underlying issue, we reserve the right to award only one bounty. All reward decisions are at the sole discretion of Cloudflare.\n\n### Mergers and acquisitions\nWe encourage and appreciate researchers who report vulnerabilities in new Cloudflare products coming through mergers and acquisitions. However, findings are eligible for rewards at Cloudflare's sole discretion.\n\n## Big Bonanza\nWe're excited to announce an exclusive opportunity for our top-tier talent! Researchers who demonstrate excellence by submitting 2 valid critical severity reports or 4 valid high severity reports can request entry into our prestigious Cloudflare VIP Program.\n\nAs a member of the VIP program, you’ll unlock: \n\n✨ Access to enterprise features!\n✨ Exclusive access to test our cutting-edge Beta products \n✨ Opportunity to participate in special bug bounty campaigns \n✨ Higher bounty payouts and more!\n\nJoin our VIP program and take your bug hunting to the next level!\n\n## Disclosure\nCloudflare strongly supports coordinated disclosure. Our pledge to you, a vulnerability reporter, is to respond promptly and to fix the vulnerability in the sensible timeframe and in exchange we ask you to coordinate the disclosure with us.\n\nCloudflare aims to resolve all the vulnerabilities within the 90 days and we ask you not to disclose the information before that time. If we won’t be able to uphold that commitment on our end, we will let you know (but the decision if you would like to publish after the 90 days will be yours).\n\nFor some of the submissions we might decide not to treat it as vulnerability or not to issue a bounty. Still, we would like you to coordinate the disclosure with us so we are prepared for it.\n\nOften we decide on the payout before the vulnerability is fixed so the reward is not a payment for your silence. Still, we really want to have a chance to fix the vulnerability before it can be used by a malicious actor. 
For this reason we ask you to let us know about any plans you might have regarding plans to present your findings in any way (like blog posts, articles, conference presentations etc.)\n\nAt the end of the day the decision on what to disclose and when to disclose it is yours and we would like to support you so feel free to share any drafts of your presentation or article before the publishing so we can even provide some feedback or share it with internal teams.\n\nWe have to mention however, that any actions done in bad faith might result in excluding malicious reporters from the program or, in case of disclosing Cloudflare or Cloudflare customers’ information (like PII, or other sensitive information) might even force us to take legal actions.\n\n# Privacy Policy, Restrictions and Taxes\nCloudflare maintains both a [privacy policy](https://www.cloudflare.com/privacypolicy/) and [transparency report](https://www.cloudflare.com/transparency/). As mentioned in our Privacy Policy, Cloudflare's website and services are not intended for, or designed to attract individuals under the age of 18. Due to the Children's Online Privacy Protection Act (COPPA), we cannot accept submissions from children under the age of 13. Reporters under the age of 18 will not be eligible to receive Cloudflare service rewards. \n\nThis program is not open to any individual on, or anyone residing in any country on, any U.S. sanctions lists. Cloudflare employees and their family members are not eligible for bounties.\n\nThe decision to pay a reward is entirely at our discretion. You must not violate any law. You are responsible for any tax implications or additional restrictions depending on your country and local law. We reserve the right to cancel this program at any time.\n\n## Mediation\nCloudflare encourages hackers to Request Mediation directly on the reports when they feel the program does not honor commitments made on the policy page. 
Please provide as much context and reasoning for requesting mediation. \nPlease refer to https://docs.hackerone.com/en/articles/8466617-hacker-mediation for when and how to request mediation from HackerOne. \n\nIf you still feel dissatisfied or do not receive a response within 30-60 days, depending on the severity of your report, please escalate to the internal Cloudflare team via bugbounty@cloudflare.com. \n","has_open_scope":true,"pays_within_one_month":false,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Welcome to Cloudflare's public bug bounty program! ","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"MITM or physical access to a user's device\",\"details\":\"Attacks requiring MITM or physical access to a user's device will not be accepted.\"}","{\"category\":\"Content quality issues like broken links, spelling errors etc\",\"details\":\"Reports detailing content quality issues like broken links, spelling errors etc. 
will not be accepted.\"}","{\"category\":\"Clickjacking on pages with no sensitive actions\",\"details\":\"Clickjacking on pages with no sensitive actions will not be accepted.\"}","{\"category\":\"Cloud resource takeovers\",\"details\":\"Cloud resource takeovers will not be accepted.\"}","{\"category\":\"Content spoofing and text injection issues\",\"details\":\"Content spoofing and text injection issues without showing an attack vector, or without being able to modify HTML/CSS will not be accepted.\"}","{\"category\":\"Email configuration issues\",\"details\":\"Email configuration issues without a PoC to demonstrate a specific flaw will not be accepted.\"}","{\"category\":\"Insecure origin server configuration\",\"details\":\"Exploits that require the victim to configure their origin server in an insecure and non-default/uncommon way will not be accepted.\"}","{\"category\":\"Suggestions on configuration documentation\",\"details\":\"Reports detailing missing best practice, configuration or policy suggestions, including SSL/TLS configurations will not be accepted.\"}","{\"category\":\"Lack of “Secure” or “HttpOnly” flag on non-sensitive cookies\",\"details\":\"Reports detailing a lack of “Secure” or “HttpOnly” flag on non-sensitive cookies will not be accepted.\"}","{\"category\":\"Open redirects\",\"details\":\"Reports detailing open redirects will not be accepted.\"}","{\"category\":\"Security tool output without a PoC\",\"details\":\"Output from security tools (such as automated scanners) without a PoC to demonstrate a specific vulnerability will not be accepted.\"}","{\"category\":\"Subdomain takeovers\",\"details\":\"Subdomain takeovers will not be accepted.\"}","{\"category\":\"Unauthenticated logout/login CSRF\",\"details\":\"Unauthenticated logout/login CSRF will not be accepted.\"}","{\"category\":\"Use of previously known vulnerable libraries\",\"details\":\"Use of previously known vulnerable libraries without a working Proof of Concept will not be 
accepted.\"}","{\"category\":\"Vulnerabilities in SaaS applications\",\"details\":\"Vulnerabilities in SaaS applications (unless the vulnerability is a result of a misconfiguration by Cloudflare) will not be accepted.\"}","{\"category\":\"Turnstile bypass\",\"details\":\"Automated bypasses on Turnstile via a custom script will not be accepted.\"}","{\"category\":\"Demo and Test Applications\",\"details\":\"Reports targeting demo, test, or proof-of-concept (PoC) are not in scope for bounty. These are not intended for production use and offer no performance, security, or reliability guarantees.\"}"],"timestamp":"2025-07-21T19:03:38.093Z"},{"id":3757145,"new_policy":"# Our Values\nCloudflare appreciates the work of security researchers and takes security, trust, and transparency seriously. This program was developed to make vulnerability reporting easier and to recognize the efforts of all people striving to help make the Internet a better place.\n\nIf you believe you have found a security vulnerability that could impact Cloudflare or our users, we encourage you to inform us right away. We will investigate all legitimate reports and do our best to quickly fix the problem.\n\n# What we expect from you\nBy participating in this program, you agree to the following program rules and guidelines in addition to HackerOne's [Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines). Failure to follow these rules will lead to disqualification from the Cloudflare Bug Bounty program.\n\n## Program Rules\n* You must make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of Cloudflare’s services and products during your research.\n* All attacks must be executed against your own Cloudflare Account. You can sign up for a free Cloudflare account and use it for testing.\n    * Accounts should be created with a `@wearehackerone.com` email address.\n* Do not perform tests against customers of Cloudflare. 
\n* Once you find a vulnerability, report it and reach out to us before you use the vulnerability to pivot across multiple in-scope assets.\n* Make sure that scanners have a narrow scope set that is [limited to authorized Cloudflare IPs only](https://cloudflare.com/ips). Aggressive, overly broad scans or those which include Cloudflare customer IPs without permission will be considered tests against Cloudflare customers.\n* Do not send unsolicited bulk messages (spam) or unauthorized messages.\n* Do not knowingly post, transmit, upload, link to, or send any program or script that might be considered malicious.\n* If your report is the product of collaboration, please add your collaborators _before the bounty_ is awarded.\n\nAny of the activities below will result in disqualification from the program permanently:\n* Testing against Cloudflare customers, partners, service providers, suppliers, or vendors\n* Social engineering of Cloudflare employees/contractors, including but not limited to: pre-authenticated clickjacking, phishing, impersonating Cloudflare in emails or convincing customer support to do something on behalf of another user\n* Physical attacks against Cloudflare employees/contractors, offices, or data centers\n* Executing Denial of Service attacks against Cloudflare\n\n### Leaked credentials\nCloudflare appreciates researchers who take time to report leaked credentials. If you discover what looks like valid Cloudflare employee, customer or partner credentials, immediately submit a report to Cloudflare who will determine the validity of the leaked credentials. Please do not attempt to verify the validity of the credentials yourself by attempting to authenticate with the credentials. This makes triage more difficult, and will lead to the report being ineligible for a bounty. Additionally, keep in mind that Cloudflare cannot authorize testing against third-parties. 
**Under no circumstances should you use leaked Cloudflare employee, customer or partner credentials to access non-public information.**\n\n## Submitting a report\nWhen submitting a report, we expect that researchers:\n* Provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Provide a realistic attack scenario including prerequisites for an attack and expected gains after the exploitation.\n    * Reports without such a scenario, with unrealistic assumptions or without meaningful outcomes will not be eligible for reward.\n    * Example: \"invite an attacker account into your organization\".\n* Submit one vulnerability per report, unless you need to chain vulnerabilities in order to demonstrate impact.\n* Do not store any Cloudflare IP or PII information once the report is submitted.\n\nSubmitting high quality reports is highly encouraged and will speed up the triage and award process. Please address the following bits of information in your report to demonstrate the quality of the vulnerability. Reports that are low quality and unclear will be closed. This recommended format will help you create a report that is in a readable format and contains all the information needed by Cloudflare.\n\n* Affected target, feature, or URL\n* Description of a problem\n* Impact of an issue\n* Steps to reproduce or Proof of Concept\n* Is knowledge of this issue currently public?\n\n# What you can expect from us\n\n## Handling of reports\nCloudflare will make best effort to handle reports within the following time frame. Note that all times are in business days.\n\n| First Response | Triage | Bounty | Resolution |\n| --- | --- | --- | --- |\n| 2 days | 2 days (from first response) | 10 days (from triage) | Depends on severity and complexity |\n\n## Rewards\nWhen duplicates occur, we award only the first report that was received, provided that it can be fully reproduced. 
If multiple vulnerabilities are caused by one underlying issue, we reserve the right to award only one bounty. All reward decisions are at the sole discretion of Cloudflare.\n\n### Mergers and acquisitions\nWe encourage and appreciate researchers who report vulnerabilities in new Cloudflare products coming through mergers and acquisitions. However, findings are eligible for rewards at Cloudflare's sole discretion.\n\n## Big Bonanza\nWe're excited to announce an exclusive opportunity for our top-tier talent! Researchers who demonstrate excellence by submitting 2 valid critical severity reports or 4 valid high severity reports can request entry into our prestigious Cloudflare VIP Program.\n\nAs a member of the VIP program, you’ll unlock: \n\n✨ Access to enterprise features!\n✨ Exclusive access to test our cutting-edge Beta products \n✨ Opportunity to participate in special bug bounty campaigns \n✨ Higher bounty payouts and more!\n\nJoin our VIP program and take your bug hunting to the next level!\n\n## Disclosure\nCloudflare strongly supports coordinated disclosure. Our pledge to you, a vulnerability reporter, is to respond promptly and to fix the vulnerability in the sensible timeframe and in exchange we ask you to coordinate the disclosure with us.\n\nCloudflare aims to resolve all the vulnerabilities within the 90 days and we ask you not to disclose the information before that time. If we won’t be able to uphold that commitment on our end, we will let you know (but the decision if you would like to publish after the 90 days will be yours).\n\nFor some of the submissions we might decide not to treat it as vulnerability or not to issue a bounty. Still, we would like you to coordinate the disclosure with us so we are prepared for it.\n\nOften we decide on the payout before the vulnerability is fixed so the reward is not a payment for your silence. Still, we really want to have a chance to fix the vulnerability before it can be used by a malicious actor. 
For this reason we ask you to let us know about any plans you might have to present your findings in any way (blog posts, articles, conference presentations, etc.).\n\nAt the end of the day, the decision on what to disclose and when to disclose it is yours, and we would like to support you, so feel free to share any drafts of your presentation or article before publishing so we can provide feedback or share it with internal teams.\n\nWe have to mention, however, that any actions done in bad faith might result in excluding malicious reporters from the program or, in the case of disclosing Cloudflare or Cloudflare customers’ information (like PII or other sensitive information), might even force us to take legal action.\n\n# Privacy Policy, Restrictions and Taxes\nCloudflare maintains both a [privacy policy](https://www.cloudflare.com/privacypolicy/) and [transparency report](https://www.cloudflare.com/transparency/). As mentioned in our Privacy Policy, Cloudflare's website and services are not intended for, or designed to attract, individuals under the age of 18. Due to the Children's Online Privacy Protection Act (COPPA), we cannot accept submissions from children under the age of 13. Reporters under the age of 18 will not be eligible to receive Cloudflare service rewards. \n\nThis program is not open to any individual on, or anyone residing in any country on, any U.S. sanctions lists. Cloudflare employees and their family members are not eligible for bounties.\n\nThe decision to pay a reward is entirely at our discretion. You must not violate any law. You are responsible for any tax implications or additional restrictions depending on your country and local law. We reserve the right to cancel this program at any time.\n\n## Mediation\nCloudflare encourages hackers to Request Mediation directly on the report when they feel the program does not honor commitments made on the policy page. 
Please provide as much context and reasoning as possible when requesting mediation. \nPlease refer to https://docs.hackerone.com/en/articles/8466617-hacker-mediation for when and how to request mediation from HackerOne. \n\nIf you still feel dissatisfied or do not receive a response within 30-60 days, depending on the severity of your report, please escalate to the internal Cloudflare team via bugbounty@cloudflare.com. \n","has_open_scope":true,"pays_within_one_month":false,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Welcome to Cloudflare's public bug bounty program! ","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"MITM or physical access to a user's device\",\"details\":\"Attacks requiring MITM or physical access to a user's device will not be accepted.\"}","{\"category\":\"Content quality issues like broken links, spelling errors etc\",\"details\":\"Reports detailing content quality issues like broken links, spelling errors etc. 
will not be accepted.\"}","{\"category\":\"Clickjacking on pages with no sensitive actions\",\"details\":\"Clickjacking on pages with no sensitive actions will not be accepted.\"}","{\"category\":\"Cloud resource takeovers\",\"details\":\"Cloud resource takeovers will not be accepted.\"}","{\"category\":\"Content spoofing and text injection issues\",\"details\":\"Content spoofing and text injection issues without showing an attack vector, or without being able to modify HTML/CSS will not be accepted.\"}","{\"category\":\"Email configuration issues\",\"details\":\"Email configuration issues without a PoC to demonstrate a specific flaw will not be accepted.\"}","{\"category\":\"Insecure origin server configuration\",\"details\":\"Exploits that require the victim to configure their origin server in an insecure and non-default/uncommon way will not be accepted.\"}","{\"category\":\"Suggestions on configuration documentation\",\"details\":\"Reports detailing missing best practice, configuration or policy suggestions, including SSL/TLS configurations will not be accepted.\"}","{\"category\":\"Lack of “Secure” or “HttpOnly” flag on non-sensitive cookies\",\"details\":\"Reports detailing a lack of “Secure” or “HttpOnly” flag on non-sensitive cookies will not be accepted.\"}","{\"category\":\"Open redirects\",\"details\":\"Reports detailing open redirects will not be accepted.\"}","{\"category\":\"Security tool output without a PoC\",\"details\":\"Output from security tools (such as automated scanners) without a PoC to demonstrate a specific vulnerability will not be accepted.\"}","{\"category\":\"Subdomain takeovers\",\"details\":\"Subdomain takeovers will not be accepted.\"}","{\"category\":\"Unauthenticated logout/login CSRF\",\"details\":\"Unauthenticated logout/login CSRF will not be accepted.\"}","{\"category\":\"Use of previously known vulnerable libraries\",\"details\":\"Use of previously known vulnerable libraries without a working Proof of Concept will not be 
accepted.\"}","{\"category\":\"Vulnerabilities in SaaS applications\",\"details\":\"Vulnerabilities in SaaS applications (unless the vulnerability is a result of a misconfiguration by Cloudflare) will not be accepted.\"}","{\"category\":\"Turnstile bypass\",\"details\":\"Automated bypasses on Turnstile via a custom script will not be accepted.\"}"],"timestamp":"2025-06-09T16:27:25.864Z"},{"id":3754504,"new_policy":"# Our Values\nCloudflare appreciates the work of security researchers and takes security, trust, and transparency seriously. This program was developed to make vulnerability reporting easier and to recognize the efforts of all people striving to help make the Internet a better place.\n\nIf you believe you have found a security vulnerability that could impact Cloudflare or our users, we encourage you to inform us right away. We will investigate all legitimate reports and do our best to quickly fix the problem.\n\n# What we expect from you\nBy participating in this program, you agree to the following program rules and guidelines in addition to HackerOne's [Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines). Failure to follow these rules will lead to disqualification from the Cloudflare Bug Bounty program.\n\n## Program Rules\n* You must make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of Cloudflare’s services and products during your research.\n* All attacks must be executed against your own Cloudflare Account. You can sign up for a free Cloudflare account and use it for testing.\n    * Accounts should be created with a `@wearehackerone.com` email address.\n* Do not perform tests against customers of Cloudflare. \n* Once you find a vulnerability, report it and reach out to us before you use the vulnerability to pivot across multiple in-scope assets.\n* Make sure that scanners have a narrow scope set that is [limited to authorized Cloudflare IPs only](https://cloudflare.com/ips). 
Aggressive, overly broad scans or those which include Cloudflare customer IPs without permission will be considered tests against Cloudflare customers.\n* Do not send unsolicited bulk messages (spam) or unauthorized messages.\n* Do not knowingly post, transmit, upload, link to, or send any program or script that might be considered malicious.\n* If your report is the product of collaboration, please add your collaborators _before the bounty_ is awarded.\n\nAny of the activities below will result in disqualification from the program permanently:\n* Testing against Cloudflare customers, partners, service providers, suppliers, or vendors\n* Social engineering of Cloudflare employees/contractors, including but not limited to: pre-authenticated clickjacking, phishing, impersonating Cloudflare in emails or convincing customer support to do something on behalf of another user\n* Physical attacks against Cloudflare employees/contractors, offices, or data centers\n* Executing Denial of Service attacks against Cloudflare\n\n### Leaked credentials\nCloudflare appreciates researchers who take time to report leaked credentials. If you discover what looks like valid Cloudflare employee, customer or partner credentials, immediately submit a report to Cloudflare who will determine the validity of the leaked credentials. Please do not attempt to verify the validity of the credentials yourself by attempting to authenticate with the credentials. This makes triage more difficult, and will lead to the report being ineligible for a bounty. Additionally, keep in mind that Cloudflare cannot authorize testing against third-parties. **Under no circumstances should you use leaked Cloudflare employee, customer or partner credentials to access non-public information.**\n\n## Submitting a report\nWhen submitting a report, we expect that researchers:\n* Provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Provide a realistic attack scenario including prerequisites for an attack and expected gains after the exploitation.\n    * Reports without such a scenario, with unrealistic assumptions or without meaningful outcomes will not be eligible for reward.\n    * Example: \"invite an attacker account into your organization\".\n* Submit one vulnerability per report, unless you need to chain vulnerabilities in order to demonstrate impact.\n* Do not store any Cloudflare IP or PII information once the report is submitted.\n\nSubmitting high quality reports is highly encouraged and will speed up the triage and award process. Please address the following bits of information in your report to demonstrate the quality of the vulnerability. Reports that are low quality and unclear will be closed. This recommended format will help you create a report that is in a readable format and contains all the information needed by Cloudflare.\n\n* Affected target, feature, or URL\n* Description of a problem\n* Impact of an issue\n* Steps to reproduce or Proof of Concept\n* Is knowledge of this issue currently public?\n\n# What you can expect from us\n\n## Handling of reports\nCloudflare will make best effort to handle reports within the following time frame. Note that all times are in business days.\n\n| First Response | Triage | Bounty | Resolution |\n| --- | --- | --- | --- |\n| 2 days | 2 days (from first response) | 10 days (from triage) | Depends on severity and complexity |\n\n## Rewards\nWhen duplicates occur, we award only the first report that was received, provided that it can be fully reproduced. If multiple vulnerabilities are caused by one underlying issue, we reserve the right to award only one bounty. 
All reward decisions are at the sole discretion of Cloudflare.\n\n### Mergers and acquisitions\nWe encourage and appreciate researchers who report vulnerabilities in new Cloudflare products coming through mergers and acquisitions. However, findings are eligible for rewards at Cloudflare's sole discretion.\n\n## Big Bonanza\nWe're excited to announce an exclusive opportunity for our top-tier talent! Researchers who demonstrate excellence by submitting 2 valid critical severity reports or 4 valid high severity reports can request entry into our prestigious Cloudflare VIP Program.\n\nAs a member of the VIP program, you’ll unlock: \n\n✨ Access to enterprise features!\n✨ Exclusive access to test our cutting-edge Beta products \n✨ Opportunity to participate in special bug bounty campaigns \n✨ Higher bounty payouts and more!\n\nJoin our VIP program and take your bug hunting to the next level!\n\n## Disclosure\nCloudflare strongly supports coordinated disclosure. Our pledge to you, a vulnerability reporter, is to respond promptly and to fix the vulnerability within a sensible timeframe, and in exchange we ask you to coordinate the disclosure with us.\n\nCloudflare aims to resolve all vulnerabilities within 90 days, and we ask you not to disclose the information before that time. If we are not able to uphold that commitment on our end, we will let you know (but the decision whether to publish after the 90 days will be yours).\n\nFor some submissions we might decide not to treat the issue as a vulnerability or not to issue a bounty. Still, we would like you to coordinate the disclosure with us so we are prepared for it.\n\nOften we decide on the payout before the vulnerability is fixed, so the reward is not a payment for your silence. Still, we really want to have a chance to fix the vulnerability before it can be used by a malicious actor. 
For this reason we ask you to let us know about any plans you might have to present your findings in any way (blog posts, articles, conference presentations, etc.).\n\nAt the end of the day, the decision on what to disclose and when to disclose it is yours, and we would like to support you, so feel free to share any drafts of your presentation or article before publishing so we can provide feedback or share it with internal teams.\n\nWe have to mention, however, that any actions done in bad faith might result in excluding malicious reporters from the program or, in the case of disclosing Cloudflare or Cloudflare customers’ information (like PII or other sensitive information), might even force us to take legal action.\n\n# Privacy Policy, Restrictions and Taxes\nCloudflare maintains both a [privacy policy](https://www.cloudflare.com/privacypolicy/) and [transparency report](https://www.cloudflare.com/transparency/). As mentioned in our Privacy Policy, Cloudflare's website and services are not intended for, or designed to attract, individuals under the age of 18. Due to the Children's Online Privacy Protection Act (COPPA), we cannot accept submissions from children under the age of 13. Reporters under the age of 18 will not be eligible to receive Cloudflare service rewards. \n\nThis program is not open to any individual on, or anyone residing in any country on, any U.S. sanctions lists. Cloudflare employees and their family members are not eligible for bounties.\n\nThe decision to pay a reward is entirely at our discretion. You must not violate any law. You are responsible for any tax implications or additional restrictions depending on your country and local law. We reserve the right to cancel this program at any time.\n\n## Mediation\nCloudflare encourages hackers to Request Mediation directly on the report when they feel the program does not honor commitments made on the policy page. 
Please provide as much context and reasoning as possible when requesting mediation. \nPlease refer to https://docs.hackerone.com/en/articles/8466617-hacker-mediation for when and how to request mediation from HackerOne. \n\nIf you still feel dissatisfied or do not receive a response within 30-60 days, depending on the severity of your report, please escalate to the internal Cloudflare team via bugbounty@cloudflare.com. \n","has_open_scope":true,"pays_within_one_month":false,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Welcome to Cloudflare's public bug bounty program! ","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"MITM or physical access to a user's device\",\"details\":\"Attacks requiring MITM or physical access to a user's device will not be accepted.\"}","{\"category\":\"Content quality issues like broken links, spelling errors etc\",\"details\":\"Reports detailing content quality issues like broken links, spelling errors etc. 
will not be accepted.\"}","{\"category\":\"Clickjacking on pages with no sensitive actions\",\"details\":\"Clickjacking on pages with no sensitive actions will not be accepted.\"}","{\"category\":\"Cloud resource takeovers\",\"details\":\"Cloud resource takeovers will not be accepted.\"}","{\"category\":\"Content spoofing and text injection issues\",\"details\":\"Content spoofing and text injection issues without showing an attack vector, or without being able to modify HTML/CSS will not be accepted.\"}","{\"category\":\"Email configuration issues\",\"details\":\"Email configuration issues without a PoC to demonstrate a specific flaw will not be accepted.\"}","{\"category\":\"Insecure origin server configuration\",\"details\":\"Exploits that require the victim to configure their origin server in an insecure and non-default/uncommon way will not be accepted.\"}","{\"category\":\"Suggestions on configuration documentation\",\"details\":\"Reports detailing missing best practice, configuration or policy suggestions, including SSL/TLS configurations will not be accepted.\"}","{\"category\":\"Lack of “Secure” or “HttpOnly” flag on non-sensitive cookies\",\"details\":\"Reports detailing a lack of “Secure” or “HttpOnly” flag on non-sensitive cookies will not be accepted.\"}","{\"category\":\"Open redirects\",\"details\":\"Reports detailing open redirects will not be accepted.\"}","{\"category\":\"Security tool output without a PoC\",\"details\":\"Output from security tools (such as automated scanners) without a PoC to demonstrate a specific vulnerability will not be accepted.\"}","{\"category\":\"Subdomain takeovers\",\"details\":\"Subdomain takeovers will not be accepted.\"}","{\"category\":\"Unauthenticated logout/login CSRF\",\"details\":\"Unauthenticated logout/login CSRF will not be accepted.\"}","{\"category\":\"Use of previously known vulnerable libraries\",\"details\":\"Use of previously known vulnerable libraries without a working Proof of Concept will not be 
accepted.\"}","{\"category\":\"Vulnerabilities in SaaS applications\",\"details\":\"Vulnerabilities in SaaS applications (unless the vulnerability is a result of a misconfiguration by Cloudflare) will not be accepted.\"}"],"timestamp":"2025-04-28T17:47:59.294Z"},{"id":3754002,"new_policy":"# Our Values\nCloudflare appreciates the work of security researchers and takes security, trust, and transparency seriously. This program was developed to make vulnerability reporting easier and to recognize the efforts of all people striving to help make the Internet a better place.\n\nIf you believe you have found a security vulnerability that could impact Cloudflare or our users, we encourage you to inform us right away. We will investigate all legitimate reports and do our best to quickly fix the problem.\n\n# What we expect from you\nBy participating in this program, you agree to the following program rules and guidelines in addition to HackerOne's [Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines). Failure to follow these rules will lead to disqualification from the Cloudflare Bug Bounty program.\n\n## Program Rules\n* You must make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of Cloudflare’s services and products during your research.\n* All attacks must be executed against your own Cloudflare Account. You can sign up for a free Cloudflare account and use it for testing.\n    * Accounts should be created with a `@wearehackerone.com` email address.\n* Do not perform tests against customers of Cloudflare. \n* Once you find a vulnerability, report it and reach out to us before you use the vulnerability to pivot across multiple in-scope assets.\n* Make sure that scanners have a narrow scope set that is [limited to authorized Cloudflare IPs only](https://cloudflare.com/ips). 
Aggressive, overly broad scans or those which include Cloudflare customer IPs without permission will be considered tests against Cloudflare customers.\n* Do not send unsolicited bulk messages (spam) or unauthorized messages.\n* Do not knowingly post, transmit, upload, link to, or send any program or script that might be considered malicious.\n* If your report is the product of collaboration, please add your collaborators _before the bounty_ is awarded.\n\nAny of the activities below will result in disqualification from the program permanently:\n* Testing against Cloudflare customers, partners, service providers, suppliers, or vendors\n* Social engineering of Cloudflare employees/contractors, including but not limited to: pre-authenticated clickjacking, phishing, impersonating Cloudflare in emails or convincing customer support to do something on behalf of another user\n* Physical attacks against Cloudflare employees/contractors, offices, or data centers\n* Executing Denial of Service attacks against Cloudflare\n\n### Leaked credentials\nCloudflare appreciates researchers who take time to report leaked credentials. If you discover what looks like valid Cloudflare employee, customer or partner credentials, immediately submit a report to Cloudflare who will determine the validity of the leaked credentials. Please do not attempt to verify the validity of the credentials yourself by attempting to authenticate with the credentials. This makes triage more difficult, and will lead to the report being ineligible for a bounty. Additionally, keep in mind that Cloudflare cannot authorize testing against third-parties. **Under no circumstances should you use leaked Cloudflare employee, customer or partner credentials to access non-public information.**\n\n## Submitting a report\nWhen submitting a report, we expect that researchers:\n* Provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Provide a realistic attack scenario including prerequisites for an attack and expected gains after the exploitation.\n    * Reports without such a scenario, with unrealistic assumptions or without meaningful outcomes will not be eligible for reward.\n    * Example: \"invite an attacker account into your organization\".\n* Submit one vulnerability per report, unless you need to chain vulnerabilities in order to demonstrate impact.\n* Do not store any Cloudflare IP or PII information once the report is submitted.\n\nSubmitting high quality reports is highly encouraged and will speed up the triage and award process. Please address the following bits of information in your report to demonstrate the quality of the vulnerability. Reports that are low quality and unclear will be closed. This recommended format will help you create a report that is in a readable format and contains all the information needed by Cloudflare.\n\n* Affected target, feature, or URL\n* Description of a problem\n* Impact of an issue\n* Steps to reproduce or Proof of Concept\n* Is knowledge of this issue currently public?\n\n# What you can expect from us\n\n## Handling of reports\nCloudflare will make best effort to handle reports within the following time frame. Note that all times are in business days.\n\n| First Response | Triage | Bounty | Resolution |\n| --- | --- | --- | --- |\n| 2 days | 2 days (from first response) | 10 days (from triage) | Depends on severity and complexity |\n\n## Rewards\nWhen duplicates occur, we award only the first report that was received, provided that it can be fully reproduced. If multiple vulnerabilities are caused by one underlying issue, we reserve the right to award only one bounty. 
All reward decisions are at the sole discretion of Cloudflare.\n\n### Mergers and acquisitions\nWe encourage and appreciate researchers who report vulnerabilities in new Cloudflare products coming through mergers and acquisitions. However, findings are eligible for rewards at Cloudflare's sole discretion.\n\n## Big Bonanza\nWe're excited to announce an exclusive opportunity for our top-tier talent! Researchers who demonstrate excellence by submitting 2 valid critical severity reports or 4 valid high severity reports can request entry into our prestigious Cloudflare VIP Program.\n\nAs a member of the VIP program, you’ll unlock: \n\n✨ Access to enterprise features!\n✨ Exclusive access to test our cutting-edge Beta products \n✨ Opportunity to participate in special bug bounty campaigns \n✨ Higher bounty payouts and more!\n\nJoin our VIP program and take your bug hunting to the next level!\n\n## Disclosure\nCloudflare strongly supports coordinated disclosure. Our pledge to you, a vulnerability reporter, is to respond promptly and to fix the vulnerability within a sensible timeframe, and in exchange we ask you to coordinate the disclosure with us.\n\nCloudflare aims to resolve all vulnerabilities within 90 days, and we ask you not to disclose the information before that time. If we are not able to uphold that commitment on our end, we will let you know (but the decision whether to publish after the 90 days will be yours).\n\nFor some submissions we might decide not to treat the issue as a vulnerability or not to issue a bounty. Still, we would like you to coordinate the disclosure with us so we are prepared for it.\n\nOften we decide on the payout before the vulnerability is fixed, so the reward is not a payment for your silence. Still, we really want to have a chance to fix the vulnerability before it can be used by a malicious actor. 
For this reason we ask you to let us know about any plans you might have to present your findings in any way (blog posts, articles, conference presentations, etc.).\n\nAt the end of the day, the decision on what to disclose and when to disclose it is yours, and we would like to support you, so feel free to share any drafts of your presentation or article before publishing so we can provide feedback or share it with internal teams.\n\nWe have to mention, however, that any actions done in bad faith might result in excluding malicious reporters from the program or, in the case of disclosing Cloudflare or Cloudflare customers’ information (like PII or other sensitive information), might even force us to take legal action.\n\n# Privacy Policy, Restrictions and Taxes\nCloudflare maintains both a [privacy policy](https://www.cloudflare.com/privacypolicy/) and [transparency report](https://www.cloudflare.com/transparency/). As mentioned in our Privacy Policy, Cloudflare's website and services are not intended for, or designed to attract, individuals under the age of 18. Due to the Children's Online Privacy Protection Act (COPPA), we cannot accept submissions from children under the age of 13. Reporters under the age of 18 will not be eligible to receive Cloudflare service rewards. \n\nThis program is not open to any individual on, or anyone residing in any country on, any U.S. sanctions lists. Cloudflare employees and their family members are not eligible for bounties.\n\nThe decision to pay a reward is entirely at our discretion. You must not violate any law. You are responsible for any tax implications or additional restrictions depending on your country and local law. We reserve the right to cancel this program at any time.\n\n## Mediation\nCloudflare encourages hackers to Request Mediation directly on the report when they feel the program does not honor commitments made on the policy page. 
Please provide as much context and reasoning as possible when requesting mediation. \n\nIf you still feel dissatisfied or do not receive a response within 30-60 days, depending on the severity of your report, please escalate to the internal Cloudflare team via bugbounty@cloudflare.com. \n","has_open_scope":true,"pays_within_one_month":false,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Welcome to Cloudflare's public bug bounty program! ","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"MITM or physical access to a user's device\",\"details\":\"Attacks requiring MITM or physical access to a user's device will not be accepted.\"}","{\"category\":\"Content quality issues like broken links, spelling errors etc\",\"details\":\"Reports detailing content quality issues like broken links, spelling errors etc. will not be accepted.\"}","{\"category\":\"Clickjacking on pages with no sensitive actions\",\"details\":\"Clickjacking on pages with no sensitive actions will not be accepted.\"}","{\"category\":\"Cloud resource takeovers\",\"details\":\"Cloud resource takeovers will not be accepted.\"}","{\"category\":\"Content spoofing and text injection issues\",\"details\":\"Content spoofing and text injection issues without showing an attack vector, or without being able to modify HTML/CSS will not be accepted.\"}","{\"category\":\"Email configuration issues\",\"details\":\"Email configuration issues without a PoC to demonstrate a specific flaw will not be accepted.\"}","{\"category\":\"Insecure origin server configuration\",\"details\":\"Exploits that require the victim to configure their origin server in an insecure and non-default/uncommon way will not be accepted.\"}","{\"category\":\"Suggestions on configuration documentation\",\"details\":\"Reports detailing missing best practice, configuration or policy suggestions, including SSL/TLS 
configurations will not be accepted.\"}","{\"category\":\"Lack of “Secure” or “HttpOnly” flag on non-sensitive cookies\",\"details\":\"Reports detailing a lack of “Secure” or “HttpOnly” flag on non-sensitive cookies will not be accepted.\"}","{\"category\":\"Open redirects\",\"details\":\"Reports detailing open redirects will not be accepted.\"}","{\"category\":\"Security tool output without a PoC\",\"details\":\"Output from security tools (such as automated scanners) without a PoC to demonstrate a specific vulnerability will not be accepted.\"}","{\"category\":\"Subdomain takeovers\",\"details\":\"Subdomain takeovers will not be accepted.\"}","{\"category\":\"Unauthenticated logout/login CSRF\",\"details\":\"Unauthenticated logout/login CSRF will not be accepted.\"}","{\"category\":\"Use of previously known vulnerable libraries\",\"details\":\"Use of previously known vulnerable libraries without a working Proof of Concept will not be accepted.\"}","{\"category\":\"Vulnerabilities in SaaS applications\",\"details\":\"Vulnerabilities in SaaS applications (unless the vulnerability is a result of a misconfiguration by Cloudflare) will not be accepted.\"}"],"timestamp":"2025-04-18T19:21:22.003Z"},{"id":3747133,"new_policy":"# Our Values\nCloudflare appreciates the work of security researchers and takes security, trust, and transparency seriously. This program was developed to make vulnerability reporting easier and to recognize the efforts of all people striving to help make the Internet a better place.\n\nIf you believe you have found a security vulnerability that could impact Cloudflare or our users, we encourage you to inform us right away. We will investigate all legitimate reports and do our best to quickly fix the problem.\n\n# What we expect from you\nBy participating in this program, you agree to the following program rules and guidelines in addition to HackerOne's [Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines). 
Failure to follow these rules will lead to disqualification from the Cloudflare Bug Bounty program.\n\n## Program Rules\n* You must make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of Cloudflare’s services and products during your research.\n* All attacks must be executed against your own Cloudflare Account. You can sign up for a free Cloudflare account and use it for testing.\n    * Accounts should be created with a `@wearehackerone.com` email address.\n* Do not perform tests against customers of Cloudflare. \n* Once you find a vulnerability, report it and reach out to us before you use the vulnerability to pivot across multiple in-scope assets.\n* Make sure that scanners have a narrow scope set that is [limited to authorized Cloudflare IPs only](https://cloudflare.com/ips). Aggressive, overly broad scans or those which include Cloudflare customer IPs without permission will be considered tests against Cloudflare customers.\n* Do not send unsolicited bulk messages (spam) or unauthorized messages.\n* Do not knowingly post, transmit, upload, link to, or send any program or script that might be considered malicious.\n* If your report is the product of collaboration, please add your collaborators _before the bounty_ is awarded.\n\nAny of the activities below will result in disqualification from the program permanently:\n* Testing against Cloudflare customers, partners, service providers, suppliers, or vendors\n* Social engineering of Cloudflare employees/contractors, including but not limited to: pre-authenticated clickjacking, phishing, impersonating Cloudflare in emails or convincing customer support to do something on behalf of another user\n* Physical attacks against Cloudflare employees/contractors, offices, or data centers\n* Executing Denial of Service attacks against Cloudflare\n\n### Leaked credentials\nCloudflare appreciates researchers who take time to report leaked credentials. 
If you discover what looks like valid Cloudflare employee, customer or partner credentials, immediately submit a report to Cloudflare who will determine the validity of the leaked credentials. Please do not attempt to verify the validity of the credentials yourself by attempting to authenticate with the credentials. This makes triage more difficult, and will lead to the report being ineligible for a bounty. Additionally, keep in mind that Cloudflare cannot authorize testing against third-parties. **Under no circumstances should you use leaked Cloudflare employee, customer or partner credentials to access non-public information.**\n\n## Submitting a report\nWhen submitting a report, we expect that researchers:\n* Provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Provide a realistic attack scenario including prerequisites for an attack and expected gains after the exploitation.\n    * Reports without such a scenario, with unrealistic assumptions or without meaningful outcomes will not be eligible for reward.\n    * Example: \"invite an attacker account into your organization\".\n* Submit one vulnerability per report, unless you need to chain vulnerabilities in order to demonstrate impact.\n* Do not store any Cloudflare IP or PII information once the report is submitted.\n\nSubmitting high quality reports is highly encouraged and will speed up the triage and award process. Please address the following bits of information in your report to demonstrate the quality of the vulnerability. Reports that are low quality and unclear will be closed. 
This recommended format will help you create a report that is in a readable format and contains all the information needed by Cloudflare.\n\n* Affected target, feature, or URL\n* Description of a problem\n* Impact of an issue\n* Steps to reproduce or Proof of Concept\n* Is knowledge of this issue currently public?\n\n# What you can expect from us\n\n## Handling of reports\nCloudflare will make best effort to handle reports within the following time frame. Note that all times are in business days.\n\n| First Response | Triage | Bounty | Resolution |\n| --- | --- | --- | --- |\n| 2 days | 2 days (from first response) | 10 days (from triage) | Depends on severity and complexity |\n\n## Rewards\nWhen duplicates occur, we award only the first report that was received, provided that it can be fully reproduced. If multiple vulnerabilities are caused by one underlying issue, we reserve the right to award only one bounty. All reward decisions are at the sole discretion of Cloudflare.\n\n### Mergers and acquisitions\nWe encourage and appreciate researchers who report vulnerabilities in new Cloudflare products coming through mergers and acquisitions. However, findings are eligible for rewards at Cloudflare's sole discretion.\n\n## Big Bonanza\nWe're excited to announce an exclusive opportunity for our top-tier talent! Researchers who demonstrate excellence by submitting 2 valid critical severity reports or 4 valid high severity reports can request entry into our prestigious Cloudflare VIP Program.\n\nAs a member of the VIP program, you’ll unlock: \n\n✨ Access to enterprise features!\n✨ Exclusive access to test our cutting-edge Beta products \n✨ Opportunity to participate in special bug bounty campaigns \n✨ Higher bounty payouts and more!\n\nJoin our VIP program and take your bug hunting to the next level!\n\n## Disclosure\nCloudflare strongly supports coordinated disclosure. 
Our pledge to you, a vulnerability reporter, is to respond promptly and to fix the vulnerability in the sensible timeframe and in exchange we ask you to coordinate the disclosure with us.\n\nCloudflare aims to resolve all the vulnerabilities within the 90 days and we ask you not to disclose the information before that time. If we won’t be able to uphold that commitment on our end, we will let you know (but the decision if you would like to publish after the 90 days will be yours).\n\nFor some of the submissions we might decide not to treat it as vulnerability or not to issue a bounty. Still, we would like you to coordinate the disclosure with us so we are prepared for it.\n\nOften we decide on the payout before the vulnerability is fixed so the reward is not a payment for your silence. Still, we really want to have a chance to fix the vulnerability before it can be used by a malicious actor. For this reason we ask you to let us know about any plans you might have regarding plans to present your findings in any way (like blog posts, articles, conference presentations etc.)\n\nAt the end of the day the decision on what to disclose and when to disclose it is yours and we would like to support you so feel free to share any drafts of your presentation or article before the publishing so we can even provide some feedback or share it with internal teams.\n\nWe have to mention however, that any actions done in bad faith might result in excluding malicious reporters from the program or, in case of disclosing Cloudflare or Cloudflare customers’ information (like PII, or other sensitive information) might even force us to take legal actions.\n\n# Privacy Policy, Restrictions and Taxes\nCloudflare maintains both a [privacy policy](https://www.cloudflare.com/privacypolicy/) and [transparency report](https://www.cloudflare.com/transparency/). 
As mentioned in our Privacy Policy, Cloudflare's website and services are not intended for, or designed to attract individuals under the age of 18. Due to the Children's Online Privacy Protection Act (COPPA), we cannot accept submissions from children under the age of 13. Reporters under the age of 18 will not be eligible to receive Cloudflare service rewards. \n\nThis program is not open to any individual on, or anyone residing in any country on, any U.S. sanctions lists. Cloudflare employees and their family members are not eligible for bounties.\n\nThe decision to pay a reward is entirely at our discretion. You must not violate any law. You are responsible for any tax implications or additional restrictions depending on your country and local law. We reserve the right to cancel this program at any time.\n","has_open_scope":true,"pays_within_one_month":false,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Welcome to Cloudflare's public bug bounty program! ","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"MITM or physical access to a user's device\",\"details\":\"Attacks requiring MITM or physical access to a user's device will not be accepted.\"}","{\"category\":\"Content quality issues like broken links, spelling errors etc\",\"details\":\"Reports detailing content quality issues like broken links, spelling errors etc. 
will not be accepted.\"}","{\"category\":\"Clickjacking on pages with no sensitive actions\",\"details\":\"Clickjacking on pages with no sensitive actions will not be accepted.\"}","{\"category\":\"Cloud resource takeovers\",\"details\":\"Cloud resource takeovers will not be accepted.\"}","{\"category\":\"Content spoofing and text injection issues\",\"details\":\"Content spoofing and text injection issues without showing an attack vector, or without being able to modify HTML/CSS will not be accepted.\"}","{\"category\":\"Email configuration issues\",\"details\":\"Email configuration issues without a PoC to demonstrate a specific flaw will not be accepted.\"}","{\"category\":\"Insecure origin server configuration\",\"details\":\"Exploits that require the victim to configure their origin server in an insecure and non-default/uncommon way will not be accepted.\"}","{\"category\":\"Suggestions on configuration documentation\",\"details\":\"Reports detailing missing best practice, configuration or policy suggestions, including SSL/TLS configurations will not be accepted.\"}","{\"category\":\"Lack of “Secure” or “HttpOnly” flag on non-sensitive cookies\",\"details\":\"Reports detailing a lack of “Secure” or “HttpOnly” flag on non-sensitive cookies will not be accepted.\"}","{\"category\":\"Open redirects\",\"details\":\"Reports detailing open redirects will not be accepted.\"}","{\"category\":\"Security tool output without a PoC\",\"details\":\"Output from security tools (such as automated scanners) without a PoC to demonstrate a specific vulnerability will not be accepted.\"}","{\"category\":\"Subdomain takeovers\",\"details\":\"Subdomain takeovers will not be accepted.\"}","{\"category\":\"Unauthenticated logout/login CSRF\",\"details\":\"Unauthenticated logout/login CSRF will not be accepted.\"}","{\"category\":\"Use of previously known vulnerable libraries\",\"details\":\"Use of previously known vulnerable libraries without a working Proof of Concept will not be 
accepted.\"}","{\"category\":\"Vulnerabilities in SaaS applications\",\"details\":\"Vulnerabilities in SaaS applications (unless the vulnerability is a result of a misconfiguration by Cloudflare) will not be accepted.\"}"],"timestamp":"2024-12-23T20:57:23.466Z"},{"id":3747130,"new_policy":"Hello, bug bounty hunters! 🎯\n\nAs we navigate the holiday season, we’re temporarily slowing down the pace of triaging and awarding bounties. Rest assured, your submissions are safe in our inbox, and we’ll resume active work on them starting January 6th.\n\nPlease note that critical reports, including zero-days, will continue to be prioritized during this time.\n\nThank you for your patience and support! Wishing you safe and happy holidays—we look forward to collaborating with you in the new year. 🐞🔍\n\n-Cloudflare Security\n\n---❄️---❄️---❄️---❄️---❄️---❄️---❄️---❄️---❄️---❄️---❄️---❄️---❄️---❄️---❄️---❄️---❄️---❄️---\n\n# Our Values\nCloudflare appreciates the work of security researchers and takes security, trust, and transparency seriously. This program was developed to make vulnerability reporting easier and to recognize the efforts of all people striving to help make the Internet a better place.\n\nIf you believe you have found a security vulnerability that could impact Cloudflare or our users, we encourage you to inform us right away. We will investigate all legitimate reports and do our best to quickly fix the problem.\n\n# What we expect from you\nBy participating in this program, you agree to the following program rules and guidelines in addition to HackerOne's [Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines). 
Failure to follow these rules will lead to disqualification from the Cloudflare Bug Bounty program.\n\n## Program Rules\n* You must make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of Cloudflare’s services and products during your research.\n* All attacks must be executed against your own Cloudflare Account. You can sign up for a free Cloudflare account and use it for testing.\n    * Accounts should be created with a `@wearehackerone.com` email address.\n* Do not perform tests against customers of Cloudflare. \n* Once you find a vulnerability, report it and reach out to us before you use the vulnerability to pivot across multiple in-scope assets.\n* Make sure that scanners have a narrow scope set that is [limited to authorized Cloudflare IPs only](https://cloudflare.com/ips). Aggressive, overly broad scans or those which include Cloudflare customer IPs without permission will be considered tests against Cloudflare customers.\n* Do not send unsolicited bulk messages (spam) or unauthorized messages.\n* Do not knowingly post, transmit, upload, link to, or send any program or script that might be considered malicious.\n* If your report is the product of collaboration, please add your collaborators _before the bounty_ is awarded.\n\nAny of the activities below will result in disqualification from the program permanently:\n* Testing against Cloudflare customers, partners, service providers, suppliers, or vendors\n* Social engineering of Cloudflare employees/contractors, including but not limited to: pre-authenticated clickjacking, phishing, impersonating Cloudflare in emails or convincing customer support to do something on behalf of another user\n* Physical attacks against Cloudflare employees/contractors, offices, or data centers\n* Executing Denial of Service attacks against Cloudflare\n\n### Leaked credentials\nCloudflare appreciates researchers who take time to report leaked credentials. 
If you discover what looks like valid Cloudflare employee, customer or partner credentials, immediately submit a report to Cloudflare who will determine the validity of the leaked credentials. Please do not attempt to verify the validity of the credentials yourself by attempting to authenticate with the credentials. This makes triage more difficult, and will lead to the report being ineligible for a bounty. Additionally, keep in mind that Cloudflare cannot authorize testing against third-parties. **Under no circumstances should you use leaked Cloudflare employee, customer or partner credentials to access non-public information.**\n\n## Submitting a report\nWhen submitting a report, we expect that researchers:\n* Provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Provide a realistic attack scenario including prerequisites for an attack and expected gains after the exploitation.\n    * Reports without such a scenario, with unrealistic assumptions or without meaningful outcomes will not be eligible for reward.\n    * Example: \"invite an attacker account into your organization\".\n* Submit one vulnerability per report, unless you need to chain vulnerabilities in order to demonstrate impact.\n* Do not store any Cloudflare IP or PII information once the report is submitted.\n\nSubmitting high quality reports is highly encouraged and will speed up the triage and award process. Please address the following bits of information in your report to demonstrate the quality of the vulnerability. Reports that are low quality and unclear will be closed. 
This recommended format will help you create a report that is in a readable format and contains all the information needed by Cloudflare.\n\n* Affected target, feature, or URL\n* Description of a problem\n* Impact of an issue\n* Steps to reproduce or Proof of Concept\n* Is knowledge of this issue currently public?\n\n# What you can expect from us\n\n## Handling of reports\nCloudflare will make best effort to handle reports within the following time frame. Note that all times are in business days.\n\n| First Response | Triage | Bounty | Resolution |\n| --- | --- | --- | --- |\n| 2 days | 2 days (from first response) | 10 days (from triage) | Depends on severity and complexity |\n\n## Rewards\nWhen duplicates occur, we award only the first report that was received, provided that it can be fully reproduced. If multiple vulnerabilities are caused by one underlying issue, we reserve the right to award only one bounty. All reward decisions are at the sole discretion of Cloudflare.\n\n### Mergers and acquisitions\nWe encourage and appreciate researchers who report vulnerabilities in new Cloudflare products coming through mergers and acquisitions. However, findings are eligible for rewards at Cloudflare's sole discretion.\n\n## Big Bonanza\nWe're excited to announce an exclusive opportunity for our top-tier talent! Researchers who demonstrate excellence by submitting 2 valid critical severity reports or 4 valid high severity reports can request entry into our prestigious Cloudflare VIP Program.\n\nAs a member of the VIP program, you’ll unlock: \n\n✨ Access to enterprise features!\n✨ Exclusive access to test our cutting-edge Beta products \n✨ Opportunity to participate in special bug bounty campaigns \n✨ Higher bounty payouts and more!\n\nJoin our VIP program and take your bug hunting to the next level!\n\n## Disclosure\nCloudflare strongly supports coordinated disclosure. 
Our pledge to you, a vulnerability reporter, is to respond promptly and to fix the vulnerability in the sensible timeframe and in exchange we ask you to coordinate the disclosure with us.\n\nCloudflare aims to resolve all the vulnerabilities within the 90 days and we ask you not to disclose the information before that time. If we won’t be able to uphold that commitment on our end, we will let you know (but the decision if you would like to publish after the 90 days will be yours).\n\nFor some of the submissions we might decide not to treat it as vulnerability or not to issue a bounty. Still, we would like you to coordinate the disclosure with us so we are prepared for it.\n\nOften we decide on the payout before the vulnerability is fixed so the reward is not a payment for your silence. Still, we really want to have a chance to fix the vulnerability before it can be used by a malicious actor. For this reason we ask you to let us know about any plans you might have regarding plans to present your findings in any way (like blog posts, articles, conference presentations etc.)\n\nAt the end of the day the decision on what to disclose and when to disclose it is yours and we would like to support you so feel free to share any drafts of your presentation or article before the publishing so we can even provide some feedback or share it with internal teams.\n\nWe have to mention however, that any actions done in bad faith might result in excluding malicious reporters from the program or, in case of disclosing Cloudflare or Cloudflare customers’ information (like PII, or other sensitive information) might even force us to take legal actions.\n\n# Privacy Policy, Restrictions and Taxes\nCloudflare maintains both a [privacy policy](https://www.cloudflare.com/privacypolicy/) and [transparency report](https://www.cloudflare.com/transparency/). 
As mentioned in our Privacy Policy, Cloudflare's website and services are not intended for, or designed to attract individuals under the age of 18. Due to the Children's Online Privacy Protection Act (COPPA), we cannot accept submissions from children under the age of 13. Reporters under the age of 18 will not be eligible to receive Cloudflare service rewards. \n\nThis program is not open to any individual on, or anyone residing in any country on, any U.S. sanctions lists. Cloudflare employees and their family members are not eligible for bounties.\n\nThe decision to pay a reward is entirely at our discretion. You must not violate any law. You are responsible for any tax implications or additional restrictions depending on your country and local law. We reserve the right to cancel this program at any time.\n","has_open_scope":true,"pays_within_one_month":false,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Welcome to Cloudflare's public bug bounty program! ","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"MITM or physical access to a user's device\",\"details\":\"Attacks requiring MITM or physical access to a user's device will not be accepted.\"}","{\"category\":\"Content quality issues like broken links, spelling errors etc\",\"details\":\"Reports detailing content quality issues like broken links, spelling errors etc. 
will not be accepted.\"}","{\"category\":\"Clickjacking on pages with no sensitive actions\",\"details\":\"Clickjacking on pages with no sensitive actions will not be accepted.\"}","{\"category\":\"Cloud resource takeovers\",\"details\":\"Cloud resource takeovers will not be accepted.\"}","{\"category\":\"Content spoofing and text injection issues\",\"details\":\"Content spoofing and text injection issues without showing an attack vector, or without being able to modify HTML/CSS will not be accepted.\"}","{\"category\":\"Email configuration issues\",\"details\":\"Email configuration issues without a PoC to demonstrate a specific flaw will not be accepted.\"}","{\"category\":\"Insecure origin server configuration\",\"details\":\"Exploits that require the victim to configure their origin server in an insecure and non-default/uncommon way will not be accepted.\"}","{\"category\":\"Suggestions on configuration documentation\",\"details\":\"Reports detailing missing best practice, configuration or policy suggestions, including SSL/TLS configurations will not be accepted.\"}","{\"category\":\"Lack of “Secure” or “HttpOnly” flag on non-sensitive cookies\",\"details\":\"Reports detailing a lack of “Secure” or “HttpOnly” flag on non-sensitive cookies will not be accepted.\"}","{\"category\":\"Open redirects\",\"details\":\"Reports detailing open redirects will not be accepted.\"}","{\"category\":\"Security tool output without a PoC\",\"details\":\"Output from security tools (such as automated scanners) without a PoC to demonstrate a specific vulnerability will not be accepted.\"}","{\"category\":\"Subdomain takeovers\",\"details\":\"Subdomain takeovers will not be accepted.\"}","{\"category\":\"Unauthenticated logout/login CSRF\",\"details\":\"Unauthenticated logout/login CSRF will not be accepted.\"}","{\"category\":\"Use of previously known vulnerable libraries\",\"details\":\"Use of previously known vulnerable libraries without a working Proof of Concept will not be 
accepted.\"}","{\"category\":\"Vulnerabilities in SaaS applications\",\"details\":\"Vulnerabilities in SaaS applications (unless the vulnerability is a result of a misconfiguration by Cloudflare) will not be accepted.\"}"],"timestamp":"2024-12-23T20:44:48.980Z"},{"id":3747127,"new_policy":"Hello, bug bounty hunters! 🎯\nAs we navigate the holiday season, we’re temporarily slowing down the pace of triaging and awarding bounties. Rest assured, your submissions are safe in our inbox, and we’ll resume active work on them starting January 6th.\nPlease note that critical reports, including zero-days, will continue to be prioritized during this time.\nThank you for your patience and support! Wishing you safe and happy holidays—we look forward to collaborating with you in the new year. 🐞🔍\n-Cloudflare Security\n\n---❄️---❄️---❄️---❄️---❄️---❄️---❄️---❄️---❄️---❄️---❄️---❄️---❄️---❄️---❄️---❄️---❄️---❄️---\n\n# Our Values\nCloudflare appreciates the work of security researchers and takes security, trust, and transparency seriously. This program was developed to make vulnerability reporting easier and to recognize the efforts of all people striving to help make the Internet a better place.\n\nIf you believe you have found a security vulnerability that could impact Cloudflare or our users, we encourage you to inform us right away. We will investigate all legitimate reports and do our best to quickly fix the problem.\n\n# What we expect from you\nBy participating in this program, you agree to the following program rules and guidelines in addition to HackerOne's [Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines). 
Failure to follow these rules will lead to disqualification from the Cloudflare Bug Bounty program.\n\n## Program Rules\n* You must make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of Cloudflare’s services and products during your research.\n* All attacks must be executed against your own Cloudflare Account. You can sign up for a free Cloudflare account and use it for testing.\n    * Accounts should be created with a `@wearehackerone.com` email address.\n* Do not perform tests against customers of Cloudflare. \n* Once you find a vulnerability, report it and reach out to us before you use the vulnerability to pivot across multiple in-scope assets.\n* Make sure that scanners have a narrow scope set that is [limited to authorized Cloudflare IPs only](https://cloudflare.com/ips). Aggressive, overly broad scans or those which include Cloudflare customer IPs without permission will be considered tests against Cloudflare customers.\n* Do not send unsolicited bulk messages (spam) or unauthorized messages.\n* Do not knowingly post, transmit, upload, link to, or send any program or script that might be considered malicious.\n* If your report is the product of collaboration, please add your collaborators _before the bounty_ is awarded.\n\nAny of the activities below will result in disqualification from the program permanently:\n* Testing against Cloudflare customers, partners, service providers, suppliers, or vendors\n* Social engineering of Cloudflare employees/contractors, including but not limited to: pre-authenticated clickjacking, phishing, impersonating Cloudflare in emails or convincing customer support to do something on behalf of another user\n* Physical attacks against Cloudflare employees/contractors, offices, or data centers\n* Executing Denial of Service attacks against Cloudflare\n\n### Leaked credentials\nCloudflare appreciates researchers who take time to report leaked credentials. 
If you discover what looks like valid Cloudflare employee, customer or partner credentials, immediately submit a report to Cloudflare who will determine the validity of the leaked credentials. Please do not attempt to verify the validity of the credentials yourself by attempting to authenticate with the credentials. This makes triage more difficult, and will lead to the report being ineligible for a bounty. Additionally, keep in mind that Cloudflare cannot authorize testing against third-parties. **Under no circumstances should you use leaked Cloudflare employee, customer or partner credentials to access non-public information.**\n\n## Submitting a report\nWhen submitting a report, we expect that researchers:\n* Provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Provide a realistic attack scenario including prerequisites for an attack and expected gains after the exploitation.\n    * Reports without such a scenario, with unrealistic assumptions or without meaningful outcomes will not be eligible for reward.\n    * Example: \"invite an attacker account into your organization\".\n* Submit one vulnerability per report, unless you need to chain vulnerabilities in order to demonstrate impact.\n* Do not store any Cloudflare IP or PII information once the report is submitted.\n\nSubmitting high quality reports is highly encouraged and will speed up the triage and award process. Please address the following bits of information in your report to demonstrate the quality of the vulnerability. Reports that are low quality and unclear will be closed. 
This recommended format will help you create a report that is in a readable format and contains all the information needed by Cloudflare.\n\n* Affected target, feature, or URL\n* Description of a problem\n* Impact of an issue\n* Steps to reproduce or Proof of Concept\n* Is knowledge of this issue currently public?\n\n# What you can expect from us\n\n## Handling of reports\nCloudflare will make best effort to handle reports within the following time frame. Note that all times are in business days.\n\n| First Response | Triage | Bounty | Resolution |\n| --- | --- | --- | --- |\n| 2 days | 2 days (from first response) | 10 days (from triage) | Depends on severity and complexity |\n\n## Rewards\nWhen duplicates occur, we award only the first report that was received, provided that it can be fully reproduced. If multiple vulnerabilities are caused by one underlying issue, we reserve the right to award only one bounty. All reward decisions are at the sole discretion of Cloudflare.\n\n### Mergers and acquisitions\nWe encourage and appreciate researchers who report vulnerabilities in new Cloudflare products coming through mergers and acquisitions. However, findings are eligible for rewards at Cloudflare's sole discretion.\n\n## Big Bonanza\nWe're excited to announce an exclusive opportunity for our top-tier talent! Researchers who demonstrate excellence by submitting 2 valid critical severity reports or 4 valid high severity reports can request entry into our prestigious Cloudflare VIP Program.\n\nAs a member of the VIP program, you’ll unlock: \n\n✨ Access to enterprise features!\n✨ Exclusive access to test our cutting-edge Beta products \n✨ Opportunity to participate in special bug bounty campaigns \n✨ Higher bounty payouts and more!\n\nJoin our VIP program and take your bug hunting to the next level!\n\n## Disclosure\nCloudflare strongly supports coordinated disclosure. 
Our pledge to you, a vulnerability reporter, is to respond promptly and to fix the vulnerability in the sensible timeframe and in exchange we ask you to coordinate the disclosure with us.\n\nCloudflare aims to resolve all the vulnerabilities within the 90 days and we ask you not to disclose the information before that time. If we won’t be able to uphold that commitment on our end, we will let you know (but the decision if you would like to publish after the 90 days will be yours).\n\nFor some of the submissions we might decide not to treat it as vulnerability or not to issue a bounty. Still, we would like you to coordinate the disclosure with us so we are prepared for it.\n\nOften we decide on the payout before the vulnerability is fixed so the reward is not a payment for your silence. Still, we really want to have a chance to fix the vulnerability before it can be used by a malicious actor. For this reason we ask you to let us know about any plans you might have regarding plans to present your findings in any way (like blog posts, articles, conference presentations etc.)\n\nAt the end of the day the decision on what to disclose and when to disclose it is yours and we would like to support you so feel free to share any drafts of your presentation or article before the publishing so we can even provide some feedback or share it with internal teams.\n\nWe have to mention however, that any actions done in bad faith might result in excluding malicious reporters from the program or, in case of disclosing Cloudflare or Cloudflare customers’ information (like PII, or other sensitive information) might even force us to take legal actions.\n\n# Privacy Policy, Restrictions and Taxes\nCloudflare maintains both a [privacy policy](https://www.cloudflare.com/privacypolicy/) and [transparency report](https://www.cloudflare.com/transparency/). 
As mentioned in our Privacy Policy, Cloudflare's website and services are not intended for, or designed to attract individuals under the age of 18. Due to the Children's Online Privacy Protection Act (COPPA), we cannot accept submissions from children under the age of 13. Reporters under the age of 18 will not be eligible to receive Cloudflare service rewards. \n\nThis program is not open to any individual on, or anyone residing in any country on, any U.S. sanctions lists. Cloudflare employees and their family members are not eligible for bounties.\n\nThe decision to pay a reward is entirely at our discretion. You must not violate any law. You are responsible for any tax implications or additional restrictions depending on your country and local law. We reserve the right to cancel this program at any time.\n","has_open_scope":true,"pays_within_one_month":false,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Welcome to Cloudflare's public bug bounty program! ","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"MITM or physical access to a user's device\",\"details\":\"Attacks requiring MITM or physical access to a user's device will not be accepted.\"}","{\"category\":\"Content quality issues like broken links, spelling errors etc\",\"details\":\"Reports detailing content quality issues like broken links, spelling errors etc. 
will not be accepted.\"}","{\"category\":\"Clickjacking on pages with no sensitive actions\",\"details\":\"Clickjacking on pages with no sensitive actions will not be accepted.\"}","{\"category\":\"Cloud resource takeovers\",\"details\":\"Cloud resource takeovers will not be accepted.\"}","{\"category\":\"Content spoofing and text injection issues\",\"details\":\"Content spoofing and text injection issues without showing an attack vector, or without being able to modify HTML/CSS will not be accepted.\"}","{\"category\":\"Email configuration issues\",\"details\":\"Email configuration issues without a PoC to demonstrate a specific flaw will not be accepted.\"}","{\"category\":\"Insecure origin server configuration\",\"details\":\"Exploits that require the victim to configure their origin server in an insecure and non-default/uncommon way will not be accepted.\"}","{\"category\":\"Suggestions on configuration documentation\",\"details\":\"Reports detailing missing best practice, configuration or policy suggestions, including SSL/TLS configurations will not be accepted.\"}","{\"category\":\"Lack of “Secure” or “HttpOnly” flag on non-sensitive cookies\",\"details\":\"Reports detailing a lack of “Secure” or “HttpOnly” flag on non-sensitive cookies will not be accepted.\"}","{\"category\":\"Open redirects\",\"details\":\"Reports detailing open redirects will not be accepted.\"}","{\"category\":\"Security tool output without a PoC\",\"details\":\"Output from security tools (such as automated scanners) without a PoC to demonstrate a specific vulnerability will not be accepted.\"}","{\"category\":\"Subdomain takeovers\",\"details\":\"Subdomain takeovers will not be accepted.\"}","{\"category\":\"Unauthenticated logout/login CSRF\",\"details\":\"Unauthenticated logout/login CSRF will not be accepted.\"}","{\"category\":\"Use of previously known vulnerable libraries\",\"details\":\"Use of previously known vulnerable libraries without a working Proof of Concept will not be 
accepted.\"}","{\"category\":\"Vulnerabilities in SaaS applications\",\"details\":\"Vulnerabilities in SaaS applications (unless the vulnerability is a result of a misconfiguration by Cloudflare) will not be accepted.\"}"],"timestamp":"2024-12-23T20:37:59.871Z"},{"id":3746456,"new_policy":"# Our Values\nCloudflare appreciates the work of security researchers and takes security, trust, and transparency seriously. This program was developed to make vulnerability reporting easier and to recognize the efforts of all people striving to help make the Internet a better place.\n\nIf you believe you have found a security vulnerability that could impact Cloudflare or our users, we encourage you to inform us right away. We will investigate all legitimate reports and do our best to quickly fix the problem.\n\n# What we expect from you\nBy participating in this program, you agree to the following program rules and guidelines in addition to HackerOne's [Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines). Failure to follow these rules will lead to disqualification from the Cloudflare Bug Bounty program.\n\n## Program Rules\n* You must make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of Cloudflare’s services and products during your research.\n* All attacks must be executed against your own Cloudflare Account. You can sign up for a free Cloudflare account and use it for testing.\n    * Accounts should be created with a `@wearehackerone.com` email address.\n* Do not perform tests against customers of Cloudflare. \n* Once you find a vulnerability, report it and reach out to us before you use the vulnerability to pivot across multiple in-scope assets.\n* Make sure that scanners have a narrow scope set that is [limited to authorized Cloudflare IPs only](https://cloudflare.com/ips). 
Aggressive, overly broad scans or those which include Cloudflare customer IPs without permission will be considered tests against Cloudflare customers.\n* Do not send unsolicited bulk messages (spam) or unauthorized messages.\n* Do not knowingly post, transmit, upload, link to, or send any program or script that might be considered malicious.\n* If your report is the product of collaboration, please add your collaborators _before the bounty_ is awarded.\n\nAny of the activities below will result in disqualification from the program permanently:\n* Testing against Cloudflare customers, partners, service providers, suppliers, or vendors\n* Social engineering of Cloudflare employees/contractors, including but not limited to: pre-authenticated clickjacking, phishing, impersonating Cloudflare in emails or convincing customer support to do something on behalf of another user\n* Physical attacks against Cloudflare employees/contractors, offices, or data centers\n* Executing Denial of Service attacks against Cloudflare\n\n### Leaked credentials\nCloudflare appreciates researchers who take time to report leaked credentials. If you discover what looks like valid Cloudflare employee, customer or partner credentials, immediately submit a report to Cloudflare who will determine the validity of the leaked credentials. Please do not attempt to verify the validity of the credentials yourself by attempting to authenticate with the credentials. This makes triage more difficult, and will lead to the report being ineligible for a bounty. Additionally, keep in mind that Cloudflare cannot authorize testing against third-parties. **Under no circumstances should you use leaked Cloudflare employee, customer or partner credentials to access non-public information.**\n\n## Submitting a report\nWhen submitting a report, we expect that researchers:\n* Provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Provide a realistic attack scenario including prerequisites for an attack and expected gains after the exploitation.\n    * Reports without such a scenario, with unrealistic assumptions or without meaningful outcomes will not be eligible for reward.\n    * Example: \"invite an attacker account into your organization\".\n* Submit one vulnerability per report, unless you need to chain vulnerabilities in order to demonstrate impact.\n* Do not store any Cloudflare IP or PII information once the report is submitted.\n\nSubmitting high quality reports is highly encouraged and will speed up the triage and award process. Please address the following bits of information in your report to demonstrate the quality of the vulnerability. Reports that are low quality and unclear will be closed. This recommended format will help you create a report that is in a readable format and contains all the information needed by Cloudflare.\n\n* Affected target, feature, or URL\n* Description of a problem\n* Impact of an issue\n* Steps to reproduce or Proof of Concept\n* Is knowledge of this issue currently public?\n\n# What you can expect from us\n\n## Handling of reports\nCloudflare will make best effort to handle reports within the following time frame. Note that all times are in business days.\n\n| First Response | Triage | Bounty | Resolution |\n| --- | --- | --- | --- |\n| 2 days | 2 days (from first response) | 10 days (from triage) | Depends on severity and complexity |\n\n## Rewards\nWhen duplicates occur, we award only the first report that was received, provided that it can be fully reproduced. If multiple vulnerabilities are caused by one underlying issue, we reserve the right to award only one bounty. 
All reward decisions are at the sole discretion of Cloudflare.\n\n### Mergers and acquisitions\nWe encourage and appreciate researchers who report vulnerabilities in new Cloudflare products coming through mergers and acquisitions. However, findings are eligible for rewards at Cloudflare's sole discretion.\n\n## Big Bonanza\nWe're excited to announce an exclusive opportunity for our top-tier talent! Researchers who demonstrate excellence by submitting 2 valid critical severity reports or 4 valid high severity reports can request entry into our prestigious Cloudflare VIP Program.\n\nAs a member of the VIP program, you’ll unlock: \n\n✨ Access to enterprise features!\n✨ Exclusive access to test our cutting-edge Beta products \n✨ Opportunity to participate in special bug bounty campaigns \n✨ Higher bounty payouts and more!\n\nJoin our VIP program and take your bug hunting to the next level!\n\n## Disclosure\nCloudflare strongly supports coordinated disclosure. Our pledge to you, a vulnerability reporter, is to respond promptly and to fix the vulnerability in a sensible timeframe; in exchange we ask you to coordinate the disclosure with us.\n\nCloudflare aims to resolve all vulnerabilities within 90 days and we ask you not to disclose the information before that time. If we are unable to uphold that commitment on our end, we will let you know (but the decision whether to publish after the 90 days will be yours).\n\nFor some submissions we might decide not to treat the issue as a vulnerability or not to issue a bounty. Still, we would like you to coordinate the disclosure with us so we are prepared for it.\n\nOften we decide on the payout before the vulnerability is fixed, so the reward is not a payment for your silence. Still, we really want to have a chance to fix the vulnerability before it can be used by a malicious actor. 
For this reason we ask you to let us know about any plans you might have to present your findings in any way (blog posts, articles, conference presentations, etc.).\n\nAt the end of the day the decision on what to disclose and when to disclose it is yours, and we would like to support you, so feel free to share any drafts of your presentation or article before publishing so we can provide feedback or share it with internal teams.\n\nWe have to mention, however, that any actions done in bad faith might result in excluding malicious reporters from the program or, in the case of disclosing Cloudflare or Cloudflare customers’ information (such as PII or other sensitive information), might even force us to take legal action.\n\n# Privacy Policy, Restrictions and Taxes\nCloudflare maintains both a [privacy policy](https://www.cloudflare.com/privacypolicy/) and [transparency report](https://www.cloudflare.com/transparency/). As mentioned in our Privacy Policy, Cloudflare's website and services are not intended for, or designed to attract individuals under the age of 18. Due to the Children's Online Privacy Protection Act (COPPA), we cannot accept submissions from children under the age of 13. Reporters under the age of 18 will not be eligible to receive Cloudflare service rewards. \n\nThis program is not open to any individual on, or anyone residing in any country on, any U.S. sanctions lists. Cloudflare employees and their family members are not eligible for bounties.\n\nThe decision to pay a reward is entirely at our discretion. You must not violate any law. You are responsible for any tax implications or additional restrictions depending on your country and local law. 
We reserve the right to cancel this program at any time.\n","has_open_scope":true,"pays_within_one_month":false,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Welcome to Cloudflare's public bug bounty program! ","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"MITM or physical access to a user's device\",\"details\":\"Attacks requiring MITM or physical access to a user's device will not be accepted.\"}","{\"category\":\"Content quality issues like broken links, spelling errors etc\",\"details\":\"Reports detailing content quality issues like broken links, spelling errors etc. will not be accepted.\"}","{\"category\":\"Clickjacking on pages with no sensitive actions\",\"details\":\"Clickjacking on pages with no sensitive actions will not be accepted.\"}","{\"category\":\"Cloud resource takeovers\",\"details\":\"Cloud resource takeovers will not be accepted.\"}","{\"category\":\"Content spoofing and text injection issues\",\"details\":\"Content spoofing and text injection issues without showing an attack vector, or without being able to modify HTML/CSS will not be accepted.\"}","{\"category\":\"Email configuration issues\",\"details\":\"Email configuration issues without a PoC to demonstrate a specific flaw will not be accepted.\"}","{\"category\":\"Insecure origin server configuration\",\"details\":\"Exploits that require the victim to configure their origin server in an insecure and non-default/uncommon way will not be accepted.\"}","{\"category\":\"Suggestions on configuration documentation\",\"details\":\"Reports detailing missing best practice, configuration or policy suggestions, including SSL/TLS configurations will not be accepted.\"}","{\"category\":\"Lack of “Secure” or “HttpOnly” flag on non-sensitive cookies\",\"details\":\"Reports detailing a lack of “Secure” or “HttpOnly” flag on non-sensitive cookies will not be 
accepted.\"}","{\"category\":\"Open redirects\",\"details\":\"Reports detailing open redirects will not be accepted.\"}","{\"category\":\"Security tool output without a PoC\",\"details\":\"Output from security tools (such as automated scanners) without a PoC to demonstrate a specific vulnerability will not be accepted.\"}","{\"category\":\"Subdomain takeovers\",\"details\":\"Subdomain takeovers will not be accepted.\"}","{\"category\":\"Unauthenticated logout/login CSRF\",\"details\":\"Unauthenticated logout/login CSRF will not be accepted.\"}","{\"category\":\"Use of previously known vulnerable libraries\",\"details\":\"Use of previously known vulnerable libraries without a working Proof of Concept will not be accepted.\"}","{\"category\":\"Vulnerabilities in SaaS applications\",\"details\":\"Vulnerabilities in SaaS applications (unless the vulnerability is a result of a misconfiguration by Cloudflare) will not be accepted.\"}"],"timestamp":"2024-12-12T10:28:03.023Z"},{"id":3742601,"new_policy":"# Our Values\nCloudflare appreciates the work of security researchers and takes security, trust, and transparency seriously. This program was developed to make vulnerability reporting easier and to recognize the efforts of all people striving to help make the Internet a better place.\n\nIf you believe you have found a security vulnerability that could impact Cloudflare or our users, we encourage you to inform us right away. We will investigate all legitimate reports and do our best to quickly fix the problem.\n\n# What we expect from you\nBy participating in this program, you agree to the following program rules and guidelines in addition to HackerOne's [Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines). 
Failure to follow these rules will lead to disqualification from the Cloudflare Bug Bounty program.\n\n## Program Rules\n* You must make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of Cloudflare’s services and products during your research.\n* All attacks must be executed against your own Cloudflare Account. You can sign up for a free Cloudflare account and use it for testing.\n    * Accounts should be created with a `@wearehackerone.com` email address.\n* Do not perform tests against customers of Cloudflare. \n* Once you find a vulnerability, report it and reach out to us before you use the vulnerability to pivot across multiple in-scope assets.\n* Make sure that scanners have a narrow scope set that is [limited to authorized Cloudflare IPs only](https://cloudflare.com/ips). Aggressive, overly broad scans or those which include Cloudflare customer IPs without permission will be considered tests against Cloudflare customers.\n* Do not send unsolicited bulk messages (spam) or unauthorized messages.\n* Do not knowingly post, transmit, upload, link to, or send any program or script that might be considered malicious.\n* If your report is the product of collaboration, please add your collaborators _before the bounty_ is awarded.\n\nAny of the activities below will result in disqualification from the program permanently:\n* Testing against Cloudflare customers, partners, service providers, suppliers, or vendors\n* Social engineering of Cloudflare employees/contractors, including but not limited to: pre-authenticated clickjacking, phishing, impersonating Cloudflare in emails or convincing customer support to do something on behalf of another user\n* Physical attacks against Cloudflare employees/contractors, offices, or data centers\n* Executing Denial of Service attacks against Cloudflare\n\n### Leaked credentials\nCloudflare appreciates researchers who take time to report leaked credentials. 
If you discover what looks like valid Cloudflare employee, customer or partner credentials, immediately submit a report to Cloudflare who will determine the validity of the leaked credentials. Please do not attempt to verify the validity of the credentials yourself by attempting to authenticate with the credentials. This makes triage more difficult, and will lead to the report being ineligible for a bounty. Additionally, keep in mind that Cloudflare cannot authorize testing against third-parties. **Under no circumstances should you use leaked Cloudflare employee, customer or partner credentials to access non-public information.**\n\n## Submitting a report\nWhen submitting a report, we expect that researchers:\n* Provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Provide a realistic attack scenario including prerequisites for an attack and expected gains after the exploitation.\n    * Reports without such a scenario, with unrealistic assumptions or without meaningful outcomes will not be eligible for reward.\n    * Example: \"invite an attacker account into your organization\".\n* Submit one vulnerability per report, unless you need to chain vulnerabilities in order to demonstrate impact.\n* Do not store any Cloudflare IP or PII information once the report is submitted.\n\nSubmitting high quality reports is highly encouraged and will speed up the triage and award process. Please address the following bits of information in your report to demonstrate the quality of the vulnerability. Reports that are low quality and unclear will be closed. 
This recommended format will help you create a report that is in a readable format and contains all the information needed by Cloudflare.\n\n* Affected target, feature, or URL\n* Description of a problem\n* Impact of an issue\n* Steps to reproduce or Proof of Concept\n* Is knowledge of this issue currently public?\n\n# What you can expect from us\n\n## Handling of reports\nCloudflare will make best effort to handle reports within the following time frame. Note that all times are in business days.\n\n| First Response | Triage | Bounty | Resolution |\n| --- | --- | --- | --- |\n| 2 days | 2 days (from first response) | 10 days (from triage) | Depends on severity and complexity |\n\n## Rewards\nWhen duplicates occur, we award only the first report that was received, provided that it can be fully reproduced. If multiple vulnerabilities are caused by one underlying issue, we reserve the right to award only one bounty. All reward decisions are at the sole discretion of Cloudflare.\n\n## Big Bonanza\nWe're excited to announce an exclusive opportunity for our top-tier talent! Researchers who demonstrate excellence by submitting 2 valid critical severity reports or 4 valid high severity reports can request entry into our prestigious Cloudflare VIP Program.\n\nAs a member of the VIP program, you’ll unlock: \n\n✨ Access to enterprise features!\n✨ Exclusive access to test our cutting-edge Beta products \n✨ Opportunity to participate in special bug bounty campaigns \n✨ Higher bounty payouts and more!\n\nJoin our VIP program and take your bug hunting to the next level!\n\n## Disclosure\nCloudflare strongly supports coordinated disclosure. Our pledge to you, a vulnerability reporter, is to respond promptly and to fix the vulnerability in a sensible timeframe; in exchange we ask you to coordinate the disclosure with us.\n\nCloudflare aims to resolve all vulnerabilities within 90 days and we ask you not to disclose the information before that time. 
If we are unable to uphold that commitment on our end, we will let you know (but the decision whether to publish after the 90 days will be yours).\n\nFor some submissions we might decide not to treat the issue as a vulnerability or not to issue a bounty. Still, we would like you to coordinate the disclosure with us so we are prepared for it.\n\nOften we decide on the payout before the vulnerability is fixed, so the reward is not a payment for your silence. Still, we really want to have a chance to fix the vulnerability before it can be used by a malicious actor. For this reason we ask you to let us know about any plans you might have to present your findings in any way (blog posts, articles, conference presentations, etc.).\n\nAt the end of the day the decision on what to disclose and when to disclose it is yours, and we would like to support you, so feel free to share any drafts of your presentation or article before publishing so we can provide feedback or share it with internal teams.\n\nWe have to mention, however, that any actions done in bad faith might result in excluding malicious reporters from the program or, in the case of disclosing Cloudflare or Cloudflare customers’ information (such as PII or other sensitive information), might even force us to take legal action.\n\n# Privacy Policy, Restrictions and Taxes\nCloudflare maintains both a [privacy policy](https://www.cloudflare.com/privacypolicy/) and [transparency report](https://www.cloudflare.com/transparency/). As mentioned in our Privacy Policy, Cloudflare's website and services are not intended for, or designed to attract individuals under the age of 18. Due to the Children's Online Privacy Protection Act (COPPA), we cannot accept submissions from children under the age of 13. Reporters under the age of 18 will not be eligible to receive Cloudflare service rewards. \n\nThis program is not open to any individual on, or anyone residing in any country on, any U.S. 
sanctions lists. Cloudflare employees and their family members are not eligible for bounties.\n\nThe decision to pay a reward is entirely at our discretion. You must not violate any law. You are responsible for any tax implications or additional restrictions depending on your country and local law. We reserve the right to cancel this program at any time.\n","has_open_scope":true,"pays_within_one_month":false,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Welcome to Cloudflare's public bug bounty program! ","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"MITM or physical access to a user's device\",\"details\":\"Attacks requiring MITM or physical access to a user's device will not be accepted.\"}","{\"category\":\"Content quality issues like broken links, spelling errors etc\",\"details\":\"Reports detailing content quality issues like broken links, spelling errors etc. 
will not be accepted.\"}","{\"category\":\"Clickjacking on pages with no sensitive actions\",\"details\":\"Clickjacking on pages with no sensitive actions will not be accepted.\"}","{\"category\":\"Cloud resource takeovers\",\"details\":\"Cloud resource takeovers will not be accepted.\"}","{\"category\":\"Content spoofing and text injection issues\",\"details\":\"Content spoofing and text injection issues without showing an attack vector, or without being able to modify HTML/CSS will not be accepted.\"}","{\"category\":\"Email configuration issues\",\"details\":\"Email configuration issues without a PoC to demonstrate a specific flaw will not be accepted.\"}","{\"category\":\"Insecure origin server configuration\",\"details\":\"Exploits that require the victim to configure their origin server in an insecure and non-default/uncommon way will not be accepted.\"}","{\"category\":\"Suggestions on configuration documentation\",\"details\":\"Reports detailing missing best practice, configuration or policy suggestions, including SSL/TLS configurations will not be accepted.\"}","{\"category\":\"Lack of “Secure” or “HttpOnly” flag on non-sensitive cookies\",\"details\":\"Reports detailing a lack of “Secure” or “HttpOnly” flag on non-sensitive cookies will not be accepted.\"}","{\"category\":\"Open redirects\",\"details\":\"Reports detailing open redirects will not be accepted.\"}","{\"category\":\"Security tool output without a PoC\",\"details\":\"Output from security tools (such as automated scanners) without a PoC to demonstrate a specific vulnerability will not be accepted.\"}","{\"category\":\"Subdomain takeovers\",\"details\":\"Subdomain takeovers will not be accepted.\"}","{\"category\":\"Unauthenticated logout/login CSRF\",\"details\":\"Unauthenticated logout/login CSRF will not be accepted.\"}","{\"category\":\"Use of previously known vulnerable libraries\",\"details\":\"Use of previously known vulnerable libraries without a working Proof of Concept will not be 
accepted.\"}","{\"category\":\"Vulnerabilities in SaaS applications\",\"details\":\"Vulnerabilities in SaaS applications (unless the vulnerability is a result of a misconfiguration by Cloudflare) will not be accepted.\"}"],"timestamp":"2024-10-21T22:56:18.021Z"},{"id":3741224,"new_policy":"# Our Values\nCloudflare appreciates the work of security researchers and takes security, trust, and transparency seriously. This program was developed to make vulnerability reporting easier and to recognize the efforts of all people striving to help make the Internet a better place.\n\nIf you believe you have found a security vulnerability that could impact Cloudflare or our users, we encourage you to inform us right away. We will investigate all legitimate reports and do our best to quickly fix the problem.\n\n# What we expect from you\nBy participating in this program, you agree to the following program rules and guidelines in addition to HackerOne's [Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines). Failure to follow these rules will lead to disqualification from the Cloudflare Bug Bounty program.\n\n## Program Rules\n* You must make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of Cloudflare’s services and products during your research.\n* All attacks must be executed against your own Cloudflare Account. You can sign up for a free Cloudflare account and use it for testing.\n    * Accounts should be created with a `@wearehackerone.com` email address.\n* Do not perform tests against customers of Cloudflare. \n* Once you find a vulnerability, report it and reach out to us before you use the vulnerability to pivot across multiple in-scope assets.\n* Make sure that scanners have a narrow scope set that is [limited to authorized Cloudflare IPs only](https://cloudflare.com/ips). 
Aggressive, overly broad scans or those which include Cloudflare customer IPs without permission will be considered tests against Cloudflare customers.\n* Do not send unsolicited bulk messages (spam) or unauthorized messages.\n* Do not knowingly post, transmit, upload, link to, or send any program or script that might be considered malicious.\n* If your report is the product of collaboration, please add your collaborators _before the bounty_ is awarded.\n\nAny of the activities below will result in disqualification from the program permanently:\n* Testing against Cloudflare customers, partners, service providers, suppliers, or vendors\n* Social engineering of Cloudflare employees/contractors, including but not limited to: pre-authenticated clickjacking, phishing, impersonating Cloudflare in emails or convincing customer support to do something on behalf of another user\n* Physical attacks against Cloudflare employees/contractors, offices, or data centers\n* Executing Denial of Service attacks against Cloudflare\n\n### Leaked credentials\nCloudflare appreciates researchers who take time to report leaked credentials. If you discover what looks like valid Cloudflare employee, customer or partner credentials, immediately submit a report to Cloudflare who will determine the validity of the leaked credentials. Please do not attempt to verify the validity of the credentials yourself by attempting to authenticate with the credentials. This makes triage more difficult, and will lead to the report being ineligible for a bounty. Additionally, keep in mind that Cloudflare cannot authorize testing against third-parties. **Under no circumstances should you use leaked Cloudflare employee, customer or partner credentials to access non-public information.**\n\n## Submitting a report\nWhen submitting a report, we expect that researchers:\n* Provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Provide a realistic attack scenario including prerequisites for an attack and expected gains after the exploitation.\n    * Reports without such a scenario, with unrealistic assumptions or without meaningful outcomes will not be eligible for reward.\n    * Example: \"invite an attacker account into your organization\".\n* Submit one vulnerability per report, unless you need to chain vulnerabilities in order to demonstrate impact.\n* Do not store any Cloudflare IP or PII information once the report is submitted.\n\nSubmitting high quality reports is highly encouraged and will speed up the triage and award process. Please address the following bits of information in your report to demonstrate the quality of the vulnerability. Reports that are low quality and unclear will be closed. This recommended format will help you create a report that is in a readable format and contains all the information needed by Cloudflare.\n\n* Affected target, feature, or URL\n* Description of a problem\n* Impact of an issue\n* Steps to reproduce or Proof of Concept\n* Is knowledge of this issue currently public?\n\n# What you can expect from us\n\n## Handling of reports\nCloudflare will make best effort to handle reports within the following time frame. Note that all times are in business days.\n\n| First Response | Triage | Bounty | Resolution |\n| --- | --- | --- | --- |\n| 2 days | 2 days (from first response) | 10 days (from triage) | Depends on severity and complexity |\n\n## Rewards\nWhen duplicates occur, we award only the first report that was received, provided that it can be fully reproduced. If multiple vulnerabilities are caused by one underlying issue, we reserve the right to award only one bounty. All reward decisions are at the sole discretion of Cloudflare.\n\n## Big Bonanza\nWe're excited to announce an exclusive opportunity for our top-tier talent! 
Researchers who demonstrate excellence by submitting 2 valid critical severity reports or 4 valid high severity reports can request entry into our prestigious Cloudflare VIP Program.\n\nAs a member of the VIP program, you’ll unlock: \n\n✨ Access to enterprise features!\n✨ Exclusive access to test our cutting-edge Beta products \n✨ Opportunity to participate in special bug bounty campaigns \n✨ Higher bounty payouts and more!\n\nJoin our VIP program and take your bug hunting to the next level!\n\n## Disclosure\nCloudflare strongly supports coordinated disclosure. Our pledge to you, a vulnerability reporter, is to respond promptly and to fix the vulnerability in the sensible timeframe and in exchange we ask you to coordinate the disclosure with us.\n\nCloudflare aims to resolve all the vulnerabilities within the 90 days and we ask you not to disclose the information before that time. If we won’t be able to uphold that commitment on our end, we will let you know (but the decision if you would like to publish after the 90 days will be yours).\n\nFor some of the submissions we might decide not to treat it as vulnerability or not to issue a bounty. Still, we would like you to coordinate the disclosure with us so we are prepared for it.\n\nOften we decide on the payout before the vulnerability is fixed so the reward is not a payment for your silence. Still, we really want to have a chance to fix the vulnerability before it can be used by a malicious actor. 
For this reason we ask you to let us know about any plans you might have to present your findings in any way (like blog posts, articles, conference presentations, etc.).\n\nAt the end of the day the decision on what to disclose and when to disclose it is yours, and we would like to support you, so feel free to share any drafts of your presentation or article before publishing so we can provide feedback or share it with internal teams.\n\nWe have to mention, however, that any actions done in bad faith might result in excluding malicious reporters from the program or, in the case of disclosing Cloudflare or Cloudflare customers’ information (like PII or other sensitive information), might even force us to take legal action.\n\n# Privacy Policy, Restrictions and Taxes\nCloudflare maintains both a [privacy policy](https://www.cloudflare.com/privacypolicy/) and [transparency report](https://www.cloudflare.com/transparency/). As mentioned in our Privacy Policy, Cloudflare's website and services are not intended for, or designed to attract, individuals under the age of 18. Due to the Children's Online Privacy Protection Act (COPPA), we cannot accept submissions from children under the age of 13. Reporters under the age of 18 will not be eligible to receive Cloudflare service rewards. \n\nThis program is not open to any individual on, or anyone residing in any country on, any U.S. sanctions lists. Cloudflare employees and their family members are not eligible for bounties.\n\nThe decision to pay a reward is entirely at our discretion. You must not violate any law. You are responsible for any tax implications or additional restrictions depending on your country and local law. 
We reserve the right to cancel this program at any time.\n","has_open_scope":true,"pays_within_one_month":false,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Welcome to Cloudflare's public bug bounty program! ","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"MITM or physical access to a user's device\",\"details\":\"Attacks requiring MITM or physical access to a user's device will not be accepted.\"}","{\"category\":\"Content quality issues like broken links, spelling errors etc\",\"details\":\"Reports detailing content quality issues like broken links, spelling errors etc. will not be accepted.\"}","{\"category\":\"Clickjacking on pages with no sensitive actions\",\"details\":\"Clickjacking on pages with no sensitive actions will not be accepted.\"}","{\"category\":\"Cloud resource takeovers\",\"details\":\"Cloud resource takeovers will not be accepted.\"}","{\"category\":\"Content spoofing and text injection issues\",\"details\":\"Content spoofing and text injection issues without showing an attack vector, or without being able to modify HTML/CSS will not be accepted.\"}","{\"category\":\"Email configuration issues\",\"details\":\"Email configuration issues without a PoC to demonstrate a specific flaw will not be accepted.\"}","{\"category\":\"Insecure origin server configuration\",\"details\":\"Exploits that require the victim to configure their origin server in an insecure and non-default/uncommon way will not be accepted.\"}","{\"category\":\"Suggestions on configuration documentation\",\"details\":\"Reports detailing missing best practice, configuration or policy suggestions, including SSL/TLS configurations will not be accepted.\"}","{\"category\":\"Lack of “Secure” or “HttpOnly” flag on non-sensitive cookies\",\"details\":\"Reports detailing a lack of “Secure” or “HttpOnly” flag on non-sensitive cookies will not be 
accepted.\"}","{\"category\":\"Open redirects\",\"details\":\"Reports detailing open redirects will not be accepted.\"}","{\"category\":\"Security tool output without a PoC\",\"details\":\"Output from security tools (such as automated scanners) without a PoC to demonstrate a specific vulnerability will not be accepted.\"}","{\"category\":\"Subdomain takeovers\",\"details\":\"Subdomain takeovers will not be accepted.\"}","{\"category\":\"Unauthenticated logout/login CSRF\",\"details\":\"Unauthenticated logout/login CSRF will not be accepted.\"}","{\"category\":\"Use of previously known vulnerable libraries\",\"details\":\"Use of previously known vulnerable libraries without a working Proof of Concept will not be accepted.\"}","{\"category\":\"Vulnerabilities in SaaS applications\",\"details\":\"Vulnerabilities in SaaS applications (unless the vulnerability is a result of a misconfiguration by Cloudflare) will not be accepted.\"}","{\"category\":\"WAF Bypasses\",\"details\":\"WAF bypasses are out-of-scope unless used as part of a chain to demonstrate a different vulnerability on an in-scope asset\"}"],"timestamp":"2024-10-04T19:32:11.439Z"},{"id":3741221,"new_policy":"# Our Values\nCloudflare appreciates the work of security researchers and takes security, trust, and transparency seriously. This program was developed to make vulnerability reporting easier and to recognize the efforts of all people striving to help make the Internet a better place.\n\nIf you believe you have found a security vulnerability that could impact Cloudflare or our users, we encourage you to inform us right away. We will investigate all legitimate reports and do our best to quickly fix the problem.\n\n# What we expect from you\nBy participating in this program, you agree to the following program rules and guidelines in addition to HackerOne's [Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines). 
Failure to follow these rules will lead to disqualification from the Cloudflare Bug Bounty program.\n\n## Program Rules\n* You must make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of Cloudflare’s services and products during your research.\n* All attacks must be executed against your own Cloudflare Account. You can sign up for a free Cloudflare account and use it for testing.\n    * Accounts should be created with a `@wearehackerone.com` email address.\n* Do not perform tests against customers of Cloudflare. \n* Once you find a vulnerability, report it and reach out to us before you use the vulnerability to pivot across multiple in-scope assets.\n* Make sure that scanners have a narrow scope set that is [limited to authorized Cloudflare IPs only](https://cloudflare.com/ips). Aggressive, overly broad scans or those which include Cloudflare customer IPs without permission will be considered tests against Cloudflare customers.\n* Do not send unsolicited bulk messages (spam) or unauthorized messages.\n* Do not knowingly post, transmit, upload, link to, or send any program or script that might be considered malicious.\n* If your report is the product of collaboration, please add your collaborators _before the bounty_ is awarded.\n\nAny of the activities below will result in disqualification from the program permanently:\n* Testing against Cloudflare customers, partners, service providers, suppliers, or vendors\n* Social engineering of Cloudflare employees/contractors, including but not limited to: pre-authenticated clickjacking, phishing, impersonating Cloudflare in emails or convincing customer support to do something on behalf of another user\n* Physical attacks against Cloudflare employees/contractors, offices, or data centers\n* Executing Denial of Service attacks against Cloudflare\n\n### Leaked credentials\nCloudflare appreciates researchers who take time to report leaked credentials. 
If you discover what looks like valid Cloudflare employee, customer or partner credentials, immediately submit a report to Cloudflare who will determine the validity of the leaked credentials. Please do not attempt to verify the validity of the credentials yourself by attempting to authenticate with the credentials. This makes triage more difficult, and will lead to the report being ineligible for a bounty. Additionally, keep in mind that Cloudflare cannot authorize testing against third-parties. **Under no circumstances should you use leaked Cloudflare employee, customer or partner credentials to access non-public information.**\n\n## Submitting a report\nWhen submitting a report, we expect that researchers:\n* Provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Provide a realistic attack scenario including prerequisites for an attack and expected gains after the exploitation.\n    * Reports without such a scenario, with unrealistic assumptions or without meaningful outcomes will not be eligible for reward.\n    * Example: \"invite an attacker account into your organization\".\n* Submit one vulnerability per report, unless you need to chain vulnerabilities in order to demonstrate impact.\n* Do not store any Cloudflare IP or PII information once the report is submitted.\n\nSubmitting high quality reports is highly encouraged and will speed up the triage and award process. Please address the following bits of information in your report to demonstrate the quality of the vulnerability. Reports that are low quality and unclear will be closed. 
This recommended format will help you create a report that is in a readable format and contains all the information needed by Cloudflare.\n\n* Affected target, feature, or URL\n* Description of a problem\n* Impact of an issue\n* Steps to reproduce or Proof of Concept\n* Is knowledge of this issue currently public?\n\n# What you can expect from us\n\n## Handling of reports\nCloudflare will make best effort to handle reports within the following time frame. Note that all times are in business days.\n\n| First Response | Triage | Bounty | Resolution |\n| --- | --- | --- | --- |\n| 2 days | 2 days (from first response) | 10 days (from triage) | Depends on severity and complexity |\n\n## Rewards\nWhen duplicates occur, we award only the first report that was received, provided that it can be fully reproduced. If multiple vulnerabilities are caused by one underlying issue, we reserve the right to award only one bounty. All reward decisions are at the sole discretion of Cloudflare.\n\n## Big Bonanza\nWe're excited to announce an exclusive opportunity for our top-tier talent! Researchers who demonstrate excellence by submitting 2 valid critical severity reports or 4 valid high severity reports can request entry into our prestigious Cloudflare VIP Program.\n\nAs a member of the VIP program, you’ll unlock: \n\n✨ Exclusive access to test our cutting-edge Beta products \n✨ Opportunity to participate in special bug bounty campaigns \n✨ Higher bounty payouts\n✨ First look at new enterprise features and more!\n\nJoin our VIP program and take your bug hunting to the next level!\n\n## Disclosure\nCloudflare strongly supports coordinated disclosure. Our pledge to you, a vulnerability reporter, is to respond promptly and to fix the vulnerability in a sensible timeframe, and in exchange we ask you to coordinate the disclosure with us.\n\nCloudflare aims to resolve all vulnerabilities within 90 days and we ask you not to disclose the information before that time. 
If we are not able to uphold that commitment on our end, we will let you know (but the decision whether to publish after the 90 days will be yours).\n\nFor some submissions we might decide not to treat them as a vulnerability or not to issue a bounty. Still, we would like you to coordinate the disclosure with us so we are prepared for it.\n\nOften we decide on the payout before the vulnerability is fixed so the reward is not a payment for your silence. Still, we really want to have a chance to fix the vulnerability before it can be used by a malicious actor. For this reason we ask you to let us know about any plans you might have to present your findings in any way (like blog posts, articles, conference presentations, etc.).\n\nAt the end of the day the decision on what to disclose and when to disclose it is yours, and we would like to support you, so feel free to share any drafts of your presentation or article before publishing so we can provide feedback or share it with internal teams.\n\nWe have to mention, however, that any actions done in bad faith might result in excluding malicious reporters from the program or, in the case of disclosing Cloudflare or Cloudflare customers’ information (like PII or other sensitive information), might even force us to take legal action.\n\n# Privacy Policy, Restrictions and Taxes\nCloudflare maintains both a [privacy policy](https://www.cloudflare.com/privacypolicy/) and [transparency report](https://www.cloudflare.com/transparency/). As mentioned in our Privacy Policy, Cloudflare's website and services are not intended for, or designed to attract, individuals under the age of 18. Due to the Children's Online Privacy Protection Act (COPPA), we cannot accept submissions from children under the age of 13. Reporters under the age of 18 will not be eligible to receive Cloudflare service rewards. \n\nThis program is not open to any individual on, or anyone residing in any country on, any U.S. 
sanctions lists. Cloudflare employees and their family members are not eligible for bounties.\n\nThe decision to pay a reward is entirely at our discretion. You must not violate any law. You are responsible for any tax implications or additional restrictions depending on your country and local law. We reserve the right to cancel this program at any time.\n","has_open_scope":true,"pays_within_one_month":false,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Welcome to Cloudflare's public bug bounty program! ","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"MITM or physical access to a user's device\",\"details\":\"Attacks requiring MITM or physical access to a user's device will not be accepted.\"}","{\"category\":\"Content quality issues like broken links, spelling errors etc\",\"details\":\"Reports detailing content quality issues like broken links, spelling errors etc. 
will not be accepted.\"}","{\"category\":\"Clickjacking on pages with no sensitive actions\",\"details\":\"Clickjacking on pages with no sensitive actions will not be accepted.\"}","{\"category\":\"Cloud resource takeovers\",\"details\":\"Cloud resource takeovers will not be accepted.\"}","{\"category\":\"Content spoofing and text injection issues\",\"details\":\"Content spoofing and text injection issues without showing an attack vector, or without being able to modify HTML/CSS will not be accepted.\"}","{\"category\":\"Email configuration issues\",\"details\":\"Email configuration issues without a PoC to demonstrate a specific flaw will not be accepted.\"}","{\"category\":\"Insecure origin server configuration\",\"details\":\"Exploits that require the victim to configure their origin server in an insecure and non-default/uncommon way will not be accepted.\"}","{\"category\":\"Suggestions on configuration documentation\",\"details\":\"Reports detailing missing best practice, configuration or policy suggestions, including SSL/TLS configurations will not be accepted.\"}","{\"category\":\"Lack of “Secure” or “HttpOnly” flag on non-sensitive cookies\",\"details\":\"Reports detailing a lack of “Secure” or “HttpOnly” flag on non-sensitive cookies will not be accepted.\"}","{\"category\":\"Open redirects\",\"details\":\"Reports detailing open redirects will not be accepted.\"}","{\"category\":\"Security tool output without a PoC\",\"details\":\"Output from security tools (such as automated scanners) without a PoC to demonstrate a specific vulnerability will not be accepted.\"}","{\"category\":\"Subdomain takeovers\",\"details\":\"Subdomain takeovers will not be accepted.\"}","{\"category\":\"Unauthenticated logout/login CSRF\",\"details\":\"Unauthenticated logout/login CSRF will not be accepted.\"}","{\"category\":\"Use of previously known vulnerable libraries\",\"details\":\"Use of previously known vulnerable libraries without a working Proof of Concept will not be 
accepted.\"}","{\"category\":\"Vulnerabilities in SaaS applications\",\"details\":\"Vulnerabilities in SaaS applications (unless the vulnerability is a result of a misconfiguration by Cloudflare) will not be accepted.\"}","{\"category\":\"WAF Bypasses\",\"details\":\"WAF bypasses are out-of-scope unless used as part of a chain to demonstrate a different vulnerability on an in-scope asset\"}"],"timestamp":"2024-10-04T19:11:25.260Z"},{"id":3741139,"new_policy":"# Our Values\nCloudflare appreciates the work of security researchers and takes security, trust, and transparency seriously. This program was developed to make vulnerability reporting easier and to recognize the efforts of all people striving to help make the Internet a better place.\n\nIf you believe you have found a security vulnerability that could impact Cloudflare or our users, we encourage you to inform us right away. We will investigate all legitimate reports and do our best to quickly fix the problem.\n\n# What we expect from you\nBy participating in this program, you agree to the following program rules and guidelines in addition to HackerOne's [Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines). Failure to follow these rules will lead to disqualification from the Cloudflare Bug Bounty program.\n\n## Program Rules\n* You must make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of Cloudflare’s services and products during your research.\n* All attacks must be executed against your own Cloudflare Account. You can sign up for a free Cloudflare account and use it for testing.\n    * Accounts should be created with a `@wearehackerone.com` email address.\n* Do not perform tests against customers of Cloudflare. 
\n* Once you find a vulnerability, report it and reach out to us before you use the vulnerability to pivot across multiple in-scope assets.\n* Make sure that scanners have a narrow scope set that is [limited to authorized Cloudflare IPs only](https://cloudflare.com/ips). Aggressive, overly broad scans or those which include Cloudflare customer IPs without permission will be considered tests against Cloudflare customers.\n* Do not send unsolicited bulk messages (spam) or unauthorized messages.\n* Do not knowingly post, transmit, upload, link to, or send any program or script that might be considered malicious.\n* If your report is the product of collaboration, please add your collaborators _before the bounty_ is awarded.\n\nAny of the activities below will result in disqualification from the program permanently:\n* Testing against Cloudflare customers, partners, service providers, suppliers, or vendors\n* Social engineering of Cloudflare employees/contractors, including but not limited to: pre-authenticated clickjacking, phishing, impersonating Cloudflare in emails or convincing customer support to do something on behalf of another user\n* Physical attacks against Cloudflare employees/contractors, offices, or data centers\n* Executing Denial of Service attacks against Cloudflare\n\n### Leaked credentials\nCloudflare appreciates researchers who take time to report leaked credentials. If you discover what looks like valid Cloudflare employee, customer or partner credentials, immediately submit a report to Cloudflare who will determine the validity of the leaked credentials. Please do not attempt to verify the validity of the credentials yourself by attempting to authenticate with the credentials. This makes triage more difficult, and will lead to the report being ineligible for a bounty. Additionally, keep in mind that Cloudflare cannot authorize testing against third-parties. 
**Under no circumstances should you use leaked Cloudflare employee, customer or partner credentials to access non-public information.**\n\n## Submitting a report\nWhen submitting a report, we expect that researchers:\n* Provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Provide a realistic attack scenario including prerequisites for an attack and expected gains after the exploitation.\n    * Reports without such a scenario, with unrealistic assumptions or without meaningful outcomes will not be eligible for reward.\n    * Example: \"invite an attacker account into your organization\".\n* Submit one vulnerability per report, unless you need to chain vulnerabilities in order to demonstrate impact.\n* Do not store any Cloudflare IP or PII information once the report is submitted.\n\nSubmitting high quality reports is highly encouraged and will speed up the triage and award process. Please address the following bits of information in your report to demonstrate the quality of the vulnerability. Reports that are low quality and unclear will be closed. This recommended format will help you create a report that is in a readable format and contains all the information needed by Cloudflare.\n\n* Affected target, feature, or URL\n* Description of a problem\n* Impact of an issue\n* Steps to reproduce or Proof of Concept\n* Is knowledge of this issue currently public?\n\n# What you can expect from us\n\n## Handling of reports\nCloudflare will make best effort to handle reports within the following time frame. Note that all times are in business days.\n\n| First Response | Triage | Bounty | Resolution |\n| --- | --- | --- | --- |\n| 2 days | 2 days (from first response) | 10 days (from triage) | Depends on severity and complexity |\n\n## Rewards\nWhen duplicates occur, we award only the first report that was received, provided that it can be fully reproduced. 
If multiple vulnerabilities are caused by one underlying issue, we reserve the right to award only one bounty. All reward decisions are at the sole discretion of Cloudflare.\n\n## Big Bonanza\nWe're excited to announce an exclusive opportunity for our top-tier talent! Researchers who demonstrate excellence by submitting 2 valid critical severity reports or 4 valid high severity reports can request entry into our prestigious Cloudflare VIP Program.\n\nAs a member of the VIP program, you’ll unlock: \n\n✨ Exclusive access to test our cutting-edge Beta products \n✨ Opportunity to participate in special bug bounty campaigns \n✨ Higher bounty payouts\n✨ First look at new enterprise features and more!\n\nJoin our VIP program and take your bug hunting to the next level!\n\n## Disclosure\nCloudflare strongly supports coordinated disclosure. Our pledge to you, a vulnerability reporter, is to respond promptly and to fix the vulnerability in a sensible timeframe, and in exchange we ask you to coordinate the disclosure with us.\n\nCloudflare aims to resolve all vulnerabilities within 90 days and we ask you not to disclose the information before that time. If we are not able to uphold that commitment on our end, we will let you know (but the decision whether to publish after the 90 days will be yours).\n\nFor some submissions we might decide not to treat them as a vulnerability or not to issue a bounty. Still, we would like you to coordinate the disclosure with us so we are prepared for it.\n\nOften we decide on the payout before the vulnerability is fixed so the reward is not a payment for your silence. Still, we really want to have a chance to fix the vulnerability before it can be used by a malicious actor. 
For this reason we ask you to let us know about any plans you might have to present your findings in any way (like blog posts, articles, conference presentations, etc.).\n\nAt the end of the day the decision on what to disclose and when to disclose it is yours, and we would like to support you, so feel free to share any drafts of your presentation or article before publishing so we can provide feedback or share it with internal teams.\n\nWe have to mention, however, that any actions done in bad faith might result in excluding malicious reporters from the program or, in the case of disclosing Cloudflare or Cloudflare customers’ information (like PII or other sensitive information), might even force us to take legal action.\n\n# Privacy Policy, Restrictions and Taxes\nCloudflare maintains both a [privacy policy](https://www.cloudflare.com/privacypolicy/) and [transparency report](https://www.cloudflare.com/transparency/). As mentioned in our Privacy Policy, Cloudflare's website and services are not intended for, or designed to attract, individuals under the age of 18. Due to the Children's Online Privacy Protection Act (COPPA), we cannot accept submissions from children under the age of 13. Reporters under the age of 18 will not be eligible to receive Cloudflare service rewards. \n\nThis program is not open to any individual on, or anyone residing in any country on, any U.S. sanctions lists. Cloudflare employees and their family members are not eligible for bounties.\n\nThe decision to pay a reward is entirely at our discretion. You must not violate any law. You are responsible for any tax implications or additional restrictions depending on your country and local law. 
We reserve the right to cancel this program at any time.\n","has_open_scope":true,"pays_within_one_month":false,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Welcome to Cloudflare's public bug bounty program! ","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"MITM or physical access to a user's device\",\"details\":\"Attacks requiring MITM or physical access to a user's device will not be accepted.\"}","{\"category\":\"Content quality issues like broken links, spelling errors etc\",\"details\":\"Reports detailing content quality issues like broken links, spelling errors etc. will not be accepted.\"}","{\"category\":\"Clickjacking on pages with no sensitive actions\",\"details\":\"Clickjacking on pages with no sensitive actions will not be accepted.\"}","{\"category\":\"Cloud resource takeovers\",\"details\":\"Cloud resource takeovers will not be accepted.\"}","{\"category\":\"Content spoofing and text injection issues\",\"details\":\"Content spoofing and text injection issues without showing an attack vector, or without being able to modify HTML/CSS will not be accepted.\"}","{\"category\":\"Email configuration issues\",\"details\":\"Email configuration issues without a PoC to demonstrate a specific flaw will not be accepted.\"}","{\"category\":\"Insecure origin server configuration\",\"details\":\"Exploits that require the victim to configure their origin server in an insecure and non-default/uncommon way will not be accepted.\"}","{\"category\":\"Suggestions on configuration documentation\",\"details\":\"Reports detailing missing best practice, configuration or policy suggestions, including SSL/TLS configurations will not be accepted.\"}","{\"category\":\"Lack of “Secure” or “HttpOnly” flag on non-sensitive cookies\",\"details\":\"Reports detailing a lack of “Secure” or “HttpOnly” flag on non-sensitive cookies will not be 
accepted.\"}","{\"category\":\"Open redirects\",\"details\":\"Reports detailing open redirects will not be accepted.\"}","{\"category\":\"Security tool output without a PoC\",\"details\":\"Output from security tools (such as automated scanners) without a PoC to demonstrate a specific vulnerability will not be accepted.\"}","{\"category\":\"Subdomain takeovers\",\"details\":\"Subdomain takeovers will not be accepted.\"}","{\"category\":\"Unauthenticated logout/login CSRF\",\"details\":\"Unauthenticated logout/login CSRF will not be accepted.\"}","{\"category\":\"Use of previously known vulnerable libraries\",\"details\":\"Use of previously known vulnerable libraries without a working Proof of Concept will not be accepted.\"}","{\"category\":\"Vulnerabilities in SaaS applications\",\"details\":\"Vulnerabilities in SaaS applications (unless the vulnerability is a result of a misconfiguration by Cloudflare) will not be accepted.\"}","{\"category\":\"XSS in Cloudflare workers\",\"details\":\"Workers runs in an Iframe sandbox, disconnected from the rest of the customer's website. XSS attacks only impact security if they can run in the context of dash.cloudflare.com or any domain where it affects the currently logged-in Cloudflare user\"}","{\"category\":\"XSS in Dash\",\"details\":\"We are aware of a sanitization library on dash.cloudflare.com causing XSS and are working to fix it. We will not award bounties for XSS reported on dash.cloudflare.com as it would be a duplicate. This exclusion will be removed once the issue is fixed.\"}","{\"category\":\"WAF Bypasses\",\"details\":\"WAF Bypasses\\nWAF bypasses are considered as an enhancement to our product rather than bugs, and any related reports will be closed out as Informative. 
Please use this site to test: https://waf.cumulusfire.net/xss.\"}"],"timestamp":"2024-10-04T05:56:56.705Z"},{"id":3737214,"new_policy":"# Our Values\nCloudflare appreciates the work of security researchers and takes security, trust, and transparency seriously. This program was developed to make vulnerability reporting easier and to recognize the efforts of all people striving to help make the Internet a better place.\n\nIf you believe you have found a security vulnerability that could impact Cloudflare or our users, we encourage you to inform us right away. We will investigate all legitimate reports and do our best to quickly fix the problem.\n\n# What we expect from you\nBy participating in this program, you agree to the following program rules and guidelines in addition to HackerOne's [Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines). Failure to follow these rules will lead to disqualification from the Cloudflare Bug Bounty program.\n \n## Program Rules\n* You must make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of Cloudflare’s services and products during your research.\n* All attacks must be executed against your own Cloudflare Account. You can sign up for a free Cloudflare account and use it for testing.\n    * Accounts should be created with a `@wearehackerone.com` email address.\n* Do not perform tests against customers of Cloudflare. \n* Once you find a vulnerability, report it and reach out to us before you use the vulnerability to pivot across multiple in-scope assets.\n* Make sure that scanners have a narrow scope set that is [limited to authorized Cloudflare IPs only](https://cloudflare.com/ips). 
Aggressive, overly broad scans or those which include Cloudflare customer IPs without permission will be considered tests against Cloudflare customers.\n* Do not send unsolicited bulk messages (spam) or unauthorized messages.\n* Do not knowingly post, transmit, upload, link to, or send any program or script that might be considered malicious.\n* If your report is the product of collaboration, please add your collaborators _before the bounty_ is awarded.\n\nAny of the activities below will result in disqualification from the program permanently:\n* Testing against Cloudflare customers, partners, service providers, suppliers, or vendors\n* Social engineering of Cloudflare employees/contractors, including but not limited to: pre-authenticated clickjacking, phishing, impersonating Cloudflare in emails or convincing customer support to do something on behalf of another user\n* Physical attacks against Cloudflare employees/contractors, offices, or data centers\n* Executing Denial of Service attacks against Cloudflare\n\n## Submitting a report\nWhen submitting a report, we expect that researchers:\n* Provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Provide a realistic attack scenario including prerequisites for an attack and expected gains after the exploitation.\n    * Reports without such a scenario, with unrealistic assumptions or without meaningful outcomes will not be eligible for reward.\n    * Example: \"invite an attacker account into your organization\".\n* Submit one vulnerability per report, unless you need to chain vulnerabilities in order to demonstrate impact.\n* Do not store any Cloudflare IP or PII information once the report is submitted.\n\nSubmitting high quality reports is highly encouraged and will speed up the triage and award process. 
Please address the following bits of information in your report to demonstrate the quality of the vulnerability. Reports that are low quality and unclear will be closed. This recommended format will help you create a report that is in a readable format and contains all the information needed by Cloudflare.\n\n* Affected target, feature, or URL\n* Description of a problem\n* Impact of an issue\n* Steps to reproduce or Proof of Concept\n* Is knowledge of this issue currently public?\n\n# What you can expect from us\n\n## Handling of reports\nCloudflare will make best effort to handle reports within the following time frame. Note that all times are in business days.\n\n| First Response | Triage | Bounty | Resolution |\n| --- | --- | --- | --- |\n| 2 days | 2 days (from first response) | 10 days (from triage) | Depends on severity and complexity |\n\n## Rewards \nWhen duplicates occur, we award only the first report that was received, provided that it can be fully reproduced. If multiple vulnerabilities are caused by one underlying issue, we reserve the right to award only one bounty. All reward decisions are at the sole discretion of Cloudflare.\n \n| Severity |  Critical | High | Medium  |  Low  |\n| --- | --- | --- | --- | --- |\n| **Primary Targets**  | $3,000   |  $1,000   |  $500   | $250 |\n| **Secondary Targets**  |  $2,700    |  $750   |  $350   |   $200  |\n| **Other**  | $2,100 | $500 | $200 | $100 |\n\nExploitable memory corruption reports in [workerd](https://github.com/cloudflare/workerd) will be awarded $10,000.\n\nV8 bugs are not in scope for this program. Please report them at [https://v8.dev/docs/security-bugs](https://v8.dev/docs/security-bugs).\n  \n## Reward Scope\nPlease see our classifications for primary targets and secondary targets. 
We may still reward reports with significant security impact on anything owned by Cloudflare, so we encourage you to report such bugs via this program.\n \n### Scope: Primary Targets\nProducts listed under the Cloudflare Products tab on [our website](https://www.cloudflare.com/) are in scope as a primary target, excluding our China network which is hosted by a partner. Current in scope products include:\n* Stream\n* 1.1.1.1 resolver\n* 1.1.1.1/WARP Android and iOS apps\n* Magic Transit\n* Cloudflare Pages\n* Cloudflare Workers\n* Cloudflare Tunnel\n* Spectrum\n* Load Balancing\n* AMP Real URL\n* CDNJS\n* Bot Management\n* WAF\n* WARP clients (desktop/mobile)\n* [workerd](https://github.com/cloudflare/workerd)\n* Cloudflare D1\n* Cloudflare DNS \n* Cloudflare CASB\n* Cloudflare Access \n*  Cache\n* Magic Firewall\n* Zaraz\n* China Network\n* API Shield\n* Gateway\n* Browser Isolation\n* Images\n* AI Platform (Constellation, Vectorize)\n* Workers KV\n* Hyperdrive\n* Durable Objects\n* Rate Limiting \n* Analytics\n* Turnstile\n* Waiting Room\n* Magic WAN\n* DLP\n* SSL/TLS\n\n### Scope: Secondary Targets\n* dash.cloudflare.com\n* one.dash.cloudflare.com\n* APIs listed on api.cloudflare.com\n \n### Scope: Other\n*  *.cloudflare.com (e.g. blog.cloudflare.com, www.cloudflare.com, etc.)\n* Open source products created by Cloudflare (github.com/cloudflare)\n* *.cloudflarepartners.com\n* Anything owned by Cloudflare not listed in primary targets (e.g. cloudflareworkers.com, rpki.cloudflare.com, etc.)\n \n## Ineligible Vulnerability Types\nCloudflare does not consider the following to be eligible vulnerabilities under this program. In most cases, these issues will be closed as **Not Applicable:**\n\n### XSS in Cloudflare workers\nThe entire purpose of Workers is to allow customers to run their own Javascript, called from their website. As a consequence, it will be possible for visitors to the site to explicitly call those functions. 
However, Workers runs in an Iframe sandbox, disconnected from the rest of the customer's website. XSS attacks only impact security if they can run in the context of  dash.cloudflare.com or any domain where it affects the currently logged-in Cloudflare user.\n(https://sites.google.com/site/bughunteruniversity/nonvuln/xss-in-sandbox-domain)\n\n### Security issue on origin server\nA vulnerability is out of scope if it exists on the origin server and not in a service that Cloudflare provides. If an exploit relies on the reporter configuring their origin in an insecure and non-default/uncommon way (for example, think cache-poisoning, subdomain takeovers, etc.), we cannot fix the vulnerability.\n\n### Social Engineering\nAny form of social engineering attack will be considered out of scope. For example:\n* Pre-authenticated Clickjacking\n* Phishing\n* Impersonating Cloudflare in emails\n* Convincing customer support to do something on behalf of another user\n\n### WAF Bypasses\nWe consider WAF bypasses an enhancement to our WAF product rather than bugs, and any related reports will be closed out as Informative. All WAF bypass reports need to be reproducible on our test site https://waf.cumulusfire.net/xss. You are free to use this site for testing. WAF bypasses that are considered innovative or interesting may receive a bonus at the program's discretion. WAF bypass reports may also be closed as Duplicate if they are similar to past submissions.\n \n### Broken Links and abandoned cloud resources\nWe consider fixes for reported broken links, including links to abandoned cloud resources, as enhancements to our products and websites rather than bugs. Reports of broken links will not be awarded. Cloud resource takeovers will be awarded a payout of $50 unless an actual vulnerability is demonstrated by a proof-of-concept. 
If a PoC is provided, it will be awarded in accordance with the standard rewards table.\n\n### Leaked credentials\nCloudflare appreciates researchers who take time to report leaked credentials. If you discover what looks like valid Cloudflare employee, customer or partner credentials, immediately submit a report to Cloudflare who will determine the validity of the leaked credentials. Please do not attempt to verify the validity of the credentials yourself by attempting to authenticate with the credentials. This makes triage more difficult, and will lead to the report being ineligible for a bounty. Additionally, keep in mind that Cloudflare cannot authorize testing against third-parties. **Under no circumstances should you use leaked Cloudflare employee, customer or partner credentials to access non-public information.**\n\n## Out of Scope\nWe will accept out of scope reports and evaluate them on a case-by-case basis in our sole discretion. \n\nThe following issues are considered out of scope:\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Subdomain takeovers under *.cdn.cloudflare.net\n* Attacks to servers under *.cdn.cloudflare.net (These servers belong to our customers and are not maintained by Cloudflare).\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing Best Practice, Configuration or Policy Suggestions including SSL/TLS configurations.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Output from Automated Scanners without a PoC to demonstrate a specific vulnerability.\n* Lack of Secure or HTTP only flag on non-sensitive cookies.\n* Email configuration issues without a PoC to demonstrate a 
specific flaw.\n* Broken links without demonstrating an attack\n* SaaS applications, even if published under the cloudflare.com domain. \n* Open redirects without demonstrating an attack\n* All Area1 products are currently out of scope\n* Issues with apps on the Cloudflare marketplace that are created by third parties\n \nNote: We have identified a problem in our sanitization library on dash.cloudflare.com which can cause XSS. We are aware of the issue and are working to fix it. We will not award bounties for XSS reported on dash.cloudflare.com as it would be a duplicate report. Thank you to the researchers who originally reported this issue. This note will be removed once the issue is fixed.\n \nNote: Mobilesdk is a product that we are sunsetting. Bounty for reports on this product will be awarded on a case-by-case basis at our sole discretion.\n\nAny of the activities below will result in disqualification from the program permanently:\n* Social engineering of Cloudflare employees, contractors, vendors, or service providers.\n* Physical attacks against Cloudflare employees, offices, and data centers.\n* Any Denial of Service attacks against Cloudflare and our products.\n* Any vulnerability obtained through the compromise of a Cloudflare customer or employee account. Please create a free account to test potential vulnerabilities. \n* Attempts to access/compromise customer assets that use Cloudflare.\n* Attempts to access/compromise Cloudflare's China network.\n* Attempts to access/compromise any 3rd party vendor that Cloudflare uses.\n* Attacks against the integrity of Cloudflare customers.\n\n## Disclosure\nCloudflare strongly supports coordinated disclosure. 
Our pledge to you, a vulnerability reporter, is to respond promptly and to fix the vulnerability in a sensible timeframe; in exchange we ask you to coordinate the disclosure with us.\n\nCloudflare aims to resolve all vulnerabilities within 90 days and we ask you not to disclose the information before that time. If we are not able to uphold that commitment on our end, we will let you know (but the decision whether to publish after the 90 days will be yours).\n\nFor some submissions we might decide not to treat the issue as a vulnerability or not to issue a bounty. Still, we would like you to coordinate the disclosure with us so we are prepared for it.\n\nOften we decide on the payout before the vulnerability is fixed, so the reward is not a payment for your silence. Still, we really want to have a chance to fix the vulnerability before it can be used by a malicious actor. For this reason we ask you to let us know about any plans you might have to present your findings in any way (like blog posts, articles, conference presentations etc.).\n\nAt the end of the day the decision on what to disclose and when to disclose it is yours, and we would like to support you, so feel free to share any drafts of your presentation or article before publishing so we can provide some feedback or share it with internal teams.\n\nWe have to mention, however, that any actions done in bad faith might result in excluding malicious reporters from the program or, in case of disclosure of Cloudflare or Cloudflare customers’ information (like PII or other sensitive information), might even force us to take legal action.\n\n# Privacy Policy, Restrictions and Taxes\nCloudflare maintains both a [privacy policy](https://www.cloudflare.com/privacypolicy/) and a [transparency report](https://www.cloudflare.com/transparency/). 
As mentioned in our Privacy Policy, Cloudflare's website and services are not intended for, or designed to attract individuals under the age of 18. Due to the Children's Online Privacy Protection Act (COPPA), we cannot accept submissions from children under the age of 13. Reporters under the age of 18 will not be eligible to receive Cloudflare service rewards. \n\nThis program is not open to any individual on, or anyone residing in any country on, any U.S. sanctions lists. Cloudflare employees and their family members are not eligible for bounties.\n\nThe decision to pay a reward is entirely at our discretion. You must not violate any law. You are responsible for any tax implications or additional restrictions depending on your country and local law. We reserve the right to cancel this program at any time.\n","has_open_scope":true,"pays_within_one_month":false,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Welcome to Cloudflare's public bug bounty program! ","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-08-27T22:50:33.874Z"},{"id":3737141,"new_policy":"# Our Values\nCloudflare appreciates the work of security researchers, and we take security, trust, and transparency seriously. We developed a program to make it easier to report vulnerabilities to Cloudflare and to recognize you for your efforts to make the Internet a better place.\n\nFor research into our products, good starting points include our [Developer documentation](https://developers.cloudflare.com/docs/), [API documentation](https://api.cloudflare.com/#getting-started-endpoints), the [Learning Center](https://www.cloudflare.com/learning/), and any material on the [Cloudflare support forums](https://community.cloudflare.com/).\n \n# Rewards \nPlease note that these are general guidelines for rewards, and that reward decisions are at the discretion of Cloudflare. 
Issues may receive a lower severity rating due to mitigating factors, Cloudflare’s assessment of business risk, or other context. All pricing is in USD.\n \n| Severity |  Critical | High | Medium  |  Low  |\n| --- | --- | --- | --- | --- |\n| **Primary Targets**  | $3,000   |  $1,000   |  $500   | $250 |\n| **Secondary Targets**  |  $2,700    |  $750   |  $350   |   $200  |\n| **Other**  | $2,100 | $500 | $200 | $100 |\n\nExploitable memory corruption reports in [workerd](https://github.com/cloudflare/workerd) will be awarded $10,000.\n\nV8 bugs are not in scope for this program. Please report them at [https://v8.dev/docs/security-bugs](https://v8.dev/docs/security-bugs).\n\n# What you can expect from us\n\n## Response Times\nCloudflare will make best effort to handle reports within the following time frame. Note that all times are in business days.\n\n| First Response | Triage | Bounty | Resolution |\n| --- | --- | --- | --- |\n| 2 days | 2 days (from first response) | 10 days (from triage) | Depends on severity and complexity |\n\n## Collaborate with other hackers!\nIf your report is the product of collaboration, please add your collaborators before a bounty is awarded.\n \n# Program Rules\n* By participating in this program, you agree to not discuss or otherwise disclose your ongoing work under this program or any vulnerabilities with parties outside of the program without explicit consent from Cloudflare, except as provided below.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward. \n* Please provide a realistic attack scenario including prerequisites for an attack and expected gains after the exploitation. 
Reports without such a scenario, with unrealistic assumptions or without meaningful outcomes will not be eligible for reward.\n* Eligibility for rewards is at Cloudflare’s sole discretion.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities in order to demonstrate impact.\n* Once you find a vulnerability, report it and reach out to us before pivoting.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded only one bounty.\n* Do not store any Cloudflare IP or PII information once the report is submitted.\n \n# Scope\nPlease see our classifications for primary targets and secondary targets. We may still reward reports with significant security impact on anything owned by Cloudflare, so we encourage you to report such bugs via this program.\n \n## Scope: Primary Targets\nProducts listed under the Cloudflare Products tab on [our website](https://www.cloudflare.com/) are in scope as a primary target, excluding our China network, which is hosted by a partner. 
Current in scope products include:\n* Stream\n* 1.1.1.1 resolver\n* 1.1.1.1/WARP Android and iOS apps\n* Magic Transit\n* Cloudflare Pages\n* Cloudflare Workers\n* Cloudflare Tunnel\n* Spectrum\n* Load Balancing\n* AMP Real URL\n* CDNJS\n* Bot Management\n* WAF\n* WARP clients (desktop/mobile)\n* [workerd](https://github.com/cloudflare/workerd)\n* Cloudflare D1\n* Cloudflare DNS \n* Cloudflare CASB\n* Cloudflare Access \n*  Cache\n* Magic Firewall\n* Zaraz\n* China Network\n* API Shield\n* Gateway\n* Browser Isolation\n* Images\n* AI Platform (Constellation, Vectorize)\n* Workers KV\n* Hyperdrive\n* Durable Objects\n* Rate Limiting \n* Analytics\n* Turnstile\n* Waiting Room\n* Magic WAN\n* DLP\n* SSL/TLS\n\n## Scope: Secondary Targets\n* dash.cloudflare.com\n* one.dash.cloudflare.com\n* APIs listed on api.cloudflare.com\n \n## Scope: Other\n*  *.cloudflare.com (e.g. blog.cloudflare.com, www.cloudflare.com, etc.)\n* Open source products created by Cloudflare (github.com/cloudflare)\n* *.cloudflarepartners.com\n* Anything owned by Cloudflare not listed in primary targets (e.g. cloudflareworkers.com, rpki.cloudflare.com, etc.)\n \n# Ineligible Vulnerability Types\nCloudflare does not consider the following to be eligible vulnerabilities under this program. In most cases, these issues will be closed as **Not Applicable:**\n\n## XSS in Cloudflare workers\nThe entire purpose of Workers is to allow customers to run their own Javascript, called from their website. As a consequence, it will be possible for visitors to the site to explicitly call those functions. However, Workers runs in an Iframe sandbox, disconnected from the rest of the customer's website. 
XSS attacks only impact security if they can run in the context of  dash.cloudflare.com or any domain where it affects the currently logged-in Cloudflare user.\n(https://sites.google.com/site/bughunteruniversity/nonvuln/xss-in-sandbox-domain)\n\n## Security issue on origin server\nA vulnerability is out of scope if it exists on the origin server and not in a service that Cloudflare provides. If an exploit relies on the reporter configuring their origin in an insecure and non-default/uncommon way (for example, think cache-poisoning, subdomain takeovers, etc.), we cannot fix the vulnerability.\n\n## Social Engineering\nAny form of social engineering attack will be considered out of scope. For example:\n* Pre-authenticated Clickjacking\n* Phishing\n* Impersonating Cloudflare in emails\n* Convincing customer support to do something on behalf of another user\n\n## WAF Bypasses\nWe consider WAF bypasses an enhancement to our WAF product rather than bugs, and any related reports will be closed out as Informative. All WAF bypass reports need to be reproducible on our test site https://waf.cumulusfire.net/xss. You are free to use this site for testing. WAF bypasses that are considered innovative or interesting may receive a bonus at the program's discretion. WAF bypass reports may also be closed as Duplicate if they are similar to past submissions.\n \n## Broken Links and abandoned cloud resources\nWe consider fixes for reported broken links, including links to abandoned cloud resources, as enhancements to our products and websites rather than bugs. Reports of broken links will not be awarded. Cloud resource takeovers will be awarded a payout of $50 unless an actual vulnerability is demonstrated by a proof-of-concept. If a PoC is provided, it will be awarded in accordance with the standard rewards table.\n\n# Out of Scope\nWe will accept out of scope reports and evaluate them on a case-by-case basis in our sole discretion. 
\n\nThe following issues are considered out of scope:\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Subdomain takeovers under *.cdn.cloudflare.net\n* Attacks to servers under *.cdn.cloudflare.net (These servers belong to our customers and are not maintained by Cloudflare).\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing Best Practice, Configuration or Policy Suggestions including SSL/TLS configurations.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Output from Automated Scanners without a PoC to demonstrate a specific vulnerability.\n* Lack of Secure or HTTP only flag on non-sensitive cookies.\n* Email configuration issues without a PoC to demonstrate a specific flaw.\n* Broken links without demonstrating an attack\n* SaaS applications, even if published under the cloudflare.com domain. \n* Open redirects without demonstrating an attack\n* All Area1 products are currently out of scope\n* Issues with apps on the Cloudflare marketplace that are created by third parties\n \nNote: We have identified a problem in our sanitization library on dash.cloudflare.com which can cause XSS. We are aware of the issue and are working to fix it. We will not award bounties for XSS reported on dash.cloudflare.com as it would be a duplicate report. Thank you to the researchers who originally reported this issue. This note will be removed once the issue is fixed.\n \nNote: Mobilesdk is a product that we are sunsetting. 
Bounty for reports on this product will be awarded on a case-by-case basis at our sole discretion.\n\nAny of the activities below will result in disqualification from the program permanently:\n* Social engineering of Cloudflare employees, contractors, vendors, or service providers.\n* Physical attacks against Cloudflare employees, offices, and data centers.\n* Any Denial of Service attacks against Cloudflare and our products.\n* Any vulnerability obtained through the compromise of a Cloudflare customer or employee account. Please create a free account to test potential vulnerabilities. \n* Attempts to access/compromise customer assets that use Cloudflare.\n* Attempts to access/compromise Cloudflare's China network.\n* Attempts to access/compromise any 3rd party vendor that Cloudflare uses.\n* Attacks against the integrity of Cloudflare customers.\n \n# Guidelines for Testing\nPlease be considerate when testing our infrastructure. Failure to follow these guidelines will lead to disqualification from the Cloudflare Bug Bounty program.\n* Make sure that scanners have a narrow scope set that is limited to authorized Cloudflare IPs only. Aggressive, overly broad scans or those which include Cloudflare customer IPs without permission will be considered invalid.\n* Do not send unsolicited bulk messages (spam) or unauthorized messages.\n* Do not knowingly post, transmit, upload, link to, or send any malware.\n* Do not attack Cloudflare customers, partners or suppliers.\n* Testing should be done from a Cloudflare account associated with your @wearehackerone.com email address.\n\n### Leaked credentials\nCloudflare appreciates researchers who take time to report leaked credentials. If you discover what looks like valid Cloudflare employee, customer or partner credentials, immediately submit a report to Cloudflare who will determine the validity of the leaked credentials. 
Please do not attempt to verify the validity of the credentials yourself by attempting to authenticate with the credentials. This makes triage more difficult, and will lead to the report being ineligible for a bounty. Additionally, keep in mind that Cloudflare cannot authorize testing against third-parties. **Under no circumstances should you use leaked Cloudflare employee, customer or partner credentials to access non-public information.**\n \n# Reporting\nIf you believe you have found a security vulnerability that could impact Cloudflare or our users, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. We ask that you follow Cloudflare's [Vulnerability Disclosure Policy](https://www.cloudflare.com/disclosure/) and HackerOne's [Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines) and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research.\n \n# Recommended Report Format\nSubmitting high quality reports is highly encouraged. Please address the following bits of information in your report to demonstrate the quality of the vulnerability. Reports that are low quality and unclear will be closed. This recommended format will help you create a report that is in a readable format and contains all the information needed by Cloudflare.\n\n* Affected target, feature, or URL:\n* Description of problem:\n* Impact of the issue:\n* Steps to reproduce:\n* Proof of Concept:\n* Is knowledge of this issue currently public?\n \n# Eligibility \nIn order for your submission to be eligible:\n\n* You must agree to this policy.\n* You must be the first person to responsibly disclose an unknown issue.\n* Follow the testing guidelines set above.\n* All attacks must be executed against your own test environment. You can sign up for a free Cloudflare account and use it for testing. 
**DO NOT ATTACK CLOUDFLARE'S CUSTOMERS.**\n\nAll legitimate reports will be reviewed and assessed by Cloudflare's security team to determine eligibility.\n\n# Disclosure\nCloudflare wants to review and approve any public disclosure. We approve disclosures when the issue is resolved or has passed 90 days since acceptance. \nIf you want to publicly share your research about Cloudflare at a conference, in a blog or any other public forum, you should share a draft with us for review and approval at least 7 days prior to the publication date. Please note that the following should not be included:\n* Data regarding any Cloudflare customer instances\n* Cloudflare customers' data\n* information about Cloudflare employees, contractors or partners\n \n\n# Privacy Policy, Restrictions and Taxes\nCloudflare maintains both a [privacy policy](https://www.cloudflare.com/privacypolicy/) and [transparency report](https://www.cloudflare.com/transparency/).\n \nAs mentioned in our Privacy and Security Policy, Cloudflare's website and services are not intended for, or designed to attract individuals under the age of 18. Due to the Children's Online Privacy Protection Act (COPPA), we cannot accept submissions from children under the age of 13. Reporters under the age of 18 will not be eligible to receive Cloudflare service rewards. We may find another way to recognize your effort at our discretion.\n \nThis program is not open to any individual on, or anyone residing in any country on, any U.S. sanctions lists. Cloudflare employees and their family members are not eligible for bounties.\n \nThe decision to pay a reward is entirely at our discretion. You must not violate any law. You are responsible for any tax implications or additional restrictions depending on your country and local law. 
We reserve the right to cancel this program at any time.\n","has_open_scope":true,"pays_within_one_month":false,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Welcome to Cloudflare's public bug bounty program! ","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-08-26T23:03:38.633Z"},{"id":3737140,"new_policy":"# Our Values\nCloudflare appreciates the work of security researchers, and we take security, trust, and transparency seriously. We developed a program to make it easier to report vulnerabilities to Cloudflare and to recognize you for your efforts to make the Internet a better place.\n\nFor research into our products, good starting points include our [Developer documentation](https://developers.cloudflare.com/docs/), [API documentation](https://api.cloudflare.com/#getting-started-endpoints), the [Learning Center](https://www.cloudflare.com/learning/), and any material on the [Cloudflare support forums](https://community.cloudflare.com/).\n \n# \"Any Updates?\" - Aka Microblog\nApril 2024\nWe have our newest May Mania! It is applicable for reports on Workers, a flagship Cloudflare product.\n\n**In-scope**\n\n1. [Workers Core Platform](https://developers.cloudflare.com/workers/)\n- Cron/Scheduled triggers\n- Workers Edge Preview\n2. [Workers KV](https://developers.cloudflare.com/kv/)\n- Workers KV API\n3. [Durable Objects](https://developers.cloudflare.com/durable-objects/)\n4. [Hyperdrive](https://developers.cloudflare.com/hyperdrive/)\n5. [Workerd](https://github.com/cloudflare/workerd)\n- The maximum reward for exploitable memory corruption issues remains $10,000\n6. 
[lol-html](https://github.com/cloudflare/lol-html)\n\n**Example In-Scope Attack Scenarios:**\n\n* Sandbox escape leading to code execution\n* Access to data of other customers (please create two accounts for testing)\n* Crashing the runtime in a way that affects other customers (workerd can be used to run workers locally)\n\n**Out-of-Scope:**\n\n* All other Workers-related products (Queues, D1 etc.)\n* Workers Playground / cloudflareworkers.com\n* Vulnerabilities in the Cloudflare Wrangler/Workers SDK tools\n* Issues with RBAC/privilege escalation within the same Cloudflare account\n* Exceeding free limits or resource limits unless this crashes the runtime\n* Bugs without a security impact or that cannot reasonably be exploited\n* Vulnerabilities related to payment abuse in WARP+ (e.g. obtaining WARP+ for free)\n\nPlease note that for this campaign, it is mandatory to show a working proof of concept with all the detailed steps to reproduce it.\n\n# Rewards\nCloudflare awards bounties based on severity using the Common Vulnerability Scoring System (CVSS) version 3.\n \nPlease note that these are general guidelines for rewards, and that reward decisions are at the discretion of Cloudflare. Issues may receive a lower severity rating due to mitigating factors, Cloudflare’s assessment of business risk, or other context. All pricing is in USD.\n \n| Severity |  Critical (9.0 - 10.0) | High (7.0 - 8.9) | Medium (4.0 - 6.9)  |   Low (0.1 - 3.9)  |\n| --- | --- | --- | --- | --- |\n| **Primary Targets**  | $3,000   |  $1,000   |  $500   | $250 |\n| **Secondary Targets**  |  $2,700    |  $750   |  $350   |   $200  |\n| **Other** | $2,100 | $500 | $200 | $100 |\n\nExploitable memory corruption reports in [workerd](https://github.com/cloudflare/workerd) will be awarded $10,000.\nV8 bugs are not in scope for this program. 
Please report them at https://v8.dev/docs/security-bugs.\n\n# Response Times\n* First Response: 2 days\n* Time to Triage: 2 days\n* Time to Bounty: 10 days\n* Time to Resolution: depends on severity and complexity\n\n# Collaborate with other hackers!\nIf your report is the product of collaboration, please add your collaborators before a bounty is awarded. [Let us know here](https://docs.google.com/forms/d/e/1FAIpQLSdGCbnBDcATSFeByRG0f5pBMRpEAzuJ0wXPC3jlscp3F7qOwg/viewform?urp=gmail_link) if you have questions!\n \n# Program Rules\n* By participating in this program, you agree to not discuss or otherwise disclose your ongoing work under this program or any vulnerabilities with parties outside of the program without explicit consent from Cloudflare, except as provided below.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Please provide a realistic attack scenario including prerequisites for an attack and expected gains after the exploitation. Reports without such a scenario, with unrealistic assumptions or without meaningful outcomes will not be eligible for reward.\n* Eligibility for rewards is at Cloudflare’s sole discretion.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities in order to demonstrate impact.\n* Once you find a vulnerability, report it and reach out to us before pivoting.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded only one bounty.\n* Do not store any Cloudflare IP or PII information once the report is submitted.\n \n# Scope\nPlease see our classifications for primary targets and secondary targets. 
We may still reward reports with significant security impact on anything owned by Cloudflare, so we encourage you to report such bugs via this program.\n \n## Scope: Primary Targets\nProducts listed under the Cloudflare Products tab on [our website](https://www.cloudflare.com/) are in scope as a primary target, excluding our China network which is hosted by a partner. Current in-scope products include:\n* Stream\n* 1.1.1.1 resolver\n* 1.1.1.1/WARP Android and iOS apps\n* Magic Transit\n* Cloudflare Pages\n* Cloudflare Workers\n* Cloudflare Tunnel\n* Spectrum\n* Load Balancing\n* AMP Real URL\n* CDNJS\n* Bot Management\n* WAF\n* WARP clients (desktop/mobile)\n* [workerd](https://github.com/cloudflare/workerd)\n* Cloudflare D1\n* Cloudflare DNS\n* Cloudflare CASB\n* Cloudflare Access\n* Cache\n* Magic Firewall\n* Zaraz\n* China Network\n* API Shield\n* Gateway\n* Browser Isolation\n* Images\n* AI Platform (Constellation, Vectorize)\n* Workers KV\n* Hyperdrive\n* Durable Objects\n* Rate Limiting\n* Analytics\n* Turnstile\n* Waiting Room\n* Magic WAN\n* DLP\n* SSL/TLS\n\n## Scope: Secondary Targets\n* dash.cloudflare.com\n* one.dash.cloudflare.com\n* APIs listed on api.cloudflare.com\n \n## Scope: Other\n* *.cloudflare.com (e.g. blog.cloudflare.com, www.cloudflare.com, etc.)\n* Open source products created by Cloudflare (github.com/cloudflare)\n* *.cloudflarepartners.com\n* Anything owned by Cloudflare not listed in primary targets (e.g. cloudflareworkers.com, rpki.cloudflare.com, etc.)\n \n# Ineligible Vulnerability Types\nCloudflare does not consider the following to be eligible vulnerabilities under this program. In most cases, these issues will be closed as **Not Applicable:**\n\n## XSS in Cloudflare Workers\nThe entire purpose of Workers is to allow customers to run their own JavaScript, called from their website. As a consequence, it will be possible for visitors to the site to explicitly call those functions. 
However, Workers runs in an iframe sandbox, disconnected from the rest of the customer's website. XSS attacks only impact security if they can run in the context of dash.cloudflare.com or any domain where it affects the currently logged-in Cloudflare user.\n(https://sites.google.com/site/bughunteruniversity/nonvuln/xss-in-sandbox-domain)\n\n## Security issue on origin server\nA vulnerability is out of scope if it exists on the origin server and not in a service that Cloudflare provides. If an exploit relies on the reporter configuring their origin in an insecure and non-default/uncommon way (for example, cache poisoning, subdomain takeovers, etc.), we cannot fix the vulnerability.\n\n## Social Engineering\nAny form of social engineering attack will be considered out of scope. For example:\n* Pre-authenticated Clickjacking\n* Phishing\n* Impersonating Cloudflare in emails\n* Convincing customer support to do something on behalf of another user\n\n## WAF Bypasses\nWe consider WAF bypasses an enhancement to our WAF product rather than bugs, and any related reports will be closed out as Informative. All WAF bypass reports need to be reproducible on our test site https://waf.cumulusfire.net/xss. You are free to use this site for testing. WAF bypasses that are considered innovative or interesting may receive a bonus at the program's discretion. WAF bypass reports may also be closed as Duplicate if they are similar to past submissions.\n \n## Broken Links and abandoned cloud resources\nWe consider fixes for reported broken links, including links to abandoned cloud resources, as enhancements to our products and websites rather than bugs. Reports of broken links will not be awarded. Cloud resource takeovers will be awarded a payout of $50 unless an actual vulnerability is demonstrated by a proof-of-concept. 
If a PoC is provided, it will be awarded in accordance with the standard rewards table.\n\n# Out of Scope\nWe will accept out of scope reports and evaluate them on a case-by-case basis at our sole discretion.\n\nThe following issues are considered out of scope:\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Subdomain takeovers under *.cdn.cloudflare.net.\n* Attacks on servers under *.cdn.cloudflare.net (these servers belong to our customers and are not maintained by Cloudflare).\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing Best Practice, Configuration or Policy Suggestions including SSL/TLS configurations.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Output from Automated Scanners without a PoC to demonstrate a specific vulnerability.\n* Lack of Secure or HttpOnly flag on non-sensitive cookies.\n* Email configuration issues without a PoC to demonstrate a specific flaw.\n* Broken links without demonstrating an attack.\n* SaaS applications, even if published under the cloudflare.com domain.\n* Open redirects without demonstrating an attack.\n* All Area1 products are currently out of scope.\n* Issues with apps on the Cloudflare marketplace that are created by third parties.\n \nNote: We have identified a problem in our sanitization library on dash.cloudflare.com which can cause XSS. We are aware of the issue and are working to fix it. We will not award bounties for XSS reported on dash.cloudflare.com as it would be a duplicate report. Thank you to the researchers who originally reported this issue. 
This note will be removed once the issue is fixed.\n \nNote: Mobilesdk is a product that we are sunsetting. Bounty for reports on this product will be awarded on a case-by-case basis at our sole discretion.\n\nAny of the activities below will result in disqualification from the program permanently:\n* Social engineering of Cloudflare employees, contractors, vendors, or service providers.\n* Physical attacks against Cloudflare employees, offices, and data centers.\n* Any Denial of Service attacks against Cloudflare and our products.\n* Any vulnerability obtained through the compromise of a Cloudflare customer or employee account. Please create a free account to test potential vulnerabilities.\n* Attempts to access/compromise customer assets that use Cloudflare.\n* Attempts to access/compromise Cloudflare's China network.\n* Attempts to access/compromise any third-party vendor that Cloudflare uses.\n* Attacks against the integrity of Cloudflare customers.\n \n# Guidelines for Testing\nPlease be considerate when testing our infrastructure. Failure to follow these guidelines will lead to disqualification from the Cloudflare Bug Bounty program.\n* Make sure that scanners have a narrow scope set that is limited to authorized Cloudflare IPs only. Aggressive, overly broad scans or those which include Cloudflare customer IPs without permission will be considered invalid.\n* Do not send unsolicited bulk messages (spam) or unauthorized messages.\n* Do not knowingly post, transmit, upload, link to, or send any malware.\n* Do not attack Cloudflare customers, partners or suppliers.\n* Testing should be done from a Cloudflare account associated with your @wearehackerone.com email address.\n\n### Leaked credentials\nCloudflare appreciates researchers who take time to report leaked credentials. If you discover what looks like valid Cloudflare employee, customer or partner credentials, immediately submit a report to Cloudflare, who will determine the validity of the leaked credentials. 
Please do not attempt to verify the validity of the credentials yourself by attempting to authenticate with the credentials. This makes triage more difficult, and will lead to the report being ineligible for a bounty. Additionally, keep in mind that Cloudflare cannot authorize testing against third parties. **Under no circumstances should you use leaked Cloudflare employee, customer or partner credentials to access non-public information.**\n \n# Reporting\nIf you believe you have found a security vulnerability that could impact Cloudflare or our users, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. We ask that you follow Cloudflare's [Vulnerability Disclosure Policy](https://www.cloudflare.com/disclosure/) and HackerOne's [Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines) and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research.\n \n# Recommended Report Format\nSubmitting high quality reports is highly encouraged. Please address the following pieces of information in your report to demonstrate the quality of the vulnerability. Reports that are low quality and unclear will be closed. This recommended format will help you create a report that is in a readable format and contains all the information needed by Cloudflare.\n* Affected target, feature, or URL:\n* Description of problem:\n* Impact of the issue:\n* Steps to reproduce:\n* Proof of Concept:\n* Is knowledge of this issue currently public?\n \n# Eligibility\nIn order for your submission to be eligible:\n* You must agree to this policy.\n* You must be the first person to responsibly disclose an unknown issue.\n* Follow the testing guidelines set above.\n* All attacks must be executed against your own test environment. You can sign up for a free Cloudflare account and use it for testing. 
**DO NOT ATTACK CLOUDFLARE'S CUSTOMERS.**\n\nAll legitimate reports will be reviewed and assessed by Cloudflare's security team to determine eligibility.\n\n# Disclosure\nCloudflare wants to review and approve any public disclosure. We approve disclosures when the issue is resolved or has passed 90 days since acceptance.\nIf you want to publicly share your research about Cloudflare at a conference, in a blog or any other public forum, you should share a draft with us for review and approval at least 7 days prior to the publication date. Please note that the following should not be included:\n* Data regarding any Cloudflare customer instances\n* Cloudflare customers' data\n* Information about Cloudflare employees, contractors or partners\n\n# Privacy Policy, Restrictions and Taxes\nCloudflare maintains both a [privacy policy](https://www.cloudflare.com/privacypolicy/) and [transparency report](https://www.cloudflare.com/transparency/).\n \nAs mentioned in our Privacy and Security Policy, Cloudflare's website and services are not intended for, or designed to attract, individuals under the age of 18. Due to the Children's Online Privacy Protection Act (COPPA), we cannot accept submissions from children under the age of 13. Reporters under the age of 18 will not be eligible to receive Cloudflare service rewards. We may find another way to recognize your effort at our discretion.\n \nThis program is not open to any individual on, or anyone residing in any country on, any U.S. sanctions lists. Cloudflare employees and their family members are not eligible for bounties.\n \nThe decision to pay a reward is entirely at our discretion. You must not violate any law. You are responsible for any tax implications or additional restrictions depending on your country and local law. 
We reserve the right to cancel this program at any time.\n","has_open_scope":true,"pays_within_one_month":false,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Welcome to Cloudflare's public bug bounty program! ","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-08-26T22:59:26.165Z"},{"id":3735397,"new_policy":"# Our Values\nCloudflare appreciates the work of security researchers, and we take security, trust, and transparency seriously. We developed a program to make it easier to report vulnerabilities to Cloudflare and to recognize you for your efforts to make the Internet a better place.\n\nFor research into our products, good starting points include our [Developer documentation](https://developers.cloudflare.com/docs/), [API documentation](https://api.cloudflare.com/#getting-started-endpoints), the [Learning Center](https://www.cloudflare.com/learning/), and any material on the [Cloudflare support forums](https://community.cloudflare.com/).\n \n# \"Any Updates?\" - aka Microblog\nApril 2024\nWe have our newest May Mania! It is applicable for reports on Workers, a flagship Cloudflare product.\n\n**In-scope**\n\n1. [Workers Core Platform](https://developers.cloudflare.com/workers/)\n- Cron/Scheduled triggers\n- Workers Edge Preview\n2. [Workers KV](https://developers.cloudflare.com/kv/)\n- Workers KV API\n3. [Durable Objects](https://developers.cloudflare.com/durable-objects/)\n4. [Hyperdrive](https://developers.cloudflare.com/hyperdrive/)\n5. [Workerd](https://github.com/cloudflare/workerd)\n- The maximum reward for exploitable memory corruption issues remains $10,000\n6. 
[lol-html](https://github.com/cloudflare/lol-html)\n\n**Example In-Scope Attack Scenarios:**\n\n* Sandbox escape leading to code execution\n* Access to data of other customers (please create two accounts for testing)\n* Crashing the runtime in a way that affects other customers (workerd can be used to run workers locally)\n\n**Out-of-Scope:**\n\n* All other Workers-related products (Queues, D1, etc.)\n* Workers Playground / cloudflareworkers.com\n* Vulnerabilities in the Cloudflare Wrangler/Workers SDK tools\n* Issues with RBAC/privilege escalation within the same Cloudflare account\n* Exceeding free limits or resource limits unless this crashes the runtime\n* Bugs without a security impact or that cannot reasonably be exploited\n* Vulnerabilities related to payment abuse in WARP+ (e.g. obtaining WARP+ for free)\n\nPlease note that for this campaign, it is mandatory to show a working proof of concept with all the detailed steps to reproduce it.\n\n# Rewards\nCloudflare awards bounties based on severity using the Common Vulnerability Scoring System (CVSS) version 3.\n \nPlease note that these are general guidelines for rewards, and that reward decisions are at the discretion of Cloudflare. Issues may receive a lower severity rating due to mitigating factors, Cloudflare’s assessment of business risk, or other context. All pricing is in USD.\n \n| Severity | Critical (9.0 - 10.0) | High (7.0 - 8.9) | Medium (4.0 - 6.9) | Low (0.1 - 3.9) |\n| --- | --- | --- | --- | --- |\n| **Primary Targets** | $3,000 | $1,000 | $500 | $250 |\n| **Secondary Targets** | $2,700 | $750 | $350 | $200 |\n| **Other** | $2,100 | $500 | $200 | $100 |\n\nExploitable memory corruption reports in [workerd](https://github.com/cloudflare/workerd) will be awarded $10,000.\nV8 bugs are not in scope for this program. 
Please report them at https://v8.dev/docs/security-bugs.\n\n# Response Times\n* First Response: 2 days\n* Time to Triage: 2 days\n* Time to Bounty: 10 days\n* Time to Resolution: depends on severity and complexity\n\n# Collaborate with other hackers!\nIf your report is the product of collaboration, please add your collaborators before a bounty is awarded. [Let us know here](https://docs.google.com/forms/d/e/1FAIpQLSdGCbnBDcATSFeByRG0f5pBMRpEAzuJ0wXPC3jlscp3F7qOwg/viewform?urp=gmail_link) if you have questions!\n \n# Program Rules\n* By participating in this program, you agree to not discuss or otherwise disclose your ongoing work under this program or any vulnerabilities with parties outside of the program without explicit consent from Cloudflare, except as provided below.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Please provide a realistic attack scenario including prerequisites for an attack and expected gains after the exploitation. Reports without such a scenario, with unrealistic assumptions or without meaningful outcomes will not be eligible for a reward.\n* Eligibility for rewards is at Cloudflare’s sole discretion.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities in order to demonstrate impact.\n* Once you find a vulnerability, report it and reach out to us before pivoting.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded only one bounty.\n* Do not store any Cloudflare IP or PII information once the report is submitted.\n \n# Scope\nPlease see our classifications for primary targets and secondary targets. 
We may still reward reports with significant security impact on anything owned by Cloudflare, so we encourage you to report such bugs via this program.\n \n## Scope: Primary Targets\nProducts listed under the Cloudflare Products tab on [our website](https://www.cloudflare.com/) are in scope as a primary target, excluding our China network which is hosted by a partner. Current in-scope products include:\n* Stream\n* 1.1.1.1 resolver\n* 1.1.1.1/WARP Android and iOS apps\n* Magic Transit\n* Cloudflare Pages\n* Cloudflare Workers\n* Cloudflare Tunnel\n* Spectrum\n* Load Balancing\n* AMP Real URL\n* CDNJS\n* Bot Management\n* WAF\n* WARP clients (desktop/mobile)\n* [workerd](https://github.com/cloudflare/workerd)\n* Cloudflare D1\n* Cloudflare DNS\n* Cloudflare CASB\n* Cloudflare Access\n* Cache\n* Magic Firewall\n* Zaraz\n* China Network\n* API Shield\n* Gateway\n* Browser Isolation\n* Images\n* AI Platform (Constellation, Vectorize)\n* Workers KV\n* Hyperdrive\n* Durable Objects\n* Rate Limiting\n* Analytics\n* Turnstile\n* Waiting Room\n* Magic WAN\n* DLP\n* SSL/TLS\n\n## Scope: Secondary Targets\n* dash.cloudflare.com\n* one.dash.cloudflare.com\n* APIs listed on api.cloudflare.com\n \n## Scope: Other\n* *.cloudflare.com (e.g. blog.cloudflare.com, www.cloudflare.com, etc.)\n* Open source products created by Cloudflare (github.com/cloudflare)\n* *.cloudflarepartners.com\n* Anything owned by Cloudflare not listed in primary targets (e.g. cloudflareworkers.com, rpki.cloudflare.com, etc.)\n \n# Ineligible Vulnerability Types\nCloudflare does not consider the following to be eligible vulnerabilities under this program. In most cases, these issues will be closed as **Not Applicable:**\n\n## XSS in Cloudflare Workers\nThe entire purpose of Workers is to allow customers to run their own JavaScript, called from their website. As a consequence, it will be possible for visitors to the site to explicitly call those functions. 
However, Workers runs in an iframe sandbox, disconnected from the rest of the customer's website. XSS attacks only impact security if they can run in the context of dash.cloudflare.com or any domain where it affects the currently logged-in Cloudflare user.\n(https://sites.google.com/site/bughunteruniversity/nonvuln/xss-in-sandbox-domain)\n\n## Security issue on origin server\nA vulnerability is out of scope if it exists on the origin server and not in a service that Cloudflare provides. If an exploit relies on the reporter configuring their origin in an insecure and non-default/uncommon way (for example, cache poisoning, subdomain takeovers, etc.), we cannot fix the vulnerability.\n\n## Social Engineering\nAny form of social engineering attack will be considered out of scope. For example:\n* Pre-authenticated Clickjacking\n* Phishing\n* Impersonating Cloudflare in emails\n* Convincing customer support to do something on behalf of another user\n\n## WAF Bypasses\nWe consider WAF bypasses an enhancement to our WAF product rather than bugs, and any related reports will be closed out as Informative. All WAF bypass reports need to be reproducible on our test site https://waf.cumulusfire.net/xss. You are free to use this site for testing. WAF bypasses that are considered innovative or interesting may receive a bonus at the program's discretion. WAF bypass reports may also be closed as Duplicate if they are similar to past submissions.\n \n## Broken Links and abandoned cloud resources\nWe consider fixes for reported broken links, including links to abandoned cloud resources, as enhancements to our products and websites rather than bugs. Reports of broken links will not be awarded. Cloud resource takeovers will be awarded a payout of $50 unless an actual vulnerability is demonstrated by a proof-of-concept. 
If a PoC is provided, it will be awarded in accordance with the standard rewards table.\n\n# Out of Scope\nWe will accept out of scope reports and evaluate them on a case-by-case basis at our sole discretion.\n\nThe following issues are considered out of scope:\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Subdomain takeovers under *.cdn.cloudflare.net.\n* Attacks on servers under *.cdn.cloudflare.net (these servers belong to our customers and are not maintained by Cloudflare).\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing Best Practice, Configuration or Policy Suggestions including SSL/TLS configurations.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Output from Automated Scanners without a PoC to demonstrate a specific vulnerability.\n* Lack of Secure or HttpOnly flag on non-sensitive cookies.\n* Email configuration issues without a PoC to demonstrate a specific flaw.\n* Broken links without demonstrating an attack.\n* SaaS applications, even if published under the cloudflare.com domain.\n* Open redirects without demonstrating an attack.\n* All Area1 products are currently out of scope.\n* Issues with apps on the Cloudflare marketplace that are created by third parties.\n \nNote: We have identified a problem in our sanitization library on dash.cloudflare.com which can cause XSS. We are aware of the issue and are working to fix it. We will not award bounties for XSS reported on dash.cloudflare.com as it would be a duplicate report. Thank you to the researchers who originally reported this issue. 
This note will be removed once the issue is fixed.\n \nNote: Mobilesdk is a product that we are sunsetting. Bounty for reports on this product will be awarded on a case-by-case basis at our sole discretion.\n\nAny of the activities below will result in disqualification from the program permanently:\n* Social engineering of Cloudflare employees, contractors, vendors, or service providers.\n* Physical attacks against Cloudflare employees, offices, and data centers.\n* Any Denial of Service attacks against Cloudflare and our products.\n* Any vulnerability obtained through the compromise of a Cloudflare customer or employee account. Please create a free account to test potential vulnerabilities.\n* Attempts to access/compromise customer assets that use Cloudflare.\n* Attempts to access/compromise Cloudflare's China network.\n* Attempts to access/compromise any third-party vendor that Cloudflare uses.\n* Attacks against the integrity of Cloudflare customers.\n \n# Guidelines for Testing\nPlease be considerate when testing our infrastructure. Failure to follow these guidelines will lead to disqualification from the Cloudflare Bug Bounty program.\n* Make sure that scanners have a narrow scope set that is limited to authorized Cloudflare IPs only. Aggressive, overly broad scans or those which include Cloudflare customer IPs without permission will be considered invalid.\n* Do not send unsolicited bulk messages (spam) or unauthorized messages.\n* Do not knowingly post, transmit, upload, link to, or send any malware.\n* Do not attack Cloudflare customers, partners or suppliers.\n* Testing should be done from a Cloudflare account associated with your @wearehackerone.com email address.\n\n### Leaked credentials\nCloudflare appreciates researchers who take time to report leaked credentials. If you discover what looks like valid Cloudflare employee, customer or partner credentials, immediately submit a report to Cloudflare, who will determine the validity of the leaked credentials. 
Please do not attempt to verify the validity of the credentials yourself by attempting to authenticate with the credentials. This makes triage more difficult, and will lead to the report being ineligible for a bounty. Additionally, keep in mind that Cloudflare cannot authorize testing against third parties. **Under no circumstances should you use leaked Cloudflare employee, customer or partner credentials to access non-public information.**\n \n# Reporting\nIf you believe you have found a security vulnerability that could impact Cloudflare or our users, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. We ask that you follow Cloudflare's [Vulnerability Disclosure Policy](https://www.cloudflare.com/disclosure/) and HackerOne's [Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines) and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research.\n \n# Recommended Report Format\nSubmitting high quality reports is highly encouraged. Please address the following pieces of information in your report to demonstrate the quality of the vulnerability. Reports that are low quality and unclear will be closed. This recommended format will help you create a report that is in a readable format and contains all the information needed by Cloudflare.\n* Affected target, feature, or URL:\n* Description of problem:\n* Impact of the issue:\n* Steps to reproduce:\n* Proof of Concept:\n* Is knowledge of this issue currently public?\n \n# Eligibility\nIn order for your submission to be eligible:\n* You must agree to this policy.\n* You must be the first person to responsibly disclose an unknown issue.\n* Follow the testing guidelines set above.\n* All attacks must be executed against your own test environment. You can sign up for a free Cloudflare account and use it for testing. 
**DO NOT ATTACK CLOUDFLARE'S CUSTOMERS.**\n\nAll legitimate reports will be reviewed and assessed by Cloudflare's security team to determine eligibility.\n\n# Disclosure\nCloudflare wants to review and approve any public disclosure. We approve disclosures when the issue is resolved or has passed 90 days since acceptance.\nIf you want to publicly share your research about Cloudflare at a conference, in a blog or any other public forum, you should share a draft with us for review and approval at least 7 days prior to the publication date. Please note that the following should not be included:\n* Data regarding any Cloudflare customer instances\n* Cloudflare customers' data\n* Information about Cloudflare employees, contractors or partners\n\n# Privacy Policy, Restrictions and Taxes\nCloudflare maintains both a [privacy policy](https://www.cloudflare.com/privacypolicy/) and [transparency report](https://www.cloudflare.com/transparency/).\n \nAs mentioned in our Privacy and Security Policy, Cloudflare's website and services are not intended for, or designed to attract, individuals under the age of 18. Due to the Children's Online Privacy Protection Act (COPPA), we cannot accept submissions from children under the age of 13. Reporters under the age of 18 will not be eligible to receive Cloudflare service rewards. We may find another way to recognize your effort at our discretion.\n \nThis program is not open to any individual on, or anyone residing in any country on, any U.S. sanctions lists. Cloudflare employees and their family members are not eligible for bounties.\n \nThe decision to pay a reward is entirely at our discretion. You must not violate any law. You are responsible for any tax implications or additional restrictions depending on your country and local law. 
We reserve the right to cancel this program at any time.\n","has_open_scope":true,"pays_within_one_month":false,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-08-07T15:06:54.785Z"},{"id":3732389,"new_policy":"# Our Values\nCloudflare appreciates the work of security researchers, and we take security, trust, and transparency seriously. We developed a program to make it easier to report vulnerabilities to Cloudflare and to recognize you for your efforts to make the Internet a better place.\n\nFor research into our products, good starting points include our [Developer documentation](https://developers.cloudflare.com/docs/), [API documentation](https://api.cloudflare.com/#getting-started-endpoints), the [Learning Center](https://www.cloudflare.com/learning/), and any material on the [Cloudflare support forums](https://community.cloudflare.com/).\n \n# \"Any Updates?\" - aka Microblog\nApril 2024\nWe have our newest May Mania! It is applicable for reports on Workers, a flagship Cloudflare product.\n\n**In-scope**\n\n1. [Workers Core Platform](https://developers.cloudflare.com/workers/)\n- Cron/Scheduled triggers\n- Workers Edge Preview\n2. [Workers KV](https://developers.cloudflare.com/kv/)\n- Workers KV API\n3. [Durable Objects](https://developers.cloudflare.com/durable-objects/)\n4. [Hyperdrive](https://developers.cloudflare.com/hyperdrive/)\n5. [Workerd](https://github.com/cloudflare/workerd)\n- The maximum reward for exploitable memory corruption issues remains $10,000\n6. 
[lol-html](https://github.com/cloudflare/lol-html)\n\n**Example In-Scope Attack Scenarios:**\n\n* Sandbox escape leading to code execution\n* Access to data of other customers (please create two accounts for testing)\n* Crashing the runtime in a way that affects other customers (workerd can be used to run workers locally)\n\n**Out-of-Scope:**\n\n* All other Workers-related products (Queues, D1, etc.)\n* Workers Playground / cloudflareworkers.com\n* Vulnerabilities in the Cloudflare Wrangler/Workers SDK tools\n* Issues with RBAC/privilege escalation within the same Cloudflare account\n* Exceeding free limits or resource limits unless this crashes the runtime\n* Bugs without a security impact or that cannot reasonably be exploited\n* Vulnerabilities related to payment abuse in WARP+ (e.g. obtaining WARP+ for free)\n\nPlease note that for this campaign, it is mandatory to show a working proof of concept with all the detailed steps to reproduce it.\n\n# Rewards\nCloudflare awards bounties based on severity using the Common Vulnerability Scoring System (CVSS) version 3.\n \nPlease note that these are general guidelines for rewards, and that reward decisions are at the discretion of Cloudflare. Issues may receive a lower severity rating due to mitigating factors, Cloudflare’s assessment of business risk, or other context. All pricing is in USD.\n \n| Severity | Critical (9.0 - 10.0) | High (7.0 - 8.9) | Medium (4.0 - 6.9) | Low (0.1 - 3.9) |\n| --- | --- | --- | --- | --- |\n| **Primary Targets** | $3,000 | $1,000 | $500 | $250 |\n| **Secondary Targets** | $2,700 | $750 | $350 | $200 |\n| **Other** | $2,100 | $500 | $200 | $100 |\n\nExploitable memory corruption reports in [workerd](https://github.com/cloudflare/workerd) will be awarded $10,000.\nV8 bugs are not in scope for this program. 
Please report them at https://v8.dev/docs/security-bugs.\n\n# Response Times\n* First Response: 2 days\n* Time to Triage: 2 days\n* Time to Bounty: 10 days\n* Time to Resolution: depends on severity and complexity\n\n# Collaborate with other hackers!\nIf your report is the product of collaboration, please add your collaborators before a bounty is awarded. [Let us know here](https://docs.google.com/forms/d/e/1FAIpQLSdGCbnBDcATSFeByRG0f5pBMRpEAzuJ0wXPC3jlscp3F7qOwg/viewform?urp=gmail_link) if you have questions!\n \n# Program Rules\n* By participating in this program, you agree to not discuss or otherwise disclose your ongoing work under this program or any vulnerabilities with parties outside of the program without explicit consent from Cloudflare, except as provided below.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Please provide a realistic attack scenario including prerequisites for an attack and expected gains after the exploitation. Reports without such a scenario, with unrealistic assumptions or without meaningful outcomes will not be eligible for a reward.\n* Eligibility for rewards is at Cloudflare’s sole discretion.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities in order to demonstrate impact.\n* Once you find a vulnerability, report it and reach out to us before pivoting.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded only one bounty.\n* Do not store any Cloudflare IP or PII information once the report is submitted.\n \n# Scope\nPlease see our classifications for primary targets and secondary targets. 
We may still reward reports with significant security impact on anything owned by Cloudflare, so we encourage you to report such bugs via this program.\n \n## Scope: Primary Targets\nProducts listed under the Cloudflare Products tab on [our website](https://www.cloudflare.com/) are in scope as a primary target, excluding our China network which is hosted by a partner. Current in scope products include:\n* Stream\n* 1.1.1.1 resolver\n* 1.1.1.1/WARP Android and iOS apps\n* Magic Transit\n* Cloudflare Pages\n* Cloudflare Workers\n* Cloudflare Tunnel\n* Spectrum\n* Load Balancing\n* AMP Real URL\n* CDNJS\n* Bot Management\n* WAF\n* WARP clients (desktop/mobile)\n* [workerd](https://github.com/cloudflare/workerd)\n* Cloudflare D1\n* Cloudflare DNS \n* Cloudflare CASB\n* Cloudflare Access \n*  Cache\n* Magic Firewall\n* Zaraz\n* China Network\n* API Shield\n* Gateway\n* Browser Isolation\n* Images\n* AI Platform (Constellation, Vectorize)\n* Workers KV\n* Hyperdrive\n* Durable Objects\n* Rate Limiting \n* Analytics\n* Turnstile\n* Waiting Room\n* Magic WAN\n* DLP\n* SSL/TLS\n\n## Scope: Secondary Targets\n* dash.cloudflare.com\n* one.dash.cloudflare.com\n* APIs listed on api.cloudflare.com\n \n## Scope: Other\n*  *.cloudflare.com (e.g. blog.cloudflare.com, www.cloudflare.com, etc.)\n* Open source products created by Cloudflare (github.com/cloudflare)\n* *.cloudflarepartners.com\n* Anything owned by Cloudflare not listed in primary targets (e.g. cloudflareworkers.com, rpki.cloudflare.com, etc.)\n \n# Ineligible Vulnerability Types\nCloudflare does not consider the following to be eligible vulnerabilities under this program. In most cases, these issues will be closed as **Not Applicable:**\n\n## XSS in Cloudflare workers\nThe entire purpose of Workers is to allow customers to run their own Javascript, called from their website. As a consequence, it will be possible for visitors to the site to explicitly call those functions. 
However, Workers runs in an Iframe sandbox, disconnected from the rest of the customer's website. XSS attacks only impact security if they can run in the context of  dash.cloudflare.com or any domain where it affects the currently logged-in Cloudflare user.\n(https://sites.google.com/site/bughunteruniversity/nonvuln/xss-in-sandbox-domain)\n\n## Security issue on origin server\nA vulnerability is out of scope if it exists on the origin server and not in a service that Cloudflare provides. If an exploit relies on the reporter configuring their origin in an insecure and non-default/uncommon way (for example, think cache-poisoning, subdomain takeovers, etc.), we cannot fix the vulnerability.\n\n## Social Engineering\nAny form of social engineering attack will be considered out of scope. For example:\n* Pre-authenticated Clickjacking\n* Phishing\n* Impersonating Cloudflare in emails\n* Convincing customer support to do something on behalf of another user\n\n## WAF Bypasses\nWe consider WAF bypasses an enhancement to our WAF product rather than bugs, and any related reports will be closed out as Informative. All WAF bypass reports need to be reproducible on our test site https://waf.cumulusfire.net/xss. You are free to use this site for testing. WAF bypasses that are considered innovative or interesting may receive a bonus at the program's discretion. WAF bypass reports may also be closed as Duplicate if they are similar to past submissions.\n \n## Broken Links and abandoned cloud resources\nWe consider fixes for reported broken links, including links to abandoned cloud resources, as enhancements to our products and websites rather than bugs. Reports of broken links will not be awarded. Cloud resource takeovers will be awarded a payout of $50 unless an actual vulnerability is demonstrated by a proof-of-concept. 
If a PoC is provided, it will be awarded in accordance with the standard rewards table.\n\n# Out of Scope\nWe will accept out of scope reports and evaluate them on a case-by-case basis in our sole discretion. \n\nThe following issues are considered out of scope:\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Subdomain takeovers under *.cdn.cloudflare.net\n* Attacks to servers under *.cdn.cloudflare.net (These servers belong to our customers and are not maintained by Cloudflare).\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing Best Practice, Configuration or Policy Suggestions including SSL/TLS configurations.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Output from Automated Scanners without a PoC to demonstrate a specific vulnerability.\n* Lack of Secure or HTTP only flag on non-sensitive cookies.\n* Email configuration issues without a PoC to demonstrate a specific flaw.\n* Broken links without demonstrating an attack\n* SaaS applications, even if published under the cloudflare.com domain. \n* Open redirects without demonstrating an attack\n* All Area1 products are currently out of scope\n* Issues with apps on the Cloudflare marketplace that are created by third parties\n \nNote: We have identified a problem in our sanitization library on dash.cloudflare.com which can cause XSS. We are aware of the issue and are working to fix it. We will not award bounties for XSS reported on dash.cloudflare.com as it would be a duplicate report. Thank you to the researchers who originally reported this issue. 
This note will be removed once the issue is fixed.\n \nNote: Mobilesdk is a product that we are sunsetting. Bounty for reports on this product will be awarded on a case-by-case basis at our sole discretion.\nAny of the activities below will result in disqualification from the program permanently:\n* Social engineering of Cloudflare employees, contractors, vendors, or service providers.\n* Physical attacks against Cloudflare employees, offices, and data centers.\n* Any Denial of Service attacks against Cloudflare and our products.\n* Any vulnerability obtained through the compromise of a Cloudflare customer or employee account. Please create a free account to test potential vulnerabilities. \n* Attempts to access/compromise customer assets that use Cloudflare.\n* Attempts to access/compromise Cloudflare's China network.\n* Attempts to access/compromise any 3rd party vendor that Cloudflare uses.\n* Attacks against the integrity of Cloudflare customers.\n \n# Guidelines for Testing\nPlease be considerate when testing our infrastructure. Failure to follow these guidelines will lead to disqualification from the Cloudflare Bug Bounty program.\n* Make sure that scanners have a narrow scope set that is limited to authorized Cloudflare IPs only. Aggressive, overly broad scans or those which include Cloudflare customer IPs without permission will be considered invalid.\n* Do not send unsolicited bulk messages (spam) or unauthorized messages.\n* Do not knowingly post, transmit, upload, link to, or send any malware.\n* Do not attack Cloudflare customers, partners or suppliers.\n* Testing should be done from a Cloudflare account associated with your @wearehackerone.com email address.\n\n### Leaked credentials\nCloudflare appreciates researchers who take time to report leaked credentials. If you discover what looks like valid Cloudflare employee, customer or partner credentials, immediately submit a report to Cloudflare who will determine the validity of the leaked credentials. 
Please do not attempt to verify the validity of the credentials yourself by attempting to authenticate with the credentials. This makes triage more difficult, and will lead to the report being ineligible for a bounty. Additionally, keep in mind that Cloudflare cannot authorize testing against third-parties. **Under no circumstances should you use leaked Cloudflare employee, customer or partner credentials to access non-public information.**\n \n# Reporting\nIf you believe you have found a security vulnerability that could impact Cloudflare or our users, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. We ask that you follow Cloudflare's [Vulnerability Disclosure Policy](https://www.cloudflare.com/disclosure/) and HackerOne's [Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines) and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research.\n \n# Recommended Report Format\nSubmitting high quality reports is highly encouraged. Please address the following bits of information in your report to demonstrate the quality of the vulnerability. Reports that are low quality and unclear will be closed. This recommended format will help you create a report that is in a readable format and contains all the information needed by Cloudflare.\n* Affected target, feature, or URL:\n* Description of problem:\n* Impact of the issue:\n* Steps to reproduce:\n* Proof of Concept:\n* Is knowledge of this issue currently public?\n \n# Eligibility \nIn order for your submission to be eligible:\n* You must agree to this policy.\n* You must be the first person to responsibly disclose an unknown issue.\n* Follow the testing guidelines set above.\n* All attacks must be executed against your own test environment. You can sign up for a free Cloudflare account and use it for testing. 
**DO NOT ATTACK CLOUDFLARE'S CUSTOMERS.**\n\nAll legitimate reports will be reviewed and assessed by Cloudflare's security team to determine eligibility.\n\n# Disclosure\nCloudflare wants to review and approve any public disclosure. We approve disclosures when the issue is resolved or has passed 90 days since acceptance. \nIf you want to publicly share your research about Cloudflare at a conference, in a blog or any other public forum, you should share a draft with us for review and approval at least 7 days prior to the publication date. Please note that the following should not be included:\n* Data regarding any Cloudflare customer instances\n* Cloudflare customers' data\n* information about Cloudflare employees, contractors or partners\n \n\n# Privacy Policy, Restrictions and Taxes\nCloudflare maintains both a [privacy policy](https://www.cloudflare.com/privacypolicy/) and [transparency report](https://www.cloudflare.com/transparency/).\n \nAs mentioned in our Privacy and Security Policy, Cloudflare's website and services are not intended for, or designed to attract individuals under the age of 18. Due to the Children's Online Privacy Protection Act (COPPA), we cannot accept submissions from children under the age of 13. Reporters under the age of 18 will not be eligible to receive Cloudflare service rewards. We may find another way to recognize your effort at our discretion.\n \nThis program is not open to any individual on, or anyone residing in any country on, any U.S. sanctions lists. Cloudflare employees and their family members are not eligible for bounties.\n \nThe decision to pay a reward is entirely at our discretion. You must not violate any law. You are responsible for any tax implications or additional restrictions depending on your country and local law. 
We reserve the right to cancel this program at any time.\n","has_open_scope":true,"pays_within_one_month":false,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-07-15T21:11:39.159Z"},{"id":3730094,"new_policy":"# Our Values\nCloudflare appreciates the work of security researchers, and we take security, trust, and transparency seriously. We developed a program to make it easier to report vulnerabilities to Cloudflare and to recognize you for your efforts to make the Internet a better place.\n\nFor research into our products, good starting points include our [Developer documentation](https://developers.cloudflare.com/docs/), [API documentation](https://api.cloudflare.com/#getting-started-endpoints), the [Learning Center](https://www.cloudflare.com/learning/), and any material on the [Cloudflare support forums](https://community.cloudflare.com/).\n \n#\"Any Updates?\" - Aka Microblog \nApril 2024\nWe have our newest May Mania! It is applicable for reports on Workers, a flagship Cloudflare product.\n\n**In-scope **\n\n1. [Workers Core Platform](https://developers.cloudflare.com/workers/)\n- Cron/Scheduled triggers\n- Workers Edge Preview\n2. [Workers KV](https://developers.cloudflare.com/kv/)\n- Workers KV API\n3. [Durable Objects](https://developers.cloudflare.com/durable-objects/)\n4. [Hyperdrive](https://developers.cloudflare.com/hyperdrive/)\n5. [Workerd](https://github.com/cloudflare/workerd)\n- The maximum reward for exploitable memory corruption issues remains $10,000\n6. 
[lol-html](https://github.com/cloudflare/lol-html)\n\n**Example In-Scope Attack Scenarios:**\n\n* Sandbox escape leading to code execution\n* Access to data of other customers (please create two accounts for testing)\n* Crashing the runtime in a way that affects other customers (workerd can be used to run workers locally)\n\n**Out-of-Scope:**\n\n* All other Workers-related products (Queues, D1 etc.)\n* Workers Playground / cloudflareworkers.com\n* Vulnerabilities in the Cloudflare Wrangler/Workers SDK tools\n* Issues with RBAC/privilege escalation within the same Cloudflare account\n* Exceeding free limits or resource limits unless this crashes the runtime\n* Bugs without a security impact or that cannot reasonably be exploited\n* Vulnerabilities related to payment abuse in WARP+ (e.g. obtaining WARP+ for free)\n\nPlease note that for this campaign, it is mandatory to show a working proof of concept with all the detailed steps to reproduce it.\n\n# Rewards\nCloudflare awards bounties based on severity using the Common Vulnerability Scoring Standard (CVSS) version 3.\n \nPlease note that these are general guidelines for rewards, and that reward decisions are at the discretion of Cloudflare. Issues may receive a lower severity rating due to mitigating factors, Cloudflare’s assessment of business risk, or other context. All pricing is in USD.\n \n| Severity |  Critical (9.0 - 10.0) | High (7.0 - 8.9) | Medium (4.0 - 6.9)  |   Low (0.1 - 3.9)  |\n| --- | --- | --- | --- | --- |\n| **Primary Targets**  | $3,000   |  $1,000   |  $500   | $250 |\n| **Secondary Targets**  |  $2,700    |  $750   |  $350   |   $200  |\n|**Other** | $2,100 | $500 | $200 | $100 |\n\nExploitable memory corruption reports in [workerd](https://github.com/cloudflare/workerd) will be awarded $10,000.\nV8 bugs are not in scope for this program. 
Please report them at https://v8.dev/docs/security-bugs.\n\n# Response Times\n* First Response: 2 days \n* Time to Triage: 2 days\n* Time to Bounty: 10 days\n* Time to Resolution: depends on severity and complexity\n\n# Collaborate with other hackers!\nIf your report is the product of collaboration, please add your collaborators before a bounty is awarded. [Let us know here](https://docs.google.com/forms/d/e/1FAIpQLSdGCbnBDcATSFeByRG0f5pBMRpEAzuJ0wXPC3jlscp3F7qOwg/viewform?urp=gmail_link) if you have questions!\n \n# Program Rules\n* By participating in this program, you agree to not discuss or otherwise disclose your ongoing work under this program or any vulnerabilities with parties outside of the program without explicit consent from Cloudflare, except as provided below.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward. \n* Please provide a realistic attack scenario including prerequisites for an attack and expected gains after the exploitation. Reports without such scenario, with unrealistic assumptions or without meaningful outcomes will not be eligible for reward.\n* Eligibility for rewards is at Cloudflare’s sole discretion.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities in order to demonstrate impact.\n* Once you find a vulnerability, report it and reach out to us before pivoting \n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded only one bounty.\n* Do not store any Cloudflare IP or PII information once the report is submitted\n \n# Scope\nPlease see our classifications for primary targets and secondary targets. 
We may still reward reports with significant security impact on anything owned by Cloudflare, so we encourage you to report such bugs via this program.\n \n## Scope: Primary Targets\nProducts listed under the Cloudflare Products tab on [our website](https://www.cloudflare.com/) are in scope as a primary target, excluding our China network which is hosted by a partner. Current in scope products include:\n* Stream\n* 1.1.1.1 resolver\n* 1.1.1.1/WARP Android and iOS apps\n* Magic Transit\n* Cloudflare Pages\n* Cloudflare Workers\n* Cloudflare Tunnel\n* Spectrum\n* Load Balancing\n* AMP Real URL\n* CDNJS\n* Bot Management\n* WAF\n* WARP clients (desktop/mobile)\n* [workerd](https://github.com/cloudflare/workerd)\n* Cloudflare D1\n* Cloudflare DNS \n* Cloudflare CASB\n* Cloudflare Access \n*  Cache\n* Magic Firewall\n* Zaraz\n* China Network\n* API Shield\n* Gateway\n* Browser Isolation\n* Images\n* AI Platform (Constellation, Vectorize)\n* Workers KV\n* Hyperdrive\n* Durable Objects\n* Rate Limiting \n* Analytics\n* Turnstile\n* Waiting Room\n* Magic WAN\n* DLP\n* SSL/TLS\n\n## Scope: Secondary Targets\n* dash.cloudflare.com\n* one.dash.cloudflare.com\n* APIs listed on api.cloudflare.com\n \n## Scope: Other\n*  *.cloudflare.com (e.g. blog.cloudflare.com, www.cloudflare.com, etc.)\n* Open source products created by Cloudflare (github.com/cloudflare)\n* *.cloudflarepartners.com\n* Anything owned by Cloudflare not listed in primary targets (e.g. cloudflareworkers.com, rpki.cloudflare.com, etc.)\n \n# Ineligible Vulnerability Types\nCloudflare does not consider the following to be eligible vulnerabilities under this program. In most cases, these issues will be closed as **Not Applicable:**\n\n## XSS in Cloudflare workers\nThe entire purpose of Workers is to allow customers to run their own Javascript, called from their website. As a consequence, it will be possible for visitors to the site to explicitly call those functions. 
However, Workers runs in an Iframe sandbox, disconnected from the rest of the customer's website. XSS attacks only impact security if they can run in the context of  dash.cloudflare.com or any domain where it affects the currently logged-in Cloudflare user.\n(https://sites.google.com/site/bughunteruniversity/nonvuln/xss-in-sandbox-domain)\n\n## Security issue on origin server\nA vulnerability is out of scope if it exists on the origin server and not in a service that Cloudflare provides. If an exploit relies on the reporter configuring their origin in an insecure and non-default/uncommon way (for example, think cache-poisoning, subdomain takeovers, etc.), we cannot fix the vulnerability.\n\n## Social Engineering\nAny form of social engineering attack will be considered out of scope. For example:\n* Pre-authenticated Clickjacking\n* Phishing\n* Impersonating Cloudflare in emails\n* Convincing customer support to do something on behalf of another user\n\n## WAF Bypasses\nWe consider WAF bypasses an enhancement to our WAF product rather than bugs, and any related reports will be closed out as Informative. All WAF bypass reports need to be reproducible on our test site https://waf.cumulusfire.net/xss. You are free to use this site for testing. WAF bypasses that are considered innovative or interesting may receive a bonus at the program's discretion. WAF bypass reports may also be closed as Duplicate if they are similar to past submissions.\n \n## Broken Links and abandoned cloud resources\nWe consider fixes for reported broken links, including links to abandoned cloud resources, as enhancements to our products and websites rather than bugs. Reports of broken links will not be awarded. Cloud resource takeovers will be awarded a payout of $50 unless an actual vulnerability is demonstrated by a proof-of-concept. 
If a PoC is provided, it will be awarded in accordance with the standard rewards table.\n\n# Out of Scope\nWe will accept out of scope reports and evaluate them on a case-by-case basis in our sole discretion. \n\nThe following issues are considered out of scope:\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Subdomain takeovers under *.cdn.cloudflare.net\n* Attacks to servers under *.cdn.cloudflare.net (These servers belong to our customers and are not maintained by Cloudflare).\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing Best Practice, Configuration or Policy Suggestions including SSL/TLS configurations.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Output from Automated Scanners without a PoC to demonstrate a specific vulnerability.\n* Lack of Secure or HTTP only flag on non-sensitive cookies.\n* Email configuration issues without a PoC to demonstrate a specific flaw.\n* Broken links without demonstrating an attack\n* SaaS applications, even if published under the cloudflare.com domain. \n* Open redirects without demonstrating an attack\n* All Area1 products are currently out of scope\n* Issues with apps on the Cloudflare marketplace that are created by third parties\n \nNote: We have identified a problem in our sanitization library on dash.cloudflare.com which can cause XSS. We are aware of the issue and are working to fix it. We will not award bounties for XSS reported on dash.cloudflare.com as it would be a duplicate report. Thank you to the researchers who originally reported this issue. 
This note will be removed once the issue is fixed.\n \nNote: Mobilesdk is a product that we are sunsetting. Bounty for reports on this product will be awarded on a case-by-case basis at our sole discretion.\nAny of the activities below will result in disqualification from the program permanently:\n* Social engineering of Cloudflare employees, contractors, vendors, or service providers.\n* Physical attacks against Cloudflare employees, offices, and data centers.\n* Any Denial of Service attacks against Cloudflare and our products.\n* Any vulnerability obtained through the compromise of a Cloudflare customer or employee account. Please create a free account to test potential vulnerabilities. \n* Attempts to access/compromise customer assets that use Cloudflare.\n* Attempts to access/compromise Cloudflare's China network.\n* Attempts to access/compromise any 3rd party vendor that Cloudflare uses.\n* Attacks against the integrity of Cloudflare customers.\n \n# Guidelines for Testing\nPlease be considerate when testing our infrastructure. Failure to follow these guidelines will lead to disqualification from the Cloudflare Bug Bounty program.\n* Make sure that scanners have a narrow scope set that is limited to authorized Cloudflare IPs only. Aggressive, overly broad scans or those which include Cloudflare customer IPs without permission will be considered invalid.\n* Do not send unsolicited bulk messages (spam) or unauthorized messages.\n* Do not knowingly post, transmit, upload, link to, or send any malware.\n* Do not attack Cloudflare customers, partners or suppliers.\n* Testing should be done from a Cloudflare account associated with your @wearehackerone.com email address.\n\n### Leaked credentials\nCloudflare appreciates researchers who take time to report leaked credentials. If you discover what looks like valid Cloudflare employee, customer or partner credentials, immediately submit a report to Cloudflare who will determine the validity of the leaked credentials. 
Please do not attempt to verify the validity of the credentials yourself by attempting to authenticate with the credentials. This makes triage more difficult, and will lead to the report being ineligible for a bounty. Additionally, keep in mind that Cloudflare cannot authorize testing against third-parties. **Under no circumstances should you use leaked Cloudflare employee, customer or partner credentials to access non-public information.**\n \n# Reporting\nIf you believe you have found a security vulnerability that could impact Cloudflare or our users, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. We ask that you follow Cloudflare's [Vulnerability Disclosure Policy](https://www.cloudflare.com/disclosure/) and HackerOne's [Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines) and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research.\n \n# Recommended Report Format\nSubmitting high quality reports is highly encouraged. Please address the following bits of information in your report to demonstrate the quality of the vulnerability. Reports that are low quality and unclear will be closed. This recommended format will help you create a report that is in a readable format and contains all the information needed by Cloudflare.\n* Affected target, feature, or URL:\n* Description of problem:\n* Impact of the issue:\n* Steps to reproduce:\n* Proof of Concept:\n* Is knowledge of this issue currently public?\n \n# Eligibility \nIn order for your submission to be eligible:\n* You must agree to this policy.\n* You must be the first person to responsibly disclose an unknown issue.\n* Follow the testing guidelines set above.\n* All attacks must be executed against your own test environment. You can sign up for a free Cloudflare account and use it for testing. 
**DO NOT ATTACK CLOUDFLARE'S CUSTOMERS.**\n\nAll legitimate reports will be reviewed and assessed by Cloudflare's security team to determine eligibility.\n\n# Disclosure\nCloudflare wants to review and approve any public disclosure. We approve disclosures when the issue is resolved or has passed 90 days since acceptance. \nIf you want to publicly share your research about Cloudflare at a conference, in a blog or any other public forum, you should share a draft with us for review and approval at least 7 days prior to the publication date. Please note that the following should not be included:\n* Data regarding any Cloudflare customer instances\n* Cloudflare customers' data\n* information about Cloudflare employees, contractors or partners\n \n\n# Privacy Policy, Restrictions and Taxes\nCloudflare maintains both a [privacy policy](https://www.cloudflare.com/privacypolicy/) and [transparency report](https://www.cloudflare.com/transparency/).\n \nAs mentioned in our Privacy and Security Policy, Cloudflare's website and services are not intended for, or designed to attract individuals under the age of 18. Due to the Children's Online Privacy Protection Act (COPPA), we cannot accept submissions from children under the age of 13. Reporters under the age of 18 will not be eligible to receive Cloudflare service rewards. We may find another way to recognize your effort at our discretion.\n \nThis program is not open to any individual on, or anyone residing in any country on, any U.S. sanctions lists. Cloudflare employees and their family members are not eligible for bounties.\n \nThe decision to pay a reward is entirely at our discretion. You must not violate any law. You are responsible for any tax implications or additional restrictions depending on your country and local law. 
We reserve the right to cancel this program at any time.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-06-19T10:10:47.614Z"},{"id":3724174,"new_policy":"# Our Values\nCloudflare appreciates the work of security researchers, and we take security, trust, and transparency seriously. We developed a program to make it easier to report vulnerabilities to Cloudflare and to recognize you for your efforts to make the Internet a better place.\n\nFor research into our products, good starting points include our [Developer documentation](https://developers.cloudflare.com/docs/), [API documentation](https://api.cloudflare.com/#getting-started-endpoints), the [Learning Center](https://www.cloudflare.com/learning/), and any material on the [Cloudflare support forums](https://community.cloudflare.com/).\n \n#\"Any Updates?\" - Aka Microblog \nApril 2024\nWe have our newest May Mania! It is applicable for reports on Workers, a flagship Cloudflare product.\n\n**In-scope **\n\n1. [Workers Core Platform](https://developers.cloudflare.com/workers/)\n- Cron/Scheduled triggers\n- Workers Edge Preview\n2. [Workers KV](https://developers.cloudflare.com/kv/)\n- Workers KV API\n3. [Durable Objects](https://developers.cloudflare.com/durable-objects/)\n4. [Hyperdrive](https://developers.cloudflare.com/hyperdrive/)\n5. [Workerd](https://github.com/cloudflare/workerd)\n- The maximum reward for exploitable memory corruption issues remains $10,000\n6. 
[lol-html](https://github.com/cloudflare/lol-html)\n\n**Example In-Scope Attack Scenarios:**\n\n* Sandbox escape leading to code execution\n* Access to data of other customers (please create two accounts for testing)\n* Crashing the runtime in a way that affects other customers (workerd can be used to run workers locally)\n\n**Out-of-Scope:**\n\n* All other Workers-related products (Queues, D1 etc.)\n* Workers Playground / cloudflareworkers.com\n* Vulnerabilities in the Cloudflare Wrangler/Workers SDK tools\n* Issues with RBAC/privilege escalation within the same Cloudflare account\n* Exceeding free limits or resource limits unless this crashes the runtime\n* Bugs without a security impact or that cannot reasonably be exploited\n* Vulnerabilities related to payment abuse in WARP+ (e.g. obtaining WARP+ for free)\n\nPlease note that for this campaign, it is mandatory to show a working proof of concept with all the detailed steps to reproduce it.\n\n# Rewards\nCloudflare awards bounties based on severity using the Common Vulnerability Scoring Standard (CVSS) version 3.\n \nPlease note that these are general guidelines for rewards, and that reward decisions are at the discretion of Cloudflare. Issues may receive a lower severity rating due to mitigating factors, Cloudflare’s assessment of business risk, or other context. All pricing is in USD.\n \n| Severity |  Critical (9.0 - 10.0) | High (7.0 - 8.9) | Medium (4.0 - 6.9)  |   Low (0.1 - 3.9)  |\n| --- | --- | --- | --- | --- |\n| **Primary Targets**  | $3,000   |  $1,000   |  $500   | $250 |\n| **Secondary Targets**  |  $2,700    |  $750   |  $350   |   $200  |\n|**Other** | $2,100 | $500 | $200 | $100 |\n\nExploitable memory corruption reports in [workerd](https://github.com/cloudflare/workerd) will be awarded $10,000.\nV8 bugs are not in scope for this program. 
Please report them at https://v8.dev/docs/security-bugs.\n\n# Response Times\n* First Response: 2 days \n* Time to Triage: 2 days\n* Time to Bounty: 10 days\n* Time to Resolution: depends on severity and complexity\n\n# Collaborate with other hackers!\nIf your report is the product of collaboration, please add your collaborators before a bounty is awarded. [Let us know here](https://docs.google.com/forms/d/e/1FAIpQLSdGCbnBDcATSFeByRG0f5pBMRpEAzuJ0wXPC3jlscp3F7qOwg/viewform?urp=gmail_link) if you have questions!\n \n# Program Rules\n* By participating in this program, you agree to not discuss or otherwise disclose your ongoing work under this program or any vulnerabilities with parties outside of the program without explicit consent from Cloudflare, except as provided below.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward. \n* Please provide a realistic attack scenario including prerequisites for an attack and expected gains after the exploitation. Reports without such scenario, with unrealistic assumptions or without meaningful outcomes will not be eligible for reward.\n* Eligibility for rewards is at Cloudflare’s sole discretion.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities in order to demonstrate impact.\n* Once you find a vulnerability, report it and reach out to us before pivoting \n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded only one bounty.\n* Do not store any Cloudflare IP or PII information once the report is submitted\n \n# Scope\nPlease see our classifications for primary targets and secondary targets. 
We may still reward reports with significant security impact on anything owned by Cloudflare, so we encourage you to report such bugs via this program.\n \n## Scope: Primary Targets\nProducts listed under the Cloudflare Products tab on [our website](https://www.cloudflare.com/) are in scope as a primary target, excluding our China network which is hosted by a partner. Current in scope products include:\n* Stream\n* 1.1.1.1 resolver\n* 1.1.1.1/WARP Android and iOS apps\n* Magic Transit\n* Cloudflare Pages\n* Cloudflare Workers\n* Cloudflare Tunnel\n* Spectrum\n* Load Balancing\n* AMP Real URL\n* CDNJS\n* Bot Management\n* WAF\n* WARP clients (desktop/mobile)\n* [workerd](https://github.com/cloudflare/workerd)\n* Cloudflare D1\n* Cloudflare DNS \n* Cloudflare CASB\n* Cloudflare Access \n*  Cache\n* Magic Firewall\n* Zaraz\n* China Network\n* API Shield\n* Gateway\n* Browser Isolation\n* Images\n* AI Platform (Constellation, Vectorize)\n* Workers KV\n* Hyperdrive\n* Durable Objects\n* Rate Limiting \n* Analytics\n* Turnstile\n* Waiting Room\n* Magic WAN\n* DLP\n* SSL/TLS\n\n## Scope: Secondary Targets\n* dash.cloudflare.com\n* one.dash.cloudflare.com\n* APIs listed on api.cloudflare.com\n \n## Scope: Other\n*  *.cloudflare.com (e.g. blog.cloudflare.com, www.cloudflare.com, etc.)\n* Open source products created by Cloudflare (github.com/cloudflare)\n* *.cloudflarepartners.com\n* Anything owned by Cloudflare not listed in primary targets (e.g. cloudflareworkers.com, rpki.cloudflare.com, etc.)\n \n# Ineligible Vulnerability Types\nCloudflare does not consider the following to be eligible vulnerabilities under this program. In most cases, these issues will be closed as **Not Applicable:**\n\n## XSS in Cloudflare workers\nThe entire purpose of Workers is to allow customers to run their own Javascript, called from their website. As a consequence, it will be possible for visitors to the site to explicitly call those functions. 
However, Workers runs in an iframe sandbox, disconnected from the rest of the customer's website. XSS attacks only impact security if they can run in the context of dash.cloudflare.com or any domain where it affects the currently logged-in Cloudflare user.\n(https://sites.google.com/site/bughunteruniversity/nonvuln/xss-in-sandbox-domain)\n\n## Security issue on origin server\nA vulnerability is out of scope if it exists on the origin server and not in a service that Cloudflare provides. If an exploit relies on the reporter configuring their origin in an insecure and non-default/uncommon way (for example, think cache-poisoning, subdomain takeovers, etc.), we cannot fix the vulnerability.\n\n## Social Engineering\nAny form of social engineering attack will be considered out of scope. For example:\n* Pre-authenticated Clickjacking\n* Phishing\n* Impersonating Cloudflare in emails\n* Convincing customer support to do something on behalf of another user\n\n## WAF Bypasses\nWe consider WAF bypasses an enhancement to our WAF product rather than bugs, and any related reports will be closed out as Informative. All WAF bypass reports need to be reproducible on our test site https://waf.cumulusfire.net/xss. You are free to use this site for testing. WAF bypasses that are considered innovative or interesting may receive a bonus at the program's discretion. WAF bypass reports may also be closed as Duplicate if they are similar to past submissions.\n \n## Broken Links and abandoned cloud resources\nWe consider fixes for reported broken links, including links to abandoned cloud resources, as enhancements to our products and websites rather than bugs. Reports of broken links will not be awarded. Cloud resource takeovers will be awarded a payout of $50 unless an actual vulnerability is demonstrated by a proof-of-concept. 
If a PoC is provided, it will be awarded in accordance with the standard rewards table.\n\n# Out of Scope\nWe will accept out of scope reports and evaluate them on a case-by-case basis in our sole discretion. \n\nThe following issues are considered out of scope:\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Subdomain takeovers under *.cdn.cloudflare.net\n* Attacks to servers under *.cdn.cloudflare.net (These servers belong to our customers and are not maintained by Cloudflare).\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing Best Practice, Configuration or Policy Suggestions including SSL/TLS configurations.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Output from Automated Scanners without a PoC to demonstrate a specific vulnerability.\n* Lack of Secure or HTTP only flag on non-sensitive cookies.\n* Email configuration issues without a PoC to demonstrate a specific flaw.\n* Broken links without demonstrating an attack\n* SaaS applications, even if published under the cloudflare.com domain. \n* Open redirects without demonstrating an attack\n* All Area1 products are currently out of scope\n* Issues with apps on the Cloudflare marketplace that are created by third parties\n \nNote: We have identified a problem in our sanitization library on dash.cloudflare.com which can cause XSS. We are aware of the issue and are working to fix it. We will not award bounties for XSS reported on dash.cloudflare.com as it would be a duplicate report. Thank you to the researchers who originally reported this issue. 
This note will be removed once the issue is fixed.\n \nNote: Mobilesdk is a product that we are sunsetting. Bounty for reports on this product will be awarded on a case-by-case basis at our sole discretion.\nAny of the activities below will result in disqualification from the program permanently:\n* Social engineering of Cloudflare employees, contractors, vendors, or service providers.\n* Physical attacks against Cloudflare employees, offices, and data centers.\n* Any Denial of Service attacks against Cloudflare and our products.\n* Any vulnerability obtained through the compromise of a Cloudflare customer or employee account. Please create a free account to test potential vulnerabilities. \n* Attempts to access/compromise customer assets that use Cloudflare.\n* Attempts to access/compromise Cloudflare's China network.\n* Attempts to access/compromise any 3rd party vendor that Cloudflare uses.\n* Attacks against the integrity of Cloudflare customers.\n \n# Guidelines for Testing\nPlease be considerate when testing our infrastructure. Failure to follow these guidelines will lead to disqualification from the Cloudflare Bug Bounty program.\n* Make sure that scanners have a narrow scope set that is limited to authorized Cloudflare IPs only. Aggressive, overly broad scans or those which include Cloudflare customer IPs without permission will be considered invalid.\n* Do not send unsolicited bulk messages (spam) or unauthorized messages.\n* Do not knowingly post, transmit, upload, link to, or send any malware.\n* Do not attack Cloudflare customers, partners or suppliers.\n* Testing should be done from a Cloudflare account associated with your @wearehackerone.com email address.\n \n# Reporting\nIf you believe you have found a security vulnerability that could impact Cloudflare or our users, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. 
We ask that you follow Cloudflare's [Vulnerability Disclosure Policy](https://www.cloudflare.com/disclosure/) and HackerOne's [Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines) and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research.\n \n# Recommended Report Format\nSubmitting high quality reports is highly encouraged. Please address the following bits of information in your report to demonstrate the quality of the vulnerability. Reports that are low quality and unclear will be closed. This recommended format will help you create a report that is in a readable format and contains all the information needed by Cloudflare.\n* Affected target, feature, or URL:\n* Description of problem:\n* Impact of the issue:\n* Steps to reproduce:\n* Proof of Concept:\n* Is knowledge of this issue currently public?\n \n# Eligibility \nIn order for your submission to be eligible:\n* You must agree to this policy.\n* You must be the first person to responsibly disclose an unknown issue.\n* Follow the testing guidelines set above.\n* All attacks must be executed against your own test environment. You can sign up for a free Cloudflare account and use it for testing. **DO NOT ATTACK CLOUDFLARE'S CUSTOMERS.**\n\nAll legitimate reports will be reviewed and assessed by Cloudflare's security team to determine eligibility.\n\n# Disclosure\nCloudflare wants to review and approve any public disclosure. We approve disclosures when the issue is resolved or has passed 90 days since acceptance. \nIf you want to publicly share your research about Cloudflare at a conference, in a blog or any other public forum, you should share a draft with us for review and approval at least 7 days prior to the publication date. 
Please note that the following should not be included:\n* Data regarding any Cloudflare customer instances\n* Cloudflare customers' data\n* information about Cloudflare employees, contractors or partners\n \n\n# Privacy Policy, Restrictions and Taxes\nCloudflare maintains both a [privacy policy](https://www.cloudflare.com/privacypolicy/) and [transparency report](https://www.cloudflare.com/transparency/).\n \nAs mentioned in our Privacy and Security Policy, Cloudflare's website and services are not intended for, or designed to attract individuals under the age of 18. Due to the Children's Online Privacy Protection Act (COPPA), we cannot accept submissions from children under the age of 13. Reporters under the age of 18 will not be eligible to receive Cloudflare service rewards. We may find another way to recognize your effort at our discretion.\n \nThis program is not open to any individual on, or anyone residing in any country on, any U.S. sanctions lists. Cloudflare employees and their family members are not eligible for bounties.\n \nThe decision to pay a reward is entirely at our discretion. You must not violate any law. You are responsible for any tax implications or additional restrictions depending on your country and local law. We reserve the right to cancel this program at any time.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-04-25T19:30:18.257Z"},{"id":3724171,"new_policy":"# Our Values\nCloudflare appreciates the work of security researchers, and we take security, trust, and transparency seriously. 
We developed a program to make it easier to report vulnerabilities to Cloudflare and to recognize you for your efforts to make the Internet a better place.\n\nFor research into our products, good starting points include our [Developer documentation](https://developers.cloudflare.com/docs/), [API documentation](https://api.cloudflare.com/#getting-started-endpoints), the [Learning Center](https://www.cloudflare.com/learning/), and any material on the [Cloudflare support forums](https://community.cloudflare.com/).\n \n# \"Any Updates?\" - Aka Microblog\nApril 2024\nWe have our newest May Mania! It is applicable for reports on Workers, a flagship Cloudflare product.\n\n**In-scope**\n\n1. Workers Core Platform\n- Cron/Scheduled triggers\n- Workers Edge Preview\n2. Workers KV\n- Workers KV API\n3. Durable Objects\n4. Hyperdrive\n5. Workerd\n- The maximum reward for exploitable memory corruption issues remains $10,000\n6. lol-html\n\n**Example In-Scope Attack Scenarios:**\n\n* Sandbox escape leading to code execution\n* Access to data of other customers (please create two accounts for testing)\n* Crashing the runtime in a way that affects other customers (workerd can be used to run workers locally)\n\n**Out-of-Scope:**\n\n* All other Workers-related products (Queues, D1 etc.)\n* Workers Playground / cloudflareworkers.com\n* Vulnerabilities in the Cloudflare Wrangler/Workers SDK tools\n* Issues with RBAC/privilege escalation within the same Cloudflare account\n* Exceeding free limits or resource limits unless this crashes the runtime\n* Bugs without a security impact or that cannot reasonably be exploited\n* Vulnerabilities related to payment abuse in WARP+ (e.g. 
obtaining WARP+ for free)\n\nPlease note that for this campaign, it is mandatory to show a working proof of concept with all the detailed steps to reproduce it\n\n# Rewards\nCloudflare awards bounties based on severity using the Common Vulnerability Scoring Standard (CVSS) version 3.\n \nPlease note that these are general guidelines for rewards, and that reward decisions are at the discretion of Cloudflare. Issues may receive a lower severity rating due to mitigating factors, Cloudflare’s assessment of business risk, or other context. All pricing is in USD.\n \n| Severity |  Critical (9.0 - 10.0) | High (7.0 - 8.9) | Medium (4.0 - 6.9)  |   Low (0.1 - 3.9)  |\n| --- | --- | --- | --- | --- |\n| **Primary Targets**  | $3,000   |  $1,000   |  $500   | $250 |\n| **Secondary Targets**  |  $2,700    |  $750   |  $350   |   $200  |\n|**Other** | $2,100 | $500 | $200 | $100 |\n\nExploitable memory corruption reports in [workerd](https://github.com/cloudflare/workerd) will be awarded $10,000.\nV8 bugs are not in scope for this program. Please report them at https://v8.dev/docs/security-bugs.\n\n# Response Times\n* First Response: 2 days \n* Time to Triage: 2 days\n* Time to Bounty: 10 days\n* Time to Resolution: depends on severity and complexity\n\n# Collaborate with other hackers!\nIf your report is the product of collaboration, please add your collaborators before a bounty is awarded. [Let us know here](https://docs.google.com/forms/d/e/1FAIpQLSdGCbnBDcATSFeByRG0f5pBMRpEAzuJ0wXPC3jlscp3F7qOwg/viewform?urp=gmail_link) if you have questions!\n \n# Program Rules\n* By participating in this program, you agree to not discuss or otherwise disclose your ongoing work under this program or any vulnerabilities with parties outside of the program without explicit consent from Cloudflare, except as provided below.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward. 
\n* Please provide a realistic attack scenario including prerequisites for an attack and expected gains after the exploitation. Reports without such scenario, with unrealistic assumptions or without meaningful outcomes will not be eligible for reward.\n* Eligibility for rewards is at Cloudflare’s sole discretion.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities in order to demonstrate impact.\n* Once you find a vulnerability, report it and reach out to us before pivoting \n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded only one bounty.\n* Do not store any Cloudflare IP or PII information once the report is submitted\n \n# Scope\nPlease see our classifications for primary targets and secondary targets. We may still reward reports with significant security impact on anything owned by Cloudflare, so we encourage you to report such bugs via this program.\n \n## Scope: Primary Targets\nProducts listed under the Cloudflare Products tab on [our website](https://www.cloudflare.com/) are in scope as a primary target, excluding our China network which is hosted by a partner. 
Current in scope products include:\n* Stream\n* 1.1.1.1 resolver\n* 1.1.1.1/WARP Android and iOS apps\n* Magic Transit\n* Cloudflare Pages\n* Cloudflare Workers\n* Cloudflare Tunnel\n* Spectrum\n* Load Balancing\n* AMP Real URL\n* CDNJS\n* Bot Management\n* WAF\n* WARP clients (desktop/mobile)\n* [workerd](https://github.com/cloudflare/workerd)\n* Cloudflare D1\n* Cloudflare DNS \n* Cloudflare CASB\n* Cloudflare Access \n*  Cache\n* Magic Firewall\n* Zaraz\n* China Network\n* API Shield\n* Gateway\n* Browser Isolation\n* Images\n* AI Platform (Constellation, Vectorize)\n* Workers KV\n* Hyperdrive\n* Durable Objects\n* Rate Limiting \n* Analytics\n* Turnstile\n* Waiting Room\n* Magic WAN\n* DLP\n* SSL/TLS\n\n## Scope: Secondary Targets\n* dash.cloudflare.com\n* one.dash.cloudflare.com\n* APIs listed on api.cloudflare.com\n \n## Scope: Other\n*  *.cloudflare.com (e.g. blog.cloudflare.com, www.cloudflare.com, etc.)\n* Open source products created by Cloudflare (github.com/cloudflare)\n* *.cloudflarepartners.com\n* Anything owned by Cloudflare not listed in primary targets (e.g. cloudflareworkers.com, rpki.cloudflare.com, etc.)\n \n# Ineligible Vulnerability Types\nCloudflare does not consider the following to be eligible vulnerabilities under this program. In most cases, these issues will be closed as **Not Applicable:**\n\n## XSS in Cloudflare workers\nThe entire purpose of Workers is to allow customers to run their own Javascript, called from their website. As a consequence, it will be possible for visitors to the site to explicitly call those functions. However, Workers runs in an Iframe sandbox, disconnected from the rest of the customer's website. 
XSS attacks only impact security if they can run in the context of dash.cloudflare.com or any domain where it affects the currently logged-in Cloudflare user.\n(https://sites.google.com/site/bughunteruniversity/nonvuln/xss-in-sandbox-domain)\n\n## Security issue on origin server\nA vulnerability is out of scope if it exists on the origin server and not in a service that Cloudflare provides. If an exploit relies on the reporter configuring their origin in an insecure and non-default/uncommon way (for example, think cache-poisoning, subdomain takeovers, etc.), we cannot fix the vulnerability.\n\n## Social Engineering\nAny form of social engineering attack will be considered out of scope. For example:\n* Pre-authenticated Clickjacking\n* Phishing\n* Impersonating Cloudflare in emails\n* Convincing customer support to do something on behalf of another user\n\n## WAF Bypasses\nWe consider WAF bypasses an enhancement to our WAF product rather than bugs, and any related reports will be closed out as Informative. All WAF bypass reports need to be reproducible on our test site https://waf.cumulusfire.net/xss. You are free to use this site for testing. WAF bypasses that are considered innovative or interesting may receive a bonus at the program's discretion. WAF bypass reports may also be closed as Duplicate if they are similar to past submissions.\n \n## Broken Links and abandoned cloud resources\nWe consider fixes for reported broken links, including links to abandoned cloud resources, as enhancements to our products and websites rather than bugs. Reports of broken links will not be awarded. Cloud resource takeovers will be awarded a payout of $50 unless an actual vulnerability is demonstrated by a proof-of-concept. If a PoC is provided, it will be awarded in accordance with the standard rewards table.\n\n# Out of Scope\nWe will accept out of scope reports and evaluate them on a case-by-case basis in our sole discretion. 
\n\nThe following issues are considered out of scope:\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Subdomain takeovers under *.cdn.cloudflare.net\n* Attacks to servers under *.cdn.cloudflare.net (These servers belong to our customers and are not maintained by Cloudflare).\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing Best Practice, Configuration or Policy Suggestions including SSL/TLS configurations.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Output from Automated Scanners without a PoC to demonstrate a specific vulnerability.\n* Lack of Secure or HTTP only flag on non-sensitive cookies.\n* Email configuration issues without a PoC to demonstrate a specific flaw.\n* Broken links without demonstrating an attack\n* SaaS applications, even if published under the cloudflare.com domain. \n* Open redirects without demonstrating an attack\n* All Area1 products are currently out of scope\n* Issues with apps on the Cloudflare marketplace that are created by third parties\n \nNote: We have identified a problem in our sanitization library on dash.cloudflare.com which can cause XSS. We are aware of the issue and are working to fix it. We will not award bounties for XSS reported on dash.cloudflare.com as it would be a duplicate report. Thank you to the researchers who originally reported this issue. This note will be removed once the issue is fixed.\n \nNote: Mobilesdk is a product that we are sunsetting. 
Bounty for reports on this product will be awarded on a case-by-case basis at our sole discretion.\nAny of the activities below will result in disqualification from the program permanently:\n* Social engineering of Cloudflare employees, contractors, vendors, or service providers.\n* Physical attacks against Cloudflare employees, offices, and data centers.\n* Any Denial of Service attacks against Cloudflare and our products.\n* Any vulnerability obtained through the compromise of a Cloudflare customer or employee account. Please create a free account to test potential vulnerabilities. \n* Attempts to access/compromise customer assets that use Cloudflare.\n* Attempts to access/compromise Cloudflare's China network.\n* Attempts to access/compromise any 3rd party vendor that Cloudflare uses.\n* Attacks against the integrity of Cloudflare customers.\n \n# Guidelines for Testing\nPlease be considerate when testing our infrastructure. Failure to follow these guidelines will lead to disqualification from the Cloudflare Bug Bounty program.\n* Make sure that scanners have a narrow scope set that is limited to authorized Cloudflare IPs only. Aggressive, overly broad scans or those which include Cloudflare customer IPs without permission will be considered invalid.\n* Do not send unsolicited bulk messages (spam) or unauthorized messages.\n* Do not knowingly post, transmit, upload, link to, or send any malware.\n* Do not attack Cloudflare customers, partners or suppliers.\n* Testing should be done from a Cloudflare account associated with your @wearehackerone.com email address.\n \n# Reporting\nIf you believe you have found a security vulnerability that could impact Cloudflare or our users, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. 
We ask that you follow Cloudflare's [Vulnerability Disclosure Policy](https://www.cloudflare.com/disclosure/) and HackerOne's [Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines) and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research.\n \n# Recommended Report Format\nSubmitting high quality reports is highly encouraged. Please address the following bits of information in your report to demonstrate the quality of the vulnerability. Reports that are low quality and unclear will be closed. This recommended format will help you create a report that is in a readable format and contains all the information needed by Cloudflare.\n* Affected target, feature, or URL:\n* Description of problem:\n* Impact of the issue:\n* Steps to reproduce:\n* Proof of Concept:\n* Is knowledge of this issue currently public?\n \n# Eligibility \nIn order for your submission to be eligible:\n* You must agree to this policy.\n* You must be the first person to responsibly disclose an unknown issue.\n* Follow the testing guidelines set above.\n* All attacks must be executed against your own test environment. You can sign up for a free Cloudflare account and use it for testing. **DO NOT ATTACK CLOUDFLARE'S CUSTOMERS.**\n\nAll legitimate reports will be reviewed and assessed by Cloudflare's security team to determine eligibility.\n\n# Disclosure\nCloudflare wants to review and approve any public disclosure. We approve disclosures when the issue is resolved or has passed 90 days since acceptance. \nIf you want to publicly share your research about Cloudflare at a conference, in a blog or any other public forum, you should share a draft with us for review and approval at least 7 days prior to the publication date. 
Please note that the following should not be included:\n* Data regarding any Cloudflare customer instances\n* Cloudflare customers' data\n* information about Cloudflare employees, contractors or partners\n \n\n# Privacy Policy, Restrictions and Taxes\nCloudflare maintains both a [privacy policy](https://www.cloudflare.com/privacypolicy/) and [transparency report](https://www.cloudflare.com/transparency/).\n \nAs mentioned in our Privacy and Security Policy, Cloudflare's website and services are not intended for, or designed to attract individuals under the age of 18. Due to the Children's Online Privacy Protection Act (COPPA), we cannot accept submissions from children under the age of 13. Reporters under the age of 18 will not be eligible to receive Cloudflare service rewards. We may find another way to recognize your effort at our discretion.\n \nThis program is not open to any individual on, or anyone residing in any country on, any U.S. sanctions lists. Cloudflare employees and their family members are not eligible for bounties.\n \nThe decision to pay a reward is entirely at our discretion. You must not violate any law. You are responsible for any tax implications or additional restrictions depending on your country and local law. We reserve the right to cancel this program at any time.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-04-25T19:20:33.143Z"},{"id":3710489,"new_policy":"# Our Values\nCloudflare appreciates the work of security researchers, and we take security, trust, and transparency seriously. 
We developed a program to make it easier to report vulnerabilities to Cloudflare and to recognize you for your efforts to make the Internet a better place.\n\nFor research into our products, good starting points include our [Developer documentation](https://developers.cloudflare.com/docs/), [API documentation](https://api.cloudflare.com/#getting-started-endpoints), the [Learning Center](https://www.cloudflare.com/learning/), and any material on the [Cloudflare support forums](https://community.cloudflare.com/).\n \n# \"Any Updates?\" - Aka Microblog\n* 23 October 2023: Cloudflare is starting H1 triage as the first line of triage\n* 23 October 2023: New AI related scopes added, AI Gateway, Vectorize. Please check out our scope to learn more\n* 26 October 2023: We have updated our disclosure policy\n\n# Rewards\nCloudflare awards bounties based on severity using the Common Vulnerability Scoring Standard (CVSS) version 3.\n \nPlease note that these are general guidelines for rewards, and that reward decisions are at the discretion of Cloudflare. Issues may receive a lower severity rating due to mitigating factors, Cloudflare’s assessment of business risk, or other context. All pricing is in USD.\n \n| Severity |  Critical (9.0 - 10.0) | High (7.0 - 8.9) | Medium (4.0 - 6.9)  |   Low (0.1 - 3.9)  |\n| --- | --- | --- | --- | --- |\n| **Primary Targets**  | $3,000   |  $1,000   |  $500   | $250 |\n| **Secondary Targets**  |  $2,700    |  $750   |  $350   |   $200  |\n|**Other** | $2,100 | $500 | $200 | $100 |\n\nExploitable memory corruption reports in [workerd](https://github.com/cloudflare/workerd) will be awarded $10,000.\nV8 bugs are not in scope for this program. 
Please report them at https://v8.dev/docs/security-bugs.\n\n# Response Times\n* First Response: 2 days \n* Time to Triage: 2 days\n* Time to Bounty: 10 days\n* Time to Resolution: depends on severity and complexity\n\n# Collaborate with other hackers!\nIf your report is the product of collaboration, please add your collaborators before a bounty is awarded. [Let us know here](https://docs.google.com/forms/d/e/1FAIpQLSdGCbnBDcATSFeByRG0f5pBMRpEAzuJ0wXPC3jlscp3F7qOwg/viewform?urp=gmail_link) if you have questions!\n \n# Program Rules\n* By participating in this program, you agree to not discuss or otherwise disclose your ongoing work under this program or any vulnerabilities with parties outside of the program without explicit consent from Cloudflare, except as provided below.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward. \n* Please provide a realistic attack scenario including prerequisites for an attack and expected gains after the exploitation. Reports without such scenario, with unrealistic assumptions or without meaningful outcomes will not be eligible for reward.\n* Eligibility for rewards is at Cloudflare’s sole discretion.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities in order to demonstrate impact.\n* Once you find a vulnerability, report it and reach out to us before pivoting \n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded only one bounty.\n* Do not store any Cloudflare IP or PII information once the report is submitted\n \n# Scope\nPlease see our classifications for primary targets and secondary targets. 
We may still reward reports with significant security impact on anything owned by Cloudflare, so we encourage you to report such bugs via this program.\n \n## Scope: Primary Targets\nProducts listed under the Cloudflare Products tab on [our website](https://www.cloudflare.com/) are in scope as a primary target, excluding our China network which is hosted by a partner. Current in scope products include:\n* Stream\n* 1.1.1.1 resolver\n* 1.1.1.1/WARP Android and iOS apps\n* Magic Transit\n* Cloudflare Pages\n* Cloudflare Workers\n* Cloudflare Tunnel\n* Spectrum\n* Load Balancing\n* AMP Real URL\n* CDNJS\n* Bot Management\n* WAF\n* WARP clients (desktop/mobile)\n* [workerd](https://github.com/cloudflare/workerd)\n* Cloudflare D1\n* Cloudflare DNS \n* Cloudflare CASB\n* Cloudflare Access \n*  Cache\n* Magic Firewall\n* Zaraz\n* China Network\n* API Shield\n* Gateway\n* Browser Isolation\n* Images\n* AI Platform (Constellation, Vectorize)\n* Workers KV\n* Hyperdrive\n* Durable Objects\n* Rate Limiting \n* Analytics\n* Turnstile\n* Waiting Room\n* Magic WAN\n* DLP\n* SSL/TLS\n\n## Scope: Secondary Targets\n* dash.cloudflare.com\n* one.dash.cloudflare.com\n* APIs listed on api.cloudflare.com\n \n## Scope: Other\n*  *.cloudflare.com (e.g. blog.cloudflare.com, www.cloudflare.com, etc.)\n* Open source products created by Cloudflare (github.com/cloudflare)\n* *.cloudflarepartners.com\n* Anything owned by Cloudflare not listed in primary targets (e.g. cloudflareworkers.com, rpki.cloudflare.com, etc.)\n \n# Ineligible Vulnerability Types\nCloudflare does not consider the following to be eligible vulnerabilities under this program. In most cases, these issues will be closed as **Not Applicable:**\n\n## XSS in Cloudflare workers\nThe entire purpose of Workers is to allow customers to run their own Javascript, called from their website. As a consequence, it will be possible for visitors to the site to explicitly call those functions. 
However, Workers runs in an Iframe sandbox, disconnected from the rest of the customer's website. XSS attacks only impact security if they can run in the context of  dash.cloudflare.com or any domain where it affects the currently logged-in Cloudflare user.\n(https://sites.google.com/site/bughunteruniversity/nonvuln/xss-in-sandbox-domain)\n\n## Security issue on origin server\nA vulnerability is out of scope if it exists on the origin server and not in a service that Cloudflare provides. If an exploit relies on the reporter configuring their origin in an insecure and non-default/uncommon way (for example, think cache-poisoning, subdomain takeovers, etc.), we cannot fix the vulnerability.\n\n## Social Engineering\nAny form of social engineering attack will be considered out of scope. For example:\n* Pre-authenticated Clickjacking\n* Phishing\n* Impersonating Cloudflare in emails\n* Convincing customer support to do something on behalf of another user\n\n## WAF Bypasses\nWe consider WAF bypasses an enhancement to our WAF product rather than bugs, and any related reports will be closed out as Informative. All WAF bypass reports need to be reproducible on our test site https://waf.cumulusfire.net/xss. You are free to use this site for testing. WAF bypasses that are considered innovative or interesting may receive a bonus at the program's discretion. WAF bypass reports may also be closed as Duplicate if they are similar to past submissions.\n \n## Broken Links and abandoned cloud resources\nWe consider fixes for reported broken links, including links to abandoned cloud resources, as enhancements to our products and websites rather than bugs. Reports of broken links will not be awarded. Cloud resource takeovers will be awarded a payout of $50 unless an actual vulnerability is demonstrated by a proof-of-concept. 
If a PoC is provided, it will be awarded in accordance with the standard rewards table.\n\n# Out of Scope\nWe will accept out of scope reports and evaluate them on a case-by-case basis in our sole discretion. \n\nThe following issues are considered out of scope:\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Subdomain takeovers under *.cdn.cloudflare.net\n* Attacks to servers under *.cdn.cloudflare.net (These servers belong to our customers and are not maintained by Cloudflare).\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing Best Practice, Configuration or Policy Suggestions including SSL/TLS configurations.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Output from Automated Scanners without a PoC to demonstrate a specific vulnerability.\n* Lack of Secure or HTTP only flag on non-sensitive cookies.\n* Email configuration issues without a PoC to demonstrate a specific flaw.\n* Broken links without demonstrating an attack\n* SaaS applications, even if published under the cloudflare.com domain. \n* Open redirects without demonstrating an attack\n* All Area1 products are currently out of scope\n* Issues with apps on the Cloudflare marketplace that are created by third parties\n \nNote: We have identified a problem in our sanitization library on dash.cloudflare.com which can cause XSS. We are aware of the issue and are working to fix it. We will not award bounties for XSS reported on dash.cloudflare.com as it would be a duplicate report. Thank you to the researchers who originally reported this issue. 
This note will be removed once the issue is fixed.\n \nNote: Mobilesdk is a product that we are sunsetting. Bounty for reports on this product will be awarded on a case-by-case basis at our sole discretion.\nAny of the activities below will result in disqualification from the program permanently:\n* Social engineering of Cloudflare employees, contractors, vendors, or service providers.\n* Physical attacks against Cloudflare employees, offices, and data centers.\n* Any Denial of Service attacks against Cloudflare and our products.\n* Any vulnerability obtained through the compromise of a Cloudflare customer or employee account. Please create a free account to test potential vulnerabilities. \n* Attempts to access/compromise customer assets that use Cloudflare.\n* Attempts to access/compromise Cloudflare's China network.\n* Attempts to access/compromise any 3rd party vendor that Cloudflare uses.\n* Attacks against the integrity of Cloudflare customers.\n \n# Guidelines for Testing\nPlease be considerate when testing our infrastructure. Failure to follow these guidelines will lead to disqualification from the Cloudflare Bug Bounty program.\n* Make sure that scanners have a narrow scope set that is limited to authorized Cloudflare IPs only. Aggressive, overly broad scans or those which include Cloudflare customer IPs without permission will be considered invalid.\n* Do not send unsolicited bulk messages (spam) or unauthorized messages.\n* Do not knowingly post, transmit, upload, link to, or send any malware.\n* Do not attack Cloudflare customers, partners or suppliers.\n* Testing should be done from a Cloudflare account associated with your @wearehackerone.com email address.\n \n# Reporting\nIf you believe you have found a security vulnerability that could impact Cloudflare or our users, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. 
We ask that you follow Cloudflare's [Vulnerability Disclosure Policy](https://www.cloudflare.com/disclosure/) and HackerOne's [Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines) and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research.\n \n# Recommended Report Format\nSubmitting high quality reports is highly encouraged. Please address the following bits of information in your report to demonstrate the quality of the vulnerability. Reports that are low quality and unclear will be closed. This recommended format will help you create a report that is in a readable format and contains all the information needed by Cloudflare.\n* Affected target, feature, or URL:\n* Description of problem:\n* Impact of the issue:\n* Steps to reproduce:\n* Proof of Concept:\n* Is knowledge of this issue currently public?\n \n# Eligibility \nIn order for your submission to be eligible:\n* You must agree to this policy.\n* You must be the first person to responsibly disclose an unknown issue.\n* Follow the testing guidelines set above.\n* All attacks must be executed against your own test environment. You can sign up for a free Cloudflare account and use it for testing. **DO NOT ATTACK CLOUDFLARE'S CUSTOMERS.**\n\nAll legitimate reports will be reviewed and assessed by Cloudflare's security team to determine eligibility.\n\n# Disclosure\nCloudflare wants to review and approve any public disclosure. We approve disclosures when the issue is resolved or has passed 90 days since acceptance. \nIf you want to publicly share your research about Cloudflare at a conference, in a blog or any other public forum, you should share a draft with us for review and approval at least 7 days prior to the publication date. 
Please note that the following should not be included:\n* Data regarding any Cloudflare customer instances\n* Cloudflare customers' data\n* information about Cloudflare employees, contractors or partners\n \n\n# Privacy Policy, Restrictions and Taxes\nCloudflare maintains both a [privacy policy](https://www.cloudflare.com/privacypolicy/) and [transparency report](https://www.cloudflare.com/transparency/).\n \nAs mentioned in our Privacy and Security Policy, Cloudflare's website and services are not intended for, or designed to attract individuals under the age of 18. Due to the Children's Online Privacy Protection Act (COPPA), we cannot accept submissions from children under the age of 13. Reporters under the age of 18 will not be eligible to receive Cloudflare service rewards. We may find another way to recognize your effort at our discretion.\n \nThis program is not open to any individual on, or anyone residing in any country on, any U.S. sanctions lists. Cloudflare employees and their family members are not eligible for bounties.\n \nThe decision to pay a reward is entirely at our discretion. You must not violate any law. You are responsible for any tax implications or additional restrictions depending on your country and local law. We reserve the right to cancel this program at any time.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-01-10T07:14:34.349Z"},{"id":3705947,"new_policy":"# Our Values\nCloudflare appreciates the work of security researchers, and we take security, trust, and transparency seriously. 
We developed a program to make it easier to report vulnerabilities to Cloudflare and to recognize you for your efforts to make the Internet a better place.\n\nFor research into our products, good starting points include our [Developer documentation](https://developers.cloudflare.com/docs/), [API documentation](https://api.cloudflare.com/#getting-started-endpoints), the [Learning Center](https://www.cloudflare.com/learning/), and any material on the [Cloudflare support forums](https://community.cloudflare.com/).\n \n#\"Any Updates?\" - Aka Microblog\n* 23 October 2023: Cloudflare is starting H1 triage for first line of triage \n* 23 October 2023: New AI related scopes added, AI Gateway, Vectorize. Please check out our scope to learn more\n* 26 October 2023: We have updated our disclosure policy\n\n# Rewards\nCloudflare awards bounties based on severity using the Common Vulnerability Scoring Standard (CVSS) version 3.\n \nPlease note that these are general guidelines for rewards, and that reward decisions are at the discretion of Cloudflare. Issues may receive a lower severity rating due to mitigating factors, Cloudflare’s assessment of business risk, or other context. All pricing is in USD.\n \n| Severity |  Critical (9.0 - 10.0) | High (7.0 - 8.9) | Medium (4.0 - 6.9)  |   Low (0.1 - 3.9)  |\n| --- | --- | --- | --- | --- |\n| **Primary Targets**  | $3,000   |  $1,000   |  $500   | $250 |\n| **Secondary Targets**  |  $2,700    |  $750   |  $350   |   $200  |\n|**Other** | $2,100 | $500 | $200 | $100 |\n\nExploitable memory corruption reports in [workerd](https://github.com/cloudflare/workerd) will be awarded $10,000.\nV8 bugs are not in scope for this program. 
Please report them at https://v8.dev/docs/security-bugs.\n\n# Response Times\n* First Response: 2 days \n* Time to Triage: 2 days\n* Time to Bounty: 10 days\n* Time to Resolution: depends on severity and complexity\n\n# Collaborate with other hackers!\nIf your report is the product of collaboration, please add your collaborators before a bounty is awarded. [Let us know here](https://docs.google.com/forms/d/e/1FAIpQLSdGCbnBDcATSFeByRG0f5pBMRpEAzuJ0wXPC3jlscp3F7qOwg/viewform?urp=gmail_link) if you have questions!\n \n# Program Rules\n* By participating in this program, you agree to not discuss or otherwise disclose your ongoing work under this program or any vulnerabilities with parties outside of the program without explicit consent from Cloudflare, except as provided below.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward. Eligibility for rewards is at Cloudflare’s sole discretion.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities in order to demonstrate impact.\n* Once you find a vulnerability, report it and reach out to us before pivoting \n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded only one bounty.\n* Do not store any Cloudflare IP or PII information once the report is submitted\n \n# Scope\nPlease see our classifications for primary targets and secondary targets. We may still reward reports with significant security impact on anything owned by Cloudflare, so we encourage you to report such bugs via this program.\n \n## Scope: Primary Targets\nProducts listed under the Cloudflare Products tab on [our website](https://www.cloudflare.com/) are in scope as a primary target, excluding our China network which is hosted by a partner. 
Current in scope products include:\n* Stream\n* 1.1.1.1 resolver\n* 1.1.1.1/WARP Android and iOS apps\n* Magic Transit\n* Cloudflare Pages\n* Cloudflare Workers\n* Cloudflare Tunnel\n* Spectrum\n* Load Balancing\n* AMP Real URL\n* CDNJS\n* Bot Management\n* WAF\n* WARP clients (desktop/mobile)\n* [workerd](https://github.com/cloudflare/workerd)\n* Cloudflare D1\n* Cloudflare DNS \n* Cloudflare CASB\n* Cloudflare Access \n*  Cache\n* Magic Firewall\n* Zaraz\n* China Network\n* API Shield\n* Gateway\n* Browser Isolation\n* Images\n* AI Platform (Constellation, Vectorize)\n* Workers KV\n* Hyperdrive\n* Durable Objects\n* Rate Limiting \n* Analytics\n* Turnstile\n* Waiting Room\n* Magic WAN\n* DLP\n* SSL/TLS\n\n## Scope: Secondary Targets\n* dash.cloudflare.com\n* one.dash.cloudflare.com\n* APIs listed on api.cloudflare.com\n \n## Scope: Other\n*  *.cloudflare.com (e.g. blog.cloudflare.com, www.cloudflare.com, etc.)\n* Open source products created by Cloudflare (github.com/cloudflare)\n* *.cloudflarepartners.com\n* Anything owned by Cloudflare not listed in primary targets (e.g. cloudflareworkers.com, rpki.cloudflare.com, etc.)\n \n# Ineligible Vulnerability Types\nCloudflare does not consider the following to be eligible vulnerabilities under this program. In most cases, these issues will be closed as **Not Applicable:**\n\n## XSS in Cloudflare workers\nThe entire purpose of Workers is to allow customers to run their own Javascript, called from their website. As a consequence, it will be possible for visitors to the site to explicitly call those functions. However, Workers runs in an Iframe sandbox, disconnected from the rest of the customer's website. 
XSS attacks only impact security if they can run in the context of  dash.cloudflare.com or any domain where it affects the currently logged-in Cloudflare user.\n(https://sites.google.com/site/bughunteruniversity/nonvuln/xss-in-sandbox-domain)\n\n## Security issue on origin server\nA vulnerability is out of scope if it exists on the origin server and not in a service that Cloudflare provides. If an exploit relies on the reporter configuring their origin in an insecure and non-default/uncommon way (for example, think cache-poisoning, subdomain takeovers, etc.), we cannot fix the vulnerability.\n\n## Social Engineering\nAny form of social engineering attack will be considered out of scope. For example:\n* Pre-authenticated Clickjacking\n* Phishing\n* Impersonating Cloudflare in emails\n* Convincing customer support to do something on behalf of another user\n\n## WAF Bypasses\nWe consider WAF bypasses an enhancement to our WAF product rather than bugs, and any related reports will be closed out as Informative. All WAF bypass reports need to be reproducible on our test site https://waf.cumulusfire.net/xss. You are free to use this site for testing. WAF bypasses that are considered innovative or interesting may receive a bonus at the program's discretion. WAF bypass reports may also be closed as Duplicate if they are similar to past submissions.\n \n## Broken Links and abandoned cloud resources\nWe consider fixes for reported broken links, including links to abandoned cloud resources, as enhancements to our products and websites rather than bugs. Reports of broken links will not be awarded. Cloud resource takeovers will be awarded a payout of $50 unless an actual vulnerability is demonstrated by a proof-of-concept. If a PoC is provided, it will be awarded in accordance with the standard rewards table.\n\n# Out of Scope\nWe will accept out of scope reports and evaluate them on a case-by-case basis in our sole discretion. 
\n\nThe following issues are considered out of scope:\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Subdomain takeovers under *.cdn.cloudflare.net\n* Attacks to servers under *.cdn.cloudflare.net (These servers belong to our customers and are not maintained by Cloudflare).\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing Best Practice, Configuration or Policy Suggestions including SSL/TLS configurations.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Output from Automated Scanners without a PoC to demonstrate a specific vulnerability.\n* Lack of Secure or HTTP only flag on non-sensitive cookies.\n* Email configuration issues without a PoC to demonstrate a specific flaw.\n* Broken links without demonstrating an attack\n* SaaS applications, even if published under the cloudflare.com domain. \n* Open redirects without demonstrating an attack\n* All Area1 products are currently out of scope\n* Issues with apps on the Cloudflare marketplace that are created by third parties\n \nNote: We have identified a problem in our sanitization library on dash.cloudflare.com which can cause XSS. We are aware of the issue and are working to fix it. We will not award bounties for XSS reported on dash.cloudflare.com as it would be a duplicate report. Thank you to the researchers who originally reported this issue. This note will be removed once the issue is fixed.\n \nNote: Mobilesdk is a product that we are sunsetting. 
Bounty for reports on this product will be awarded on a case-by-case basis at our sole discretion.\nAny of the activities below will result in disqualification from the program permanently:\n* Social engineering of Cloudflare employees, contractors, vendors, or service providers.\n* Physical attacks against Cloudflare employees, offices, and data centers.\n* Any Denial of Service attacks against Cloudflare and our products.\n* Any vulnerability obtained through the compromise of a Cloudflare customer or employee account. Please create a free account to test potential vulnerabilities. \n* Attempts to access/compromise customer assets that use Cloudflare.\n* Attempts to access/compromise Cloudflare's China network.\n* Attempts to access/compromise any 3rd party vendor that Cloudflare uses.\n* Attacks against the integrity of Cloudflare customers.\n \n# Guidelines for Testing\nPlease be considerate when testing our infrastructure. Failure to follow these guidelines will lead to disqualification from the Cloudflare Bug Bounty program.\n* Make sure that scanners have a narrow scope set that is limited to authorized Cloudflare IPs only. Aggressive, overly broad scans or those which include Cloudflare customer IPs without permission will be considered invalid.\n* Do not send unsolicited bulk messages (spam) or unauthorized messages.\n* Do not knowingly post, transmit, upload, link to, or send any malware.\n* Do not attack Cloudflare customers, partners or suppliers.\n* Testing should be done from a Cloudflare account associated with your @wearehackerone.com email address.\n \n# Reporting\nIf you believe you have found a security vulnerability that could impact Cloudflare or our users, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. 
We ask that you follow Cloudflare's [Vulnerability Disclosure Policy](https://www.cloudflare.com/disclosure/) and HackerOne's [Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines) and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research.\n \n# Recommended Report Format\nSubmitting high quality reports is highly encouraged. Please address the following bits of information in your report to demonstrate the quality of the vulnerability. Reports that are low quality and unclear will be closed. This recommended format will help you create a report that is in a readable format and contains all the information needed by Cloudflare.\n* Affected target, feature, or URL:\n* Description of problem:\n* Impact of the issue:\n* Steps to reproduce:\n* Proof of Concept:\n* Is knowledge of this issue currently public?\n \n# Eligibility \nIn order for your submission to be eligible:\n* You must agree to this policy.\n* You must be the first person to responsibly disclose an unknown issue.\n* Follow the testing guidelines set above.\n* All attacks must be executed against your own test environment. You can sign up for a free Cloudflare account and use it for testing. **DO NOT ATTACK CLOUDFLARE'S CUSTOMERS.**\n\nAll legitimate reports will be reviewed and assessed by Cloudflare's security team to determine eligibility.\n\n# Disclosure\nCloudflare wants to review and approve any public disclosure. We approve disclosures when the issue is resolved or has passed 90 days since acceptance. \nIf you want to publicly share your research about Cloudflare at a conference, in a blog or any other public forum, you should share a draft with us for review and approval at least 7 days prior to the publication date. 
Please note that the following should not be included:\n* Data regarding any Cloudflare customer instances\n* Cloudflare customers' data\n* information about Cloudflare employees, contractors or partners\n \n\n# Privacy Policy, Restrictions and Taxes\nCloudflare maintains both a [privacy policy](https://www.cloudflare.com/privacypolicy/) and [transparency report](https://www.cloudflare.com/transparency/).\n \nAs mentioned in our Privacy and Security Policy, Cloudflare's website and services are not intended for, or designed to attract individuals under the age of 18. Due to the Children's Online Privacy Protection Act (COPPA), we cannot accept submissions from children under the age of 13. Reporters under the age of 18 will not be eligible to receive Cloudflare service rewards. We may find another way to recognize your effort at our discretion.\n \nThis program is not open to any individual on, or anyone residing in any country on, any U.S. sanctions lists. Cloudflare employees and their family members are not eligible for bounties.\n \nThe decision to pay a reward is entirely at our discretion. You must not violate any law. You are responsible for any tax implications or additional restrictions depending on your country and local law. We reserve the right to cancel this program at any time.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-10-26T18:48:42.959Z"},{"id":3705946,"new_policy":"# Our Values\nCloudflare appreciates the work of security researchers, and we take security, trust, and transparency seriously. 
We developed a program to make it easier to report vulnerabilities to Cloudflare and to recognize you for your efforts to make the Internet a better place.\n\nFor research into our products, good starting points include our [Developer documentation](https://developers.cloudflare.com/docs/), [API documentation](https://api.cloudflare.com/#getting-started-endpoints), the [Learning Center](https://www.cloudflare.com/learning/), and any material on the [Cloudflare support forums](https://community.cloudflare.com/).\n \n# Rewards\nCloudflare awards bounties based on severity using the Common Vulnerability Scoring Standard (CVSS) version 3.\n \nPlease note that these are general guidelines for rewards, and that reward decisions are at the discretion of Cloudflare. Issues may receive a lower severity rating due to mitigating factors, Cloudflare’s assessment of business risk, or other context. All pricing is in USD.\n \n| Severity |  Critical (9.0 - 10.0) | High (7.0 - 8.9) | Medium (4.0 - 6.9)  |   Low (0.1 - 3.9)  |\n| --- | --- | --- | --- | --- |\n| **Primary Targets**  | $3,000   |  $1,000   |  $500   | $250 |\n| **Secondary Targets**  |  $2,700    |  $750   |  $350   |   $200  |\n|**Other** | $2,100 | $500 | $200 | $100 |\n\nExploitable memory corruption reports in [workerd](https://github.com/cloudflare/workerd) will be awarded $10,000.\nV8 bugs are not in scope for this program. Please report them at https://v8.dev/docs/security-bugs.\n\n# Response Times\n* First Response: 2 days \n* Time to Triage: 2 days\n* Time to Bounty: 10 days\n* Time to Resolution: depends on severity and complexity\n\n# Collaborate with other hackers!\nIf your report is the product of collaboration, please add your collaborators before a bounty is awarded. 
[Let us know here](https://docs.google.com/forms/d/e/1FAIpQLSdGCbnBDcATSFeByRG0f5pBMRpEAzuJ0wXPC3jlscp3F7qOwg/viewform?urp=gmail_link) if you have questions!\n \n# Program Rules\n* By participating in this program, you agree to not discuss or otherwise disclose your ongoing work under this program or any vulnerabilities with parties outside of the program without explicit consent from Cloudflare, except as provided below.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward. Eligibility for rewards is at Cloudflare’s sole discretion.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities in order to demonstrate impact.\n* Once you find a vulnerability, report it and reach out to us before pivoting \n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded only one bounty.\n* Do not store any Cloudflare IP or PII information once the report is submitted\n \n# Scope\nPlease see our classifications for primary targets and secondary targets. We may still reward reports with significant security impact on anything owned by Cloudflare, so we encourage you to report such bugs via this program.\n \n## Scope: Primary Targets\nProducts listed under the Cloudflare Products tab on [our website](https://www.cloudflare.com/) are in scope as a primary target, excluding our China network which is hosted by a partner. 
Current in scope products include:\n* Stream\n* 1.1.1.1 resolver\n* 1.1.1.1/WARP Android and iOS apps\n* Magic Transit\n* Cloudflare Pages\n* Cloudflare Workers\n* Cloudflare Tunnel\n* Spectrum\n* Load Balancing\n* AMP Real URL\n* CDNJS\n* Bot Management\n* WAF\n* WARP clients (desktop/mobile)\n* [workerd](https://github.com/cloudflare/workerd)\n* Cloudflare D1\n* Cloudflare DNS \n* Cloudflare CASB\n* Cloudflare Access \n*  Cache\n* Magic Firewall\n* Zaraz\n* China Network\n* API Shield\n* Gateway\n* Browser Isolation\n* Images\n* AI Platform (Constellation, Vectorize)\n* Workers KV\n* Hyperdrive\n* Durable Objects\n* Rate Limiting \n* Analytics\n* Turnstile\n* Waiting Room\n* Magic WAN\n* DLP\n* SSL/TLS\n\n## Scope: Secondary Targets\n* dash.cloudflare.com\n* one.dash.cloudflare.com\n* APIs listed on api.cloudflare.com\n \n## Scope: Other\n*  *.cloudflare.com (e.g. blog.cloudflare.com, www.cloudflare.com, etc.)\n* Open source products created by Cloudflare (github.com/cloudflare)\n* *.cloudflarepartners.com\n* Anything owned by Cloudflare not listed in primary targets (e.g. cloudflareworkers.com, rpki.cloudflare.com, etc.)\n \n# Ineligible Vulnerability Types\nCloudflare does not consider the following to be eligible vulnerabilities under this program. In most cases, these issues will be closed as **Not Applicable:**\n\n## XSS in Cloudflare workers\nThe entire purpose of Workers is to allow customers to run their own Javascript, called from their website. As a consequence, it will be possible for visitors to the site to explicitly call those functions. However, Workers runs in an Iframe sandbox, disconnected from the rest of the customer's website. 
XSS attacks only impact security if they can run in the context of  dash.cloudflare.com or any domain where it affects the currently logged-in Cloudflare user.\n(https://sites.google.com/site/bughunteruniversity/nonvuln/xss-in-sandbox-domain)\n\n## Security issue on origin server\nA vulnerability is out of scope if it exists on the origin server and not in a service that Cloudflare provides. If an exploit relies on the reporter configuring their origin in an insecure and non-default/uncommon way (for example, think cache-poisoning, subdomain takeovers, etc.), we cannot fix the vulnerability.\n\n## Social Engineering\nAny form of social engineering attack will be considered out of scope. For example:\n* Pre-authenticated Clickjacking\n* Phishing\n* Impersonating Cloudflare in emails\n* Convincing customer support to do something on behalf of another user\n\n## WAF Bypasses\nWe consider WAF bypasses an enhancement to our WAF product rather than bugs, and any related reports will be closed out as Informative. All WAF bypass reports need to be reproducible on our test site https://waf.cumulusfire.net/xss. You are free to use this site for testing. WAF bypasses that are considered innovative or interesting may receive a bonus at the program's discretion. WAF bypass reports may also be closed as Duplicate if they are similar to past submissions.\n \n## Broken Links and abandoned cloud resources\nWe consider fixes for reported broken links, including links to abandoned cloud resources, as enhancements to our products and websites rather than bugs. Reports of broken links will not be awarded. Cloud resource takeovers will be awarded a payout of $50 unless an actual vulnerability is demonstrated by a proof-of-concept. If a PoC is provided, it will be awarded in accordance with the standard rewards table.\n\n# Out of Scope\nWe will accept out of scope reports and evaluate them on a case-by-case basis in our sole discretion. 
\n\nThe following issues are considered out of scope:\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Subdomain takeovers under *.cdn.cloudflare.net\n* Attacks to servers under *.cdn.cloudflare.net (These servers belong to our customers and are not maintained by Cloudflare).\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing Best Practice, Configuration or Policy Suggestions including SSL/TLS configurations.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Output from Automated Scanners without a PoC to demonstrate a specific vulnerability.\n* Lack of Secure or HTTP only flag on non-sensitive cookies.\n* Email configuration issues without a PoC to demonstrate a specific flaw.\n* Broken links without demonstrating an attack\n* SaaS applications, even if published under the cloudflare.com domain. \n* Open redirects without demonstrating an attack\n* All Area1 products are currently out of scope\n* Issues with apps on the Cloudflare marketplace that are created by third parties\n \nNote: We have identified a problem in our sanitization library on dash.cloudflare.com which can cause XSS. We are aware of the issue and are working to fix it. We will not award bounties for XSS reported on dash.cloudflare.com as it would be a duplicate report. Thank you to the researchers who originally reported this issue. This note will be removed once the issue is fixed.\n \nNote: Mobilesdk is a product that we are sunsetting. 
Bounty for reports on this product will be awarded on a case-by-case basis at our sole discretion.\nAny of the activities below will result in disqualification from the program permanently:\n* Social engineering of Cloudflare employees, contractors, vendors, or service providers.\n* Physical attacks against Cloudflare employees, offices, and data centers.\n* Any Denial of Service attacks against Cloudflare and our products.\n* Any vulnerability obtained through the compromise of a Cloudflare customer or employee account. Please create a free account to test potential vulnerabilities. \n* Attempts to access/compromise customer assets that use Cloudflare.\n* Attempts to access/compromise Cloudflare's China network.\n* Attempts to access/compromise any 3rd party vendor that Cloudflare uses.\n* Attacks against the integrity of Cloudflare customers.\n \n# Guidelines for Testing\nPlease be considerate when testing our infrastructure. Failure to follow these guidelines will lead to disqualification from the Cloudflare Bug Bounty program.\n* Make sure that scanners have a narrow scope set that is limited to authorized Cloudflare IPs only. Aggressive, overly broad scans or those which include Cloudflare customer IPs without permission will be considered invalid.\n* Do not send unsolicited bulk messages (spam) or unauthorized messages.\n* Do not knowingly post, transmit, upload, link to, or send any malware.\n* Do not attack Cloudflare customers, partners or suppliers.\n* Testing should be done from a Cloudflare account associated with your @wearehackerone.com email address.\n \n# Reporting\nIf you believe you have found a security vulnerability that could impact Cloudflare or our users, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. 
We ask that you follow Cloudflare's [Vulnerability Disclosure Policy](https://www.cloudflare.com/disclosure/) and HackerOne's [Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines) and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research.\n \n# Recommended Report Format\nSubmitting high quality reports is highly encouraged. Please address the following bits of information in your report to demonstrate the quality of the vulnerability. Reports that are low quality and unclear will be closed. This recommended format will help you create a report that is in a readable format and contains all the information needed by Cloudflare.\n* Affected target, feature, or URL:\n* Description of problem:\n* Impact of the issue:\n* Steps to reproduce:\n* Proof of Concept:\n* Is knowledge of this issue currently public?\n \n# Eligibility \nIn order for your submission to be eligible:\n* You must agree to this policy.\n* You must be the first person to responsibly disclose an unknown issue.\n* Follow the testing guidelines set above.\n* All attacks must be executed against your own test environment. You can sign up for a free Cloudflare account and use it for testing. **DO NOT ATTACK CLOUDFLARE'S CUSTOMERS.**\n\nAll legitimate reports will be reviewed and assessed by Cloudflare's security team to determine eligibility.\n\n# Disclosure\n\nCloudflare wants to review and approve any public disclosure. We approve disclosures when the issue is resolved or has passed 90 days since acceptance. \nIf you want to publicly share your research about Cloudflare at a conference, in a blog or any other public forum, you should share a draft with us for review and approval at least 7 days prior to the publication date. 
Please note that the following should not be included:\n* Data regarding any Cloudflare customer instances\n* Cloudflare customers' data\n* information about Cloudflare employees, contractors or partners\n \n# Privacy Policy, Restrictions and Taxes\nCloudflare maintains both a [privacy policy](https://www.cloudflare.com/privacypolicy/) and [transparency report](https://www.cloudflare.com/transparency/).\n \nAs mentioned in our Privacy and Security Policy, Cloudflare's website and services are not intended for, or designed to attract individuals under the age of 18. Due to the Children's Online Privacy Protection Act (COPPA), we cannot accept submissions from children under the age of 13. Reporters under the age of 18 will not be eligible to receive Cloudflare service rewards. We may find another way to recognize your effort at our discretion.\n \nThis program is not open to any individual on, or anyone residing in any country on, any U.S. sanctions lists. Cloudflare employees and their family members are not eligible for bounties.\n \nThe decision to pay a reward is entirely at our discretion. You must not violate any law. You are responsible for any tax implications or additional restrictions depending on your country and local law. We reserve the right to cancel this program at any time.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-10-26T18:33:58.151Z"},{"id":3705560,"new_policy":"# Our Values\nCloudflare appreciates the work of security researchers, and we take security, trust, and transparency seriously. 
We developed a program to make it easier to report vulnerabilities to Cloudflare and to recognize you for your efforts to make the Internet a better place.\n\nFor research into our products, good starting points include our [Developer documentation](https://developers.cloudflare.com/docs/), [API documentation](https://api.cloudflare.com/#getting-started-endpoints), the [Learning Center](https://www.cloudflare.com/learning/), and any material on the [Cloudflare support forums](https://community.cloudflare.com/).\n \n# Rewards\nCloudflare awards bounties based on severity using the Common Vulnerability Scoring Standard (CVSS) version 3.\n \nPlease note that these are general guidelines for rewards, and that reward decisions are at the discretion of Cloudflare. Issues may receive a lower severity rating due to mitigating factors, Cloudflare’s assessment of business risk, or other context. All pricing is in USD.\n \n| Severity |  Critical (9.0 - 10.0) | High (7.0 - 8.9) | Medium (4.0 - 6.9)  |   Low (0.1 - 3.9)  |\n| --- | --- | --- | --- | --- |\n| **Primary Targets**  | $3,000   |  $1,000   |  $500   | $250 |\n| **Secondary Targets**  |  $2,700    |  $750   |  $350   |   $200  |\n|**Other** | $2,100 | $500 | $200 | $100 |\n\nExploitable memory corruption reports in [workerd](https://github.com/cloudflare/workerd) will be awarded $10,000.\nV8 bugs are not in scope for this program. Please report them at https://v8.dev/docs/security-bugs.\n\n# Response Times\n* First Response: 2 days \n* Time to Triage: 2 days\n* Time to Bounty: 10 days\n* Time to Resolution: depends on severity and complexity\n\n# Collaborate with other hackers!\nIf your report is the product of collaboration, please add your collaborators before a bounty is awarded. 
[Let us know here](https://docs.google.com/forms/d/e/1FAIpQLSdGCbnBDcATSFeByRG0f5pBMRpEAzuJ0wXPC3jlscp3F7qOwg/viewform?urp=gmail_link) if you have questions!\n \n# Program Rules\n* By participating in this program, you agree to not discuss or otherwise disclose your ongoing work under this program or any vulnerabilities with parties outside of the program without explicit consent from Cloudflare, except as provided below.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward. Eligibility for rewards is at Cloudflare’s sole discretion.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities in order to demonstrate impact.\n* Once you find a vulnerability, report it and reach out to us before pivoting \n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded only one bounty.\n* Do not store any Cloudflare IP or PII information once the report is submitted\n \n# Scope\nPlease see our classifications for primary targets and secondary targets. We may still reward reports with significant security impact on anything owned by Cloudflare, so we encourage you to report such bugs via this program.\n \n## Scope: Primary Targets\nProducts listed under the Cloudflare Products tab on [our website](https://www.cloudflare.com/) are in scope as a primary target, excluding our China network which is hosted by a partner. 
Current in scope products include:\n* Stream\n* 1.1.1.1 resolver\n* 1.1.1.1/WARP Android and iOS apps\n* Magic Transit\n* Cloudflare Pages\n* Cloudflare Workers\n* Cloudflare Tunnel\n* Spectrum\n* Load Balancing\n* AMP Real URL\n* CDNJS\n* Bot Management\n* WAF\n* WARP clients (desktop/mobile)\n* [workerd](https://github.com/cloudflare/workerd)\n* Cloudflare D1\n* Cloudflare DNS \n* Cloudflare CASB\n* Cloudflare Access \n*  Cache\n* Magic Firewall\n* Zaraz\n* China Network\n* API Shield\n* Gateway\n* Browser Isolation\n* Images\n* AI Platform (Constellation, Vectorize)\n* Workers KV\n* Hyperdrive\n* Durable Objects\n* Rate Limiting \n* Analytics\n* Turnstile\n* Waiting Room\n* Magic WAN\n* DLP\n* SSL/TLS\n\n## Scope: Secondary Targets\n* dash.cloudflare.com\n* one.dash.cloudflare.com\n* APIs listed on api.cloudflare.com\n \n## Scope: Other\n*  *.cloudflare.com (e.g. blog.cloudflare.com, www.cloudflare.com, etc.)\n* Open source products created by Cloudflare (github.com/cloudflare)\n* *.cloudflarepartners.com\n* Anything owned by Cloudflare not listed in primary targets (e.g. cloudflareworkers.com, rpki.cloudflare.com, etc.)\n \n# Ineligible Vulnerability Types\nCloudflare does not consider the following to be eligible vulnerabilities under this program. In most cases, these issues will be closed as **Not Applicable:**\n\n## XSS in Cloudflare workers\nThe entire purpose of Workers is to allow customers to run their own Javascript, called from their website. As a consequence, it will be possible for visitors to the site to explicitly call those functions. However, Workers runs in an Iframe sandbox, disconnected from the rest of the customer's website. 
XSS attacks only impact security if they can run in the context of  dash.cloudflare.com or any domain where it affects the currently logged-in Cloudflare user.\n(https://sites.google.com/site/bughunteruniversity/nonvuln/xss-in-sandbox-domain)\n\n## Security issue on origin server\nA vulnerability is out of scope if it exists on the origin server and not in a service that Cloudflare provides. If an exploit relies on the reporter configuring their origin in an insecure and non-default/uncommon way (for example, think cache-poisoning, subdomain takeovers, etc.), we cannot fix the vulnerability.\n\n## Social Engineering\nAny form of social engineering attack will be considered out of scope. For example:\n* Pre-authenticated Clickjacking\n* Phishing\n* Impersonating Cloudflare in emails\n* Convincing customer support to do something on behalf of another user\n\n## WAF Bypasses\nWe consider WAF bypasses an enhancement to our WAF product rather than bugs, and any related reports will be closed out as Informative. All WAF bypass reports need to be reproducible on our test site https://waf.cumulusfire.net/xss. You are free to use this site for testing. WAF bypasses that are considered innovative or interesting may receive a bonus at the program's discretion. WAF bypass reports may also be closed as Duplicate if they are similar to past submissions.\n \n## Broken Links and abandoned cloud resources\nWe consider fixes for reported broken links, including links to abandoned cloud resources, as enhancements to our products and websites rather than bugs. Reports of broken links will not be awarded. Cloud resource takeovers will be awarded a payout of $50 unless an actual vulnerability is demonstrated by a proof-of-concept. If a PoC is provided, it will be awarded in accordance with the standard rewards table.\n\n# Out of Scope\nWe will accept out of scope reports and evaluate them on a case-by-case basis in our sole discretion. 
\n\nThe following issues are considered out of scope:\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Subdomain takeovers under *.cdn.cloudflare.net\n* Attacks to servers under *.cdn.cloudflare.net (These servers belong to our customers and are not maintained by Cloudflare).\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing Best Practice, Configuration or Policy Suggestions including SSL/TLS configurations.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Output from Automated Scanners without a PoC to demonstrate a specific vulnerability.\n* Lack of Secure or HTTP only flag on non-sensitive cookies.\n* Email configuration issues without a PoC to demonstrate a specific flaw.\n* Broken links without demonstrating an attack\n* SaaS applications, even if published under the cloudflare.com domain. \n* Open redirects without demonstrating an attack\n* All Area1 products are currently out of scope\n* Issues with apps on the Cloudflare marketplace that are created by third parties\n \nNote: We have identified a problem in our sanitization library on dash.cloudflare.com which can cause XSS. We are aware of the issue and are working to fix it. We will not award bounties for XSS reported on dash.cloudflare.com as it would be a duplicate report. Thank you to the researchers who originally reported this issue. This note will be removed once the issue is fixed.\n \nNote: Mobilesdk is a product that we are sunsetting. 
Bounty for reports on this product will be awarded on a case-by-case basis at our sole discretion.\nAny of the activities below will result in disqualification from the program permanently:\n* Social engineering of Cloudflare employees, contractors, vendors, or service providers.\n* Physical attacks against Cloudflare employees, offices, and data centers.\n* Any Denial of Service attacks against Cloudflare and our products.\n* Any vulnerability obtained through the compromise of a Cloudflare customer or employee account. Please create a free account to test potential vulnerabilities. \n* Attempts to access/compromise customer assets that use Cloudflare.\n* Attempts to access/compromise Cloudflare's China network.\n* Attempts to access/compromise any 3rd party vendor that Cloudflare uses.\n* Attacks against the integrity of Cloudflare customers.\n \n# Guidelines for Testing\nPlease be considerate when testing our infrastructure. Failure to follow these guidelines will lead to disqualification from the Cloudflare Bug Bounty program.\n* Make sure that scanners have a narrow scope set that is limited to authorized Cloudflare IPs only. Aggressive, overly broad scans or those which include Cloudflare customer IPs without permission will be considered invalid.\n* Do not send unsolicited bulk messages (spam) or unauthorized messages.\n* Do not knowingly post, transmit, upload, link to, or send any malware.\n* Do not attack Cloudflare customers, partners or suppliers.\n* Testing should be done from a Cloudflare account associated with your @wearehackerone.com email address.\n \n# Reporting\nIf you believe you have found a security vulnerability that could impact Cloudflare or our users, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. 
We ask that you follow Cloudflare's [Vulnerability Disclosure Policy](https://www.cloudflare.com/disclosure/) and HackerOne's [Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines) and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research.\n \n# Recommended Report Format\nSubmitting high quality reports is highly encouraged. Please address the following bits of information in your report to demonstrate the quality of the vulnerability. Reports that are low quality and unclear will be closed. This recommended format will help you create a report that is in a readable format and contains all the information needed by Cloudflare.\n* Affected target, feature, or URL:\n* Description of problem:\n* Impact of the issue:\n* Steps to reproduce:\n* Proof of Concept:\n* Is knowledge of this issue currently public?\n \n# Eligibility \nIn order for your submission to be eligible:\n* You must agree to this policy.\n* You must be the first person to responsibly disclose an unknown issue.\n* Follow the testing guidelines set above.\n* All attacks must be executed against your own test environment. You can sign up for a free Cloudflare account and use it for testing. **DO NOT ATTACK CLOUDFLARE'S CUSTOMERS.**\n\nAll legitimate reports will be reviewed and assessed by Cloudflare's security team to determine eligibility.\n\n# Disclosure\n\nWe permit you to disclose your research publicly, subject to our review and approval, once the issue has been resolved or 90 days has passed, whichever comes first. If you are planning to share information about your research publicly at a conference, in a blog, or any other public forum, you agree to share a draft with us for review and approval at least 7 days prior to the publication date. 
The following cannot be included in your publication:\n* Data regarding any Cloudflare customer instances\n* Cloudflare customers' data\n* information about Cloudflare employees, contractors or partners\n \n# Privacy Policy, Restrictions and Taxes\nCloudflare maintains both a [privacy policy](https://www.cloudflare.com/privacypolicy/) and [transparency report](https://www.cloudflare.com/transparency/).\n \nAs mentioned in our Privacy and Security Policy, Cloudflare's website and services are not intended for, or designed to attract individuals under the age of 18. Due to the Children's Online Privacy Protection Act (COPPA), we cannot accept submissions from children under the age of 13. Reporters under the age of 18 will not be eligible to receive Cloudflare service rewards. We may find another way to recognize your effort at our discretion.\n \nThis program is not open to any individual on, or anyone residing in any country on, any U.S. sanctions lists. Cloudflare employees and their family members are not eligible for bounties.\n \nThe decision to pay a reward is entirely at our discretion. You must not violate any law. You are responsible for any tax implications or additional restrictions depending on your country and local law. We reserve the right to cancel this program at any time.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-10-20T19:05:42.581Z"},{"id":3705424,"new_policy":"# Our Values\nCloudflare appreciates the work of security researchers, and we take security, trust, and transparency seriously. 
We developed a program to make it easier to report vulnerabilities to Cloudflare and to recognize you for your efforts to make the Internet a better place.\n\nFor research into our products, good starting points include our [Developer documentation](https://developers.cloudflare.com/docs/), [API documentation](https://api.cloudflare.com/#getting-started-endpoints), the [Learning Center](https://www.cloudflare.com/learning/), and any material on the [Cloudflare support forums](https://community.cloudflare.com/).\n \n# Rewards\nCloudflare awards bounties based on severity using the Common Vulnerability Scoring Standard (CVSS) version 3.\n \nPlease note that these are general guidelines for rewards, and that reward decisions are at the discretion of Cloudflare. Issues may receive a lower severity rating due to mitigating factors, Cloudflare’s assessment of business risk, or other context. All pricing is in USD.\n \n| Severity |  Critical (9.0 - 10.0) | High (7.0 - 8.9) | Medium (4.0 - 6.9)  |   Low (0.1 - 3.9)  |\n| --- | --- | --- | --- | --- |\n| **Primary Targets**  | $3,000   |  $1,000   |  $500   | $250 |\n| **Secondary Targets**  |  $2,700    |  $750   |  $350   |   $200  |\n|**Other** | $2,100 | $500 | $200 | $100 |\n\nExploitable memory corruption reports in [workerd](https://github.com/cloudflare/workerd) will be awarded $10,000.\nV8 bugs are not in scope for this program. Please report them at https://v8.dev/docs/security-bugs.\n\n# Response Times\n* First Response: 2 days \n* Time to Triage: 2 days\n* Time to Bounty: 10 days\n* Time to Resolution: depends on severity and complexity\n\n# Collaborate with other hackers!\nIf your report is the product of collaboration, please add your collaborators before a bounty is awarded. 
[Let us know here](https://docs.google.com/forms/d/e/1FAIpQLSdGCbnBDcATSFeByRG0f5pBMRpEAzuJ0wXPC3jlscp3F7qOwg/viewform?urp=gmail_link) if you have questions!\n \n# Program Rules\n* By participating in this program, you agree to not discuss or otherwise disclose your ongoing work under this program or any vulnerabilities with parties outside of the program without explicit consent from Cloudflare, except as provided below.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward. Eligibility for rewards is at Cloudflare’s sole discretion.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities in order to demonstrate impact.\n* Once you find a vulnerability, report it and reach out to us before pivoting \n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded only one bounty.\n* Do not store any Cloudflare IP or PII information once the report is submitted\n \n# Scope\nPlease see our classifications for primary targets and secondary targets. We may still reward reports with significant security impact on anything owned by Cloudflare, so we encourage you to report such bugs via this program.\n \n## Scope: Primary Targets\nProducts listed under the Cloudflare Products tab on [our website](https://www.cloudflare.com/) are in scope as a primary target, excluding our China network which is hosted by a partner. 
Current in scope products include:\n* [Stream](https://developers.cloudflare.com/stream/getting-started/)\n* [1.1.1.1 resolver](https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/)\n* 1.1.1.1/WARP Android and iOS apps\n* [Magic Transit](https://developers.cloudflare.com/magic-transit/)\n* [Cloudflare Pages](https://pages.cloudflare.com/)\n* [Cloudflare Workers](https://developers.cloudflare.com/workers/)\n* [Argo/Argo tunnel](https://developers.cloudflare.com/argo-tunnel/quickstart/)\n* [Spectrum](https://developers.cloudflare.com/spectrum/getting-started/)\n* [Load Balancing](https://developers.cloudflare.com/load-balancing/about/)\n* AMP Real URL\n* CDNJS\n* [Bot Management](https://developers.cloudflare.com/bots/)\n* [WAF](https://developers.cloudflare.com/waf/change-log/)\n* [Cloudflare Zero Trust/Cloudflare One](https://www.cloudflare.com/en-gb/products/zero-trust/)\n* [WARP clients (desktop/mobile)](https://1.1.1.1/)\n* [workerd](https://github.com/cloudflare/workerd)\n \n## Scope: Secondary Targets\n* dash.cloudflare.com\n* dash.teams.cloudflare.com\n* APIs listed on api.cloudflare.com\n \n## Scope: Other\n* *.cloudflare.com (e.g. blog.cloudflare.com, www.cloudflare.com, etc.)\n* Open source products created by Cloudflare (github.com/cloudflare)\n* Anything owned by Cloudflare not listed in primary targets (e.g. cloudflareworkers.com, rpki.cloudflare.com, etc.)\n \n \n# Ineligible Vulnerability Types\nCloudflare does not consider the following to be eligible vulnerabilities under this program. In most cases, these issues will be closed as **Not Applicable:**\n\n## XSS in Cloudflare workers\nThe entire purpose of Workers is to allow customers to run their own JavaScript, called from their website. As a consequence, it will be possible for visitors to the site to explicitly call those functions. However, Workers runs in an iframe sandbox, disconnected from the rest of the customer's website. 
XSS attacks only impact security if they can run in the context of  dash.cloudflare.com or any domain where it affects the currently logged-in Cloudflare user.\n(https://sites.google.com/site/bughunteruniversity/nonvuln/xss-in-sandbox-domain)\n\n## Security issue on origin server\nA vulnerability is out of scope if it exists on the origin server and not in a service that Cloudflare provides. If an exploit relies on the reporter configuring their origin in an insecure and non-default/uncommon way (for example, think cache-poisoning, subdomain takeovers, etc.), we cannot fix the vulnerability.\n\n## Social Engineering\nAny form of social engineering attack will be considered out of scope. For example:\n* Pre-authenticated Clickjacking\n* Phishing\n* Impersonating Cloudflare in emails\n* Convincing customer support to do something on behalf of another user\n\n## WAF Bypasses\nWe consider WAF bypasses an enhancement to our WAF product rather than bugs, and any related reports will be closed out as Informative. All WAF bypass reports need to be reproducible on our test site https://waf.cumulusfire.net/xss. You are free to use this site for testing. WAF bypasses that are considered innovative or interesting may receive a bonus at the program's discretion. WAF bypass reports may also be closed as Duplicate if they are similar to past submissions.\n \n## Broken Links and abandoned cloud resources\nWe consider fixes for reported broken links, including links to abandoned cloud resources, as enhancements to our products and websites rather than bugs. Reports of broken links will not be awarded. Cloud resource takeovers will be awarded a payout of $50 unless an actual vulnerability is demonstrated by a proof-of-concept. If a PoC is provided, it will be awarded in accordance with the standard rewards table.\n\n# Out of Scope\nWe will accept out of scope reports and evaluate them on a case-by-case basis in our sole discretion. 
\n\nThe following issues are considered out of scope:\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Subdomain takeovers under *.cdn.cloudflare.net\n* Attacks to servers under *.cdn.cloudflare.net (These servers belong to our customers and are not maintained by Cloudflare).\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing Best Practice, Configuration or Policy Suggestions including SSL/TLS configurations.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Output from Automated Scanners without a PoC to demonstrate a specific vulnerability.\n* Lack of Secure or HTTP only flag on non-sensitive cookies.\n* Email configuration issues without a PoC to demonstrate a specific flaw.\n* Broken links without demonstrating an attack\n* SaaS applications, even if published under the cloudflare.com domain. \n* Open redirects without demonstrating an attack\n* All Area1 products are currently out of scope\n* Issues with apps on the Cloudflare marketplace that are created by third parties\n \nNote: We have identified a problem in our sanitization library on dash.cloudflare.com which can cause XSS. We are aware of the issue and are working to fix it. We will not award bounties for XSS reported on dash.cloudflare.com as it would be a duplicate report. Thank you to the researchers who originally reported this issue. This note will be removed once the issue is fixed.\n \nNote: Mobilesdk is a product that we are sunsetting. 
Bounty for reports on this product will be awarded on a case-by-case basis at our sole discretion.\nAny of the activities below will result in disqualification from the program permanently:\n* Social engineering of Cloudflare employees, contractors, vendors, or service providers.\n* Physical attacks against Cloudflare employees, offices, and data centers.\n* Any Denial of Service attacks against Cloudflare and our products.\n* Any vulnerability obtained through the compromise of a Cloudflare customer or employee account. Please create a free account to test potential vulnerabilities. \n* Attempts to access/compromise customer assets that use Cloudflare.\n* Attempts to access/compromise Cloudflare's China network.\n* Attempts to access/compromise any 3rd party vendor that Cloudflare uses.\n* Attacks against the integrity of Cloudflare customers.\n \n# Guidelines for Testing\nPlease be considerate when testing our infrastructure. Failure to follow these guidelines will lead to disqualification from the Cloudflare Bug Bounty program.\n* Make sure that scanners have a narrow scope set that is limited to authorized Cloudflare IPs only. Aggressive, overly broad scans or those which include Cloudflare customer IPs without permission will be considered invalid.\n* Do not send unsolicited bulk messages (spam) or unauthorized messages.\n* Do not knowingly post, transmit, upload, link to, or send any malware.\n* Do not attack Cloudflare customers, partners or suppliers.\n* Testing should be done from a Cloudflare account associated with your @wearehackerone.com email address.\n \n# Reporting\nIf you believe you have found a security vulnerability that could impact Cloudflare or our users, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. 
We ask that you follow Cloudflare's [Vulnerability Disclosure Policy](https://www.cloudflare.com/disclosure/) and HackerOne's [Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines) and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research.\n \n# Recommended Report Format\nSubmitting high quality reports is highly encouraged. Please address the following bits of information in your report to demonstrate the quality of the vulnerability. Reports that are low quality and unclear will be closed. This recommended format will help you create a report that is in a readable format and contains all the information needed by Cloudflare.\n* Affected target, feature, or URL:\n* Description of problem:\n* Impact of the issue:\n* Steps to reproduce:\n* Proof of Concept:\n* Is knowledge of this issue currently public?\n \n# Eligibility \nIn order for your submission to be eligible:\n* You must agree to this policy.\n* You must be the first person to responsibly disclose an unknown issue.\n* Follow the testing guidelines set above.\n* All attacks must be executed against your own test environment. You can sign up for a free Cloudflare account and use it for testing. **DO NOT ATTACK CLOUDFLARE'S CUSTOMERS.**\n\nAll legitimate reports will be reviewed and assessed by Cloudflare's security team to determine eligibility.\n\n# Disclosure\n\nWe permit you to disclose your research publicly, subject to our review and approval, once the issue has been resolved or 90 days has passed, whichever comes first. If you are planning to share information about your research publicly at a conference, in a blog, or any other public forum, you agree to share a draft with us for review and approval at least 7 days prior to the publication date. 
The following cannot be included in your publication:\n* Data regarding any Cloudflare customer instances\n* Cloudflare customers' data\n* information about Cloudflare employees, contractors or partners\n \n# Privacy Policy, Restrictions and Taxes\nCloudflare maintains both a [privacy policy](https://www.cloudflare.com/privacypolicy/) and [transparency report](https://www.cloudflare.com/transparency/).\n \nAs mentioned in our Privacy and Security Policy, Cloudflare's website and services are not intended for, or designed to attract individuals under the age of 18. Due to the Children's Online Privacy Protection Act (COPPA), we cannot accept submissions from children under the age of 13. Reporters under the age of 18 will not be eligible to receive Cloudflare service rewards. We may find another way to recognize your effort at our discretion.\n \nThis program is not open to any individual on, or anyone residing in any country on, any U.S. sanctions lists. Cloudflare employees and their family members are not eligible for bounties.\n \nThe decision to pay a reward is entirely at our discretion. You must not violate any law. You are responsible for any tax implications or additional restrictions depending on your country and local law. We reserve the right to cancel this program at any time.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-10-18T23:02:48.468Z"},{"id":3686270,"new_policy":"# Our Values\nCloudflare appreciates the work of security researchers, and we take security, trust, and transparency seriously. 
We developed a program to make it easier to report vulnerabilities to Cloudflare and to recognize you for your efforts to make the Internet a better place.\n\nFor research into our products, good starting points include our [Developer documentation](https://developers.cloudflare.com/docs/), [API documentation](https://api.cloudflare.com/#getting-started-endpoints), the [Learning Center](https://www.cloudflare.com/learning/), and any material on the [Cloudflare support forums](https://community.cloudflare.com/).\n \n# Rewards\nCloudflare awards bounties based on severity using the Common Vulnerability Scoring Standard (CVSS) version 3.\n \nPlease note that these are general guidelines for rewards, and that reward decisions are at the discretion of Cloudflare. Issues may receive a lower severity rating due to mitigating factors, Cloudflare’s assessment of business risk, or other context. All pricing is in USD.\n \n| Severity |  Critical (9.0 - 10.0) | High (7.0 - 8.9) | Medium (4.0 - 6.9)  |   Low (0.1 - 3.9)  |\n| --- | --- | --- | --- | --- |\n| **Primary Targets**  | $3,000   |  $1,000   |  $500   | $250 |\n| **Secondary Targets**  |  $2,700    |  $750   |  $350   |   $200  |\n|**Other** | $2,100 | $500 | $200 | $100 |\n\nExploitable memory corruption reports in [workerd](https://github.com/cloudflare/workerd) will be awarded $10,000.\nV8 bugs are not in scope for this program. Please report them at https://v8.dev/docs/security-bugs.\n\n# Response Times\n* First Response: 2 days \n* Time to Triage: 2 days\n* Time to Bounty: 10 days\n* Time to Resolution: depends on severity and complexity\n\n# Collaborate with other hackers!\nIf your report is the product of collaboration, please add your collaborators before a bounty is awarded. 
[Let us know here](https://docs.google.com/forms/d/e/1FAIpQLSdGCbnBDcATSFeByRG0f5pBMRpEAzuJ0wXPC3jlscp3F7qOwg/viewform?urp=gmail_link) if you have questions!\n \n# Program Rules\n* By participating in this program, you agree to not discuss or otherwise disclose your ongoing work under this program or any vulnerabilities with parties outside of the program without explicit consent from Cloudflare, except as provided below.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward. Eligibility for rewards is at Cloudflare’s sole discretion.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities in order to demonstrate impact.\n* Once you find a vulnerability, report it and reach out to us before pivoting \n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded only one bounty.\n* Do not store any Cloudflare IP or PII information once the report is submitted\n \n# Scope\nPlease see our classifications for primary targets and secondary targets. We may still reward reports with significant security impact on anything owned by Cloudflare, so we encourage you to report such bugs via this program.\n \n## Scope: Primary Targets\nProducts listed under the Cloudflare Products tab on [our website](https://www.cloudflare.com/) are in scope as a primary target, excluding our China network which is hosted by a partner. 
Current in-scope products include:\n* [Stream](https://developers.cloudflare.com/stream/getting-started/)\n* [1.1.1.1 resolver](https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/)\n* 1.1.1.1/WARP Android and iOS apps\n* [Magic Transit](https://developers.cloudflare.com/magic-transit/)\n* [Cloudflare Pages](https://pages.cloudflare.com/)\n* [Cloudflare Workers](https://developers.cloudflare.com/workers/)\n* [Argo/Argo tunnel](https://developers.cloudflare.com/argo-tunnel/quickstart/)\n* [Spectrum](https://developers.cloudflare.com/spectrum/getting-started/)\n* [Load Balancing](https://developers.cloudflare.com/load-balancing/about/)\n* AMP Real URL\n* CDNJS\n* [Bot Management](https://developers.cloudflare.com/bots/)\n* [WAF](https://developers.cloudflare.com/waf/change-log/)\n* [Cloudflare Zero Trust/Cloudflare One](https://www.cloudflare.com/en-gb/products/zero-trust/)\n* [WARP clients (desktop/mobile)](https://1.1.1.1/)\n* [workerd](https://github.com/cloudflare/workerd)\n \n## Scope: Secondary Targets\n* dash.cloudflare.com\n* dash.teams.cloudflare.com\n* APIs listed on api.cloudflare.com\n \n## Scope: Other\n* *.cloudflare.com (e.g. blog.cloudflare.com, www.cloudflare.com, etc.)\n* Open source products created by Cloudflare (github.com/cloudflare)\n* Anything owned by Cloudflare not listed in primary targets (e.g. cloudflareworkers.com, rpki.cloudflare.com, etc.)\n \n \n# Ineligible Vulnerability Types\nCloudflare does not consider the following to be eligible vulnerabilities under this program. In most cases, these issues will be closed as **Not Applicable:**\n\n## XSS in Cloudflare workers\nThe entire purpose of Workers is to allow customers to run their own JavaScript, called from their website. As a consequence, it will be possible for visitors to the site to explicitly call those functions. However, Workers runs in an iframe sandbox, disconnected from the rest of the customer's website. 
XSS attacks only impact security if they can run in the context of dash.cloudflare.com or any domain where it affects the currently logged-in Cloudflare user.\n(https://sites.google.com/site/bughunteruniversity/nonvuln/xss-in-sandbox-domain)\n\n## Security issue on origin server\nA vulnerability is out of scope if it exists on the origin server and not in a service that Cloudflare provides. If an exploit relies on the reporter configuring their origin in an insecure and non-default/uncommon way (for example, think cache-poisoning, subdomain takeovers, etc.), we cannot fix the vulnerability.\n\n## Social Engineering\nAny form of social engineering attack will be considered out of scope. For example:\n* Pre-authenticated Clickjacking\n* Phishing\n* Impersonating Cloudflare in emails\n* Convincing customer support to do something on behalf of another user\n\n## WAF Bypasses\nWe consider WAF bypasses an enhancement to our WAF product rather than bugs, and any related reports will be closed out as Informative. All WAF bypass reports need to be reproducible on our test site https://waf.cumulusfire.net/xss. You are free to use this site for testing. WAF bypasses that are considered innovative or interesting may receive a bonus at the program's discretion. WAF bypass reports may also be closed as Duplicate if they are similar to past submissions.\n \n## Broken Links and abandoned cloud resources\nWe consider fixes for reported broken links, including links to abandoned cloud resources, as enhancements to our products and websites rather than bugs. Reports of broken links will not be awarded. Cloud resource takeovers will be awarded a payout of $50 unless an actual vulnerability is demonstrated by a proof-of-concept. If a PoC is provided, it will be awarded in accordance with the standard rewards table.\n\n# Out of Scope\nWe will accept out of scope reports and evaluate them on a case-by-case basis in our sole discretion. 
\n\nThe following issues are considered out of scope:\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Subdomain takeovers under *.cdn.cloudflare.net\n* Attacks to servers under *.cdn.cloudflare.net (These servers belong to our customers and are not maintained by Cloudflare).\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing Best Practice, Configuration or Policy Suggestions including SSL/TLS configurations.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Output from Automated Scanners without a PoC to demonstrate a specific vulnerability.\n* Lack of Secure or HTTP only flag on non-sensitive cookies.\n* Email configuration issues without a PoC to demonstrate a specific flaw.\n* Broken links without demonstrating an attack\n* SaaS applications, even if published under the cloudflare.com domain. \n* Open redirects without demonstrating an attack\n* All Area1 products are currently out of scope\n* Issues with apps on the Cloudflare marketplace that are created by third parties\n \nNote: We have identified a problem in our sanitization library on dash.cloudflare.com which can cause XSS. We are aware of the issue and are working to fix it. We will not award bounties for XSS reported on dash.cloudflare.com as it would be a duplicate report. Thank you to the researchers who originally reported this issue. This note will be removed once the issue is fixed.\n \nNote: Mobilesdk is a product that we are sunsetting. 
Bounty for reports on this product will be awarded on a case-by-case basis at our sole discretion.\nAny of the activities below will result in disqualification from the program permanently:\n* Social engineering of Cloudflare employees, contractors, vendors, or service providers.\n* Physical attacks against Cloudflare employees, offices, and data centers.\n* Any Denial of Service attacks against Cloudflare and our products.\n* Any vulnerability obtained through the compromise of a Cloudflare customer or employee account. Please create a free account to test potential vulnerabilities. \n* Attempts to access/compromise customer assets that use Cloudflare.\n* Attempts to access/compromise Cloudflare's China network.\n* Attempts to access/compromise any 3rd party vendor that Cloudflare uses.\n* Attacks against the integrity of Cloudflare customers.\n \n# Guidelines for Testing\nPlease be considerate when testing our infrastructure. Failure to follow these guidelines will lead to disqualification from the Cloudflare Bug Bounty program.\n* Make sure that scanners have a narrow scope set that is limited to authorized Cloudflare IPs only. Aggressive, overly broad scans or those which include Cloudflare customer IPs without permission will be considered invalid.\n* Do not send unsolicited bulk messages (spam) or unauthorized messages.\n* Do not knowingly post, transmit, upload, link to, or send any malware.\n* Do not attack Cloudflare customers, partners or suppliers.\n* Testing should be done from a Cloudflare account associated with your @wearehackerone.com email address.\n \n# Reporting\nIf you believe you have found a security vulnerability that could impact Cloudflare or our users, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. 
We ask that you follow Cloudflare's [Vulnerability Disclosure Policy](https://www.cloudflare.com/disclosure/) and HackerOne's [Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines) and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research.\n \n# Recommended Report Format\nSubmitting high quality reports is highly encouraged. Please address the following bits of information in your report to demonstrate the quality of the vulnerability. Reports that are low quality and unclear will be closed. This recommended format will help you create a report that is in a readable format and contains all the information needed by Cloudflare.\n* Affected target, feature, or URL:\n* Description of problem:\n* Impact of the issue:\n* Steps to reproduce:\n* Proof of Concept:\n* Is knowledge of this issue currently public?\n \n# Eligibility \nIn order for your submission to be eligible:\n* You must agree to this policy.\n* You must be the first person to responsibly disclose an unknown issue.\n* Follow the testing guidelines set above.\n* All attacks must be executed against your own test environment. You can sign up for a free Cloudflare account and use it for testing. **DO NOT ATTACK CLOUDFLARE'S CUSTOMERS.**\n\nAll legitimate reports will be reviewed and assessed by Cloudflare's security team to determine eligibility.\n\n# Disclosure\n\nWe permit you to disclose your research publicly, subject to our review and approval, once the issue has been resolved or 90 days has passed, whichever comes first. If you are planning to share information about your research publicly at a conference, in a blog, or any other public forum, you agree to share a draft with us for review and approval at least 7 days prior to the publication date. 
The following cannot be included in your publication:\n* Data regarding any Cloudflare customer instances\n* Cloudflare customers' data\n* information about Cloudflare employees, contractors or partners\n \n# Privacy Policy, Restrictions and Taxes\nCloudflare maintains both a [privacy policy](https://www.cloudflare.com/privacypolicy/) and [transparency report](https://www.cloudflare.com/transparency/).\n \nAs mentioned in our Privacy and Security Policy, Cloudflare's website and services are not intended for, or designed to attract individuals under the age of 18. Due to the Children's Online Privacy Protection Act (COPPA), we cannot accept submissions from children under the age of 13. Reporters under the age of 18 will not be eligible to receive Cloudflare service rewards. We may find another way to recognize your effort at our discretion.\n \nThis program is not open to any individual on, or anyone residing in any country on, any U.S. sanctions lists. Cloudflare employees and their family members are not eligible for bounties.\n \nThe decision to pay a reward is entirely at our discretion. You must not violate any law. You are responsible for any tax implications or additional restrictions depending on your country and local law. We reserve the right to cancel this program at any time.\n \n# Legal Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we may take steps to make it known that your actions were conducted in compliance with this policy in our sole discretion. Cloudflare cannot authorize any activity on third-party products or guarantee they won’t pursue legal action against you. 
We aren’t responsible for your liability from actions performed on third parties.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-04-18T10:43:48.625Z"},{"id":3686269,"new_policy":"# Our Values\nCloudflare appreciates the work of security researchers, and we take security, trust, and transparency seriously. We developed a program to make it easier to report vulnerabilities to Cloudflare and to recognize you for your efforts to make the Internet a better place.\n\nFor research into our products, good starting points include our [Developer documentation](https://developers.cloudflare.com/docs/), [API documentation](https://api.cloudflare.com/#getting-started-endpoints), the [Learning Center](https://www.cloudflare.com/learning/), and any material on the [Cloudflare support forums](https://community.cloudflare.com/).\n \n# Rewards\nCloudflare awards bounties based on severity using the Common Vulnerability Scoring Standard (CVSS) version 3.\n \nPlease note that these are general guidelines for rewards, and that reward decisions are at the discretion of Cloudflare. Issues may receive a lower severity rating due to mitigating factors, Cloudflare’s assessment of business risk, or other context. All pricing is in USD.\n \n| Severity |  Critical (9.0 - 10.0) | High (7.0 - 8.9) | Medium (4.0 - 6.9)  |   Low (0.1 - 3.9)  |\n| --- | --- | --- | --- | --- |\n| **Primary Targets**  | $3,000   |  $1,000   |  $500   | $250 |\n| **Secondary Targets**  |  $2,700    |  $750   |  $350   |   $200  |\n|**Other** | $2,100 | $500 | $200 | $100 |\n\nExploitable memory corruption reports in [workerd](https://github.com/cloudflare/workerd) will be awarded $10,000.\nV8 bugs are not in scope for this program. 
Please report them at https://v8.dev/docs/security-bugs.\n\n# Response Times\n* First Response: 2 days \n* Time to Triage: 2 days\n* Time to Bounty: 10 days\n* Time to Resolution: depends on severity and complexity\n\n# Collaborate with other hackers!\nIf your report is the product of collaboration, please add your collaborators before a bounty is awarded. [Let us know here](https://docs.google.com/forms/d/e/1FAIpQLSdGCbnBDcATSFeByRG0f5pBMRpEAzuJ0wXPC3jlscp3F7qOwg/viewform?urp=gmail_link) if you have questions!\n \n# Program Rules\n* By participating in this program, you agree to not discuss or otherwise disclose your ongoing work under this program or any vulnerabilities with parties outside of the program without explicit consent from Cloudflare, except as provided below.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward. Eligibility for rewards is at Cloudflare’s sole discretion.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities in order to demonstrate impact.\n* Once you find a vulnerability, report it and reach out to us before pivoting \n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded only one bounty.\n* Do not store any Cloudflare IP or PII information once the report is submitted\n \n# Scope\nPlease see our classifications for primary targets and secondary targets. We may still reward reports with significant security impact on anything owned by Cloudflare, so we encourage you to report such bugs via this program.\n \n## Scope: Primary Targets\nProducts listed under the Cloudflare Products tab on [our website](https://www.cloudflare.com/) are in scope as a primary target, excluding our China network which is hosted by a partner. 
Current in-scope products include:\n* [Stream](https://developers.cloudflare.com/stream/getting-started/)\n* [1.1.1.1 resolver](https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/)\n* 1.1.1.1/WARP Android and iOS apps\n* [Magic Transit](https://developers.cloudflare.com/magic-transit/)\n* [Cloudflare Pages](https://pages.cloudflare.com/)\n* [Cloudflare Workers](https://developers.cloudflare.com/workers/)\n* [Argo/Argo tunnel](https://developers.cloudflare.com/argo-tunnel/quickstart/)\n* [Spectrum](https://developers.cloudflare.com/spectrum/getting-started/)\n* [Load Balancing](https://developers.cloudflare.com/load-balancing/about/)\n* AMP Real URL\n* CDNJS\n* [Bot Management](https://developers.cloudflare.com/bots/)\n* [WAF](https://developers.cloudflare.com/waf/change-log/)\n* [Cloudflare Zero Trust/Cloudflare One](https://www.cloudflare.com/en-gb/products/zero-trust/)\n* [WARP clients (desktop/mobile)](https://1.1.1.1/)\n* [workerd](https://github.com/cloudflare/workerd)\n \n## Scope: Secondary Targets\n* dash.cloudflare.com\n* dash.teams.cloudflare.com\n* APIs listed on api.cloudflare.com\n \n## Scope: Other\n* *.cloudflare.com (e.g. blog.cloudflare.com, www.cloudflare.com, etc.)\n* Open source products created by Cloudflare (github.com/cloudflare)\n* Anything owned by Cloudflare not listed in primary targets (e.g. cloudflareworkers.com, rpki.cloudflare.com, etc.)\n \n \n# Ineligible Vulnerability Types\nCloudflare does not consider the following to be eligible vulnerabilities under this program. In most cases, these issues will be closed as **Not Applicable:**\n\n## XSS in Cloudflare workers\nThe entire purpose of Workers is to allow customers to run their own JavaScript, called from their website. As a consequence, it will be possible for visitors to the site to explicitly call those functions. However, Workers runs in an iframe sandbox, disconnected from the rest of the customer's website. 
XSS attacks only impact security if they can run in the context of dash.cloudflare.com or any domain where it affects the currently logged-in Cloudflare user.\n(https://sites.google.com/site/bughunteruniversity/nonvuln/xss-in-sandbox-domain)\n\n## Security issue on origin server\nA vulnerability is out of scope if it exists on the origin server and not in a service that Cloudflare provides. If an exploit relies on the reporter configuring their origin in an insecure and non-default/uncommon way (for example, think cache-poisoning, subdomain takeovers, etc.), we cannot fix the vulnerability.\n\n## Social Engineering\nAny form of social engineering attack will be considered out of scope. For example:\n* Pre-authenticated Clickjacking\n* Phishing\n* Impersonating Cloudflare in emails\n* Convincing customer support to do something on behalf of another user\n\n## WAF Bypasses\nWe consider WAF bypasses an enhancement to our WAF product rather than bugs, and any related reports will be closed out as Informative. All WAF bypass reports need to be reproducible on our test site https://waf.cumulusfire.net/xss. You are free to use this site for testing. WAF bypasses that are very innovative or interesting may receive a bonus at the program's discretion. WAF bypass reports may also be closed as Duplicate if they are similar to past submissions.\n \n## Broken Links and abandoned cloud resources\nWe consider fixes for reported broken links, including links to abandoned cloud resources, as enhancements to our products and websites rather than bugs. Reports of broken links will not be awarded. Cloud resource takeovers will be awarded a payout of $50 unless an actual vulnerability is demonstrated by a proof-of-concept. If a PoC is provided, it will be awarded in accordance with the standard rewards table.\n\n# Out of Scope\nWe will accept out of scope reports and evaluate them on a case-by-case basis in our sole discretion. 
\n\nThe following issues are considered out of scope:\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Subdomain takeovers under *.cdn.cloudflare.net\n* Attacks to servers under *.cdn.cloudflare.net (These servers belong to our customers and are not maintained by Cloudflare).\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing Best Practice, Configuration or Policy Suggestions including SSL/TLS configurations.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Output from Automated Scanners without a PoC to demonstrate a specific vulnerability.\n* Lack of Secure or HTTP only flag on non-sensitive cookies.\n* Email configuration issues without a PoC to demonstrate a specific flaw.\n* Broken links without demonstrating an attack\n* SaaS applications, even if published under the cloudflare.com domain. \n* Open redirects without demonstrating an attack\n* All Area1 products are currently out of scope\n* Issues with apps on the Cloudflare marketplace that are created by third parties\n \nNote: We have identified a problem in our sanitization library on dash.cloudflare.com which can cause XSS. We are aware of the issue and are working to fix it. We will not award bounties for XSS reported on dash.cloudflare.com as it would be a duplicate report. Thank you to the researchers who originally reported this issue. This note will be removed once the issue is fixed.\n \nNote: Mobilesdk is a product that we are sunsetting. 
Bounty for reports on this product will be awarded on a case-by-case basis at our sole discretion.\nAny of the activities below will result in disqualification from the program permanently:\n* Social engineering of Cloudflare employees, contractors, vendors, or service providers.\n* Physical attacks against Cloudflare employees, offices, and data centers.\n* Any Denial of Service attacks against Cloudflare and our products.\n* Any vulnerability obtained through the compromise of a Cloudflare customer or employee account. Please create a free account to test potential vulnerabilities. \n* Attempts to access/compromise customer assets that use Cloudflare.\n* Attempts to access/compromise Cloudflare's China network.\n* Attempts to access/compromise any 3rd party vendor that Cloudflare uses.\n* Attacks against the integrity of Cloudflare customers.\n \n# Guidelines for Testing\nPlease be considerate when testing our infrastructure. Failure to follow these guidelines will lead to disqualification from the Cloudflare Bug Bounty program.\n* Make sure that scanners have a narrow scope set that is limited to authorized Cloudflare IPs only. Aggressive, overly broad scans or those which include Cloudflare customer IPs without permission will be considered invalid.\n* Do not send unsolicited bulk messages (spam) or unauthorized messages.\n* Do not knowingly post, transmit, upload, link to, or send any malware.\n* Do not attack Cloudflare customers, partners or suppliers.\n* Testing should be done from a Cloudflare account associated with your @wearehackerone.com email address.\n \n# Reporting\nIf you believe you have found a security vulnerability that could impact Cloudflare or our users, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. 
We ask that you follow Cloudflare's [Vulnerability Disclosure Policy](https://www.cloudflare.com/disclosure/) and HackerOne's [Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines) and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research.\n \n# Recommended Report Format\nSubmitting high quality reports is highly encouraged. Please address the following bits of information in your report to demonstrate the quality of the vulnerability. Reports that are low quality and unclear will be closed. This recommended format will help you create a report that is in a readable format and contains all the information needed by Cloudflare.\n* Affected target, feature, or URL:\n* Description of problem:\n* Impact of the issue:\n* Steps to reproduce:\n* Proof of Concept:\n* Is knowledge of this issue currently public?\n \n# Eligibility \nIn order for your submission to be eligible:\n* You must agree to this policy.\n* You must be the first person to responsibly disclose an unknown issue.\n* Follow the testing guidelines set above.\n* All attacks must be executed against your own test environment. You can sign up for a free Cloudflare account and use it for testing. **DO NOT ATTACK CLOUDFLARE'S CUSTOMERS.**\n\nAll legitimate reports will be reviewed and assessed by Cloudflare's security team to determine eligibility.\n\n# Disclosure\n\nWe permit you to disclose your research publicly, subject to our review and approval, once the issue has been resolved or 90 days has passed, whichever comes first. If you are planning to share information about your research publicly at a conference, in a blog, or any other public forum, you agree to share a draft with us for review and approval at least 7 days prior to the publication date. 
The following cannot be included in your publication:\n* Data regarding any Cloudflare customer instances\n* Cloudflare customers' data\n* information about Cloudflare employees, contractors or partners\n \n# Privacy Policy, Restrictions and Taxes\nCloudflare maintains both a [privacy policy](https://www.cloudflare.com/privacypolicy/) and [transparency report](https://www.cloudflare.com/transparency/).\n \nAs mentioned in our Privacy and Security Policy, Cloudflare's website and services are not intended for, or designed to attract individuals under the age of 18. Due to the Children's Online Privacy Protection Act (COPPA), we cannot accept submissions from children under the age of 13. Reporters under the age of 18 will not be eligible to receive Cloudflare service rewards. We may find another way to recognize your effort at our discretion.\n \nThis program is not open to any individual on, or anyone residing in any country on, any U.S. sanctions lists. Cloudflare employees and their family members are not eligible for bounties.\n \nThe decision to pay a reward is entirely at our discretion. You must not violate any law. You are responsible for any tax implications or additional restrictions depending on your country and local law. We reserve the right to cancel this program at any time.\n \n# Legal Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we may take steps to make it known that your actions were conducted in compliance with this policy in our sole discretion. Cloudflare cannot authorize any activity on third-party products or guarantee they won’t pursue legal action against you. 
We aren’t responsible for your liability from actions performed on third parties.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-04-18T10:39:48.839Z"},{"id":3685578,"new_policy":"# Our Values\nCloudflare appreciates the work of security researchers, and we take security, trust, and transparency seriously. We developed a program to make it easier to report vulnerabilities to Cloudflare and to recognize you for your efforts to make the Internet a better place.\n\nFor research into our products, good starting points include our [Developer documentation](https://developers.cloudflare.com/docs/), [API documentation](https://api.cloudflare.com/#getting-started-endpoints), the [Learning Center](https://www.cloudflare.com/learning/), and any material on the [Cloudflare support forums](https://community.cloudflare.com/).\n \n# Rewards\nCloudflare awards bounties based on severity using the Common Vulnerability Scoring Standard (CVSS) version 3.\n \nPlease note that these are general guidelines for rewards, and that reward decisions are at the discretion of Cloudflare. Issues may receive a lower severity rating due to mitigating factors, Cloudflare’s assessment of business risk, or other context. All pricing is in USD.\n \n| Severity |  Critical (9.0 - 10.0) | High (7.0 - 8.9) | Medium (4.0 - 6.9)  |   Low (0.1 - 3.9)  |\n| --- | --- | --- | --- | --- |\n| **Primary Targets**  | $3,000   |  $1,000   |  $500   | $250 |\n| **Secondary Targets**  |  $2,700    |  $750   |  $350   |   $200  |\n|**Other** | $2,100 | $500 | $200 | $100 |\n\nExploitable memory corruption reports in [workerd](https://github.com/cloudflare/workerd) will be awarded $10,000.\nV8 bugs are not in scope for this program. 
Please report them at https://v8.dev/docs/security-bugs.\n\n**Note:** WAF bypasses may be awarded up to $50 at the program's discretion.\n\n# Response Times\n* First Response: 2 days\n* Time to Triage: 2 days\n* Time to Bounty: 10 days\n* Time to Resolution: depends on severity and complexity\n\n# Collaborate with other hackers!\nIf your report is the product of collaboration, please add your collaborators before a bounty is awarded. [Let us know here](https://docs.google.com/forms/d/e/1FAIpQLSdGCbnBDcATSFeByRG0f5pBMRpEAzuJ0wXPC3jlscp3F7qOwg/viewform?urp=gmail_link) if you have questions!\n \n# Program Rules\n* By participating in this program, you agree not to discuss or otherwise disclose your ongoing work under this program or any vulnerabilities with parties outside of the program without explicit consent from Cloudflare, except as provided below.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward. Eligibility for rewards is at Cloudflare’s sole discretion.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities in order to demonstrate impact.\n* Once you find a vulnerability, report it and reach out to us before pivoting to other in-scope assets.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded only one bounty.\n* Do not store any Cloudflare IP or PII once the report is submitted.\n \n# Scope\nPlease see our classifications for primary targets and secondary targets.
We may still reward reports with significant security impact on anything owned by Cloudflare, so we encourage you to report such bugs via this program.\n \n## Scope: Primary Targets\nProducts listed under the Cloudflare Products tab on [our website](https://www.cloudflare.com/) are in scope as a primary target, excluding our China network, which is hosted by a partner. Current in-scope products include:\n* [Stream](https://developers.cloudflare.com/stream/getting-started/)\n* [1.1.1.1 resolver](https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/)\n* 1.1.1.1/WARP Android and iOS apps\n* [Magic Transit](https://developers.cloudflare.com/magic-transit/)\n* [Cloudflare Pages](https://pages.cloudflare.com/)\n* [Cloudflare Workers](https://developers.cloudflare.com/workers/)\n* [Argo/Argo Tunnel](https://developers.cloudflare.com/argo-tunnel/quickstart/)\n* [Spectrum](https://developers.cloudflare.com/spectrum/getting-started/)\n* [Load Balancing](https://developers.cloudflare.com/load-balancing/about/)\n* AMP Real URL\n* CDNJS\n* [Bot Management](https://developers.cloudflare.com/bots/)\n* [WAF](https://developers.cloudflare.com/waf/change-log/)\n* [Cloudflare Zero Trust/Cloudflare One](https://www.cloudflare.com/en-gb/products/zero-trust/)\n* [WARP clients (desktop/mobile)](https://1.1.1.1/)\n* [workerd](https://github.com/cloudflare/workerd)\n \n## Scope: Secondary Targets\n* dash.cloudflare.com\n* dash.teams.cloudflare.com\n* APIs listed on api.cloudflare.com\n \n## Scope: Other\n*  *.cloudflare.com (e.g. blog.cloudflare.com, www.cloudflare.com, etc.)\n* Open source products created by Cloudflare (github.com/cloudflare)\n* Anything owned by Cloudflare not listed in primary targets (e.g. cloudflareworkers.com, rpki.cloudflare.com, etc.)\n \n \n# Ineligible Vulnerability Types\nCloudflare does not consider the following to be eligible vulnerabilities under this program.
In most cases, these issues will be closed as **Not Applicable:**\n\n## XSS in Cloudflare Workers\nThe entire purpose of Workers is to allow customers to run their own JavaScript, called from their website. As a consequence, it will be possible for visitors to the site to explicitly call those functions. However, Workers runs in an iframe sandbox, disconnected from the rest of the customer's website. XSS attacks only have security impact if they can run in the context of dash.cloudflare.com or any other domain where they affect the currently logged-in Cloudflare user.\n(https://sites.google.com/site/bughunteruniversity/nonvuln/xss-in-sandbox-domain)\n\n## Security issue on origin server\nA vulnerability is out of scope if it exists on the origin server and not in a service that Cloudflare provides. If an exploit relies on the reporter configuring their origin in an insecure and non-default/uncommon way (for example, cache poisoning, subdomain takeovers, etc.), we cannot fix the vulnerability.\n\n## Social Engineering\nAny form of social engineering attack will be considered out of scope. For example:\n* Pre-authenticated clickjacking\n* Phishing\n* Impersonating Cloudflare in emails\n* Convincing customer support to do something on behalf of another user\n\n## WAF Bypasses\nWe consider WAF bypasses an enhancement to our WAF product rather than bugs, and any related reports will be closed out as Informational. All WAF bypass reports need to be reproducible on our test site https://waf.cumulusfire.net/xss. You are free to use this site for testing.\n \n## Broken Links and abandoned cloud resources\nWe consider fixes for reported broken links, including links to abandoned cloud resources, as enhancements to our products and websites rather than bugs. Reports of broken links will not be awarded. Cloud resource takeovers will be awarded a payout of $50 unless an actual vulnerability is demonstrated by a proof-of-concept.
If a PoC is provided, it will be awarded in accordance with the standard rewards table.\n\n# Out of Scope\nWe will accept out-of-scope reports and evaluate them on a case-by-case basis in our sole discretion.\n\nThe following issues are considered out of scope:\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Subdomain takeovers under *.cdn.cloudflare.net.\n* Attacks on servers under *.cdn.cloudflare.net (these servers belong to our customers and are not maintained by Cloudflare).\n* Previously known vulnerable libraries without a working proof of concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practice, configuration or policy suggestions, including SSL/TLS configurations.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Output from automated scanners without a PoC to demonstrate a specific vulnerability.\n* Lack of Secure or HttpOnly flag on non-sensitive cookies.\n* Email configuration issues without a PoC to demonstrate a specific flaw.\n* Broken links without demonstrating an attack.\n* SaaS applications, even if published under the cloudflare.com domain.\n* Open redirects without demonstrating an attack.\n* All Area1 products are currently out of scope.\n* Issues with apps on the Cloudflare marketplace that are created by third parties.\n \nNote: We have identified a problem in our sanitization library on dash.cloudflare.com which can cause XSS. We are aware of the issue and are working to fix it. We will not award bounties for XSS reported on dash.cloudflare.com as it would be a duplicate report. Thank you to the researchers who originally reported this issue.
This note will be removed once the issue is fixed.\n \nNote: Mobilesdk is a product that we are sunsetting. Bounties for reports on this product will be awarded on a case-by-case basis at our sole discretion.\n \nAny of the activities below will result in permanent disqualification from the program:\n* Social engineering of Cloudflare employees, contractors, vendors, or service providers.\n* Physical attacks against Cloudflare employees, offices, and data centers.\n* Any Denial of Service attacks against Cloudflare and our products.\n* Any vulnerability obtained through the compromise of a Cloudflare customer or employee account. Please create a free account to test potential vulnerabilities.\n* Attempts to access/compromise customer assets that use Cloudflare.\n* Attempts to access/compromise Cloudflare's China network.\n* Attempts to access/compromise any third-party vendor that Cloudflare uses.\n* Attacks against the integrity of Cloudflare customers.\n \n# Guidelines for Testing\nPlease be considerate when testing our infrastructure. Failure to follow these guidelines will lead to disqualification from the Cloudflare Bug Bounty program.\n* Make sure that scanners have a narrow scope set that is limited to authorized Cloudflare IPs only. Aggressive, overly broad scans or those which include Cloudflare customer IPs without permission will be considered invalid.\n* Do not send unsolicited bulk messages (spam) or unauthorized messages.\n* Do not knowingly post, transmit, upload, link to, or send any malware.\n* Do not attack Cloudflare customers, partners or suppliers.\n* Testing should be done from a Cloudflare account associated with your @wearehackerone.com email address.\n \n# Reporting\nIf you believe you have found a security vulnerability that could impact Cloudflare or our users, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem.
We ask that you follow Cloudflare's [Vulnerability Disclosure Policy](https://www.cloudflare.com/disclosure/) and HackerOne's [Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines) and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research.\n \n# Recommended Report Format\nSubmitting high quality reports is highly encouraged. Please include the following information in your report to demonstrate the vulnerability and its impact. Reports that are low quality and unclear will be closed. This recommended format will help you create a report that is readable and contains all the information needed by Cloudflare.\n* Affected target, feature, or URL:\n* Description of problem:\n* Impact of the issue:\n* Steps to reproduce:\n* Proof of Concept:\n* Is knowledge of this issue currently public?\n \n# Eligibility\nIn order for your submission to be eligible:\n* You must agree to this policy.\n* You must be the first person to responsibly disclose an unknown issue.\n* Follow the testing guidelines set above.\n* All attacks must be executed against your own test environment. You can sign up for a free Cloudflare account and use it for testing. **DO NOT ATTACK CLOUDFLARE'S CUSTOMERS.**\n\nAll legitimate reports will be reviewed and assessed by Cloudflare's security team to determine eligibility.\n\n# Disclosure\n\nWe permit you to disclose your research publicly, subject to our review and approval, once the issue has been resolved or 90 days have passed, whichever comes first. If you are planning to share information about your research publicly at a conference, in a blog, or any other public forum, you agree to share a draft with us for review and approval at least 7 days prior to the publication date.
The following cannot be included in your publication:\n* Data regarding any Cloudflare customer instances\n* Cloudflare customers' data\n* Information about Cloudflare employees, contractors or partners\n \n# Privacy Policy, Restrictions and Taxes\nCloudflare maintains both a [privacy policy](https://www.cloudflare.com/privacypolicy/) and [transparency report](https://www.cloudflare.com/transparency/).\n \nAs mentioned in our Privacy and Security Policy, Cloudflare's website and services are not intended for, or designed to attract, individuals under the age of 18. Due to the Children's Online Privacy Protection Act (COPPA), we cannot accept submissions from children under the age of 13. Reporters under the age of 18 will not be eligible to receive Cloudflare service rewards. We may find another way to recognize your effort at our discretion.\n \nThis program is not open to any individual on, or anyone residing in any country on, any U.S. sanctions lists. Cloudflare employees and their family members are not eligible for bounties.\n \nThe decision to pay a reward is entirely at our discretion. You must not violate any law. You are responsible for any tax implications or additional restrictions depending on your country and local law. We reserve the right to cancel this program at any time.\n \n# Legal Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we may take steps to make it known that your actions were conducted in compliance with this policy in our sole discretion. Cloudflare cannot authorize any activity on third-party products or guarantee they won’t pursue legal action against you.
We aren’t responsible for your liability from actions performed on third parties.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-03-30T16:05:29.846Z"},{"id":3684183,"new_policy":"# Our Values\nCloudflare appreciates the work of security researchers, and we take security, trust, and transparency seriously. We developed a program to make it easier to report vulnerabilities to Cloudflare and to recognize you for your efforts to make the Internet a better place.\n\nFor research into our products, good starting points include our [Developer documentation](https://developers.cloudflare.com/docs/), [API documentation](https://api.cloudflare.com/#getting-started-endpoints), the [Learning Center](https://www.cloudflare.com/learning/), and any material on the [Cloudflare support forums](https://community.cloudflare.com/).\n \n# Rewards\nCloudflare awards bounties based on severity using the Common Vulnerability Scoring Standard (CVSS) version 3.\n \nPlease note that these are general guidelines for rewards, and that reward decisions are at the discretion of Cloudflare. Issues may receive a lower severity rating due to mitigating factors, Cloudflare’s assessment of business risk, or other context. All pricing is in USD.\n \n| Severity |  Critical (9.0 - 10.0) | High (7.0 - 8.9) | Medium (4.0 - 6.9)  |   Low (0.1 - 3.9)  |\n| --- | --- | --- | --- | --- |\n| **Primary Targets**  | $3,000   |  $1,000   |  $500   | $250 |\n| **Secondary Targets**  |  $2,700    |  $750   |  $350   |   $200  |\n|**Other** | $2,100 | $500 | $200 | $100 |\n\nMemory corruption reports in [workerd](https://github.com/cloudflare/workerd) will be awarded $10,000.\nV8 bugs are not in scope for this program. 
Please report them at https://v8.dev/docs/security-bugs.\n\n**Note:** WAF bypasses may be awarded up to $50 at the program's discretion.\n\n# Response Times\n* First Response: 2 days\n* Time to Triage: 2 days\n* Time to Bounty: 10 days\n* Time to Resolution: depends on severity and complexity\n\n# Collaborate with other hackers!\nIf your report is the product of collaboration, please add your collaborators before a bounty is awarded. [Let us know here](https://docs.google.com/forms/d/e/1FAIpQLSdGCbnBDcATSFeByRG0f5pBMRpEAzuJ0wXPC3jlscp3F7qOwg/viewform?urp=gmail_link) if you have questions!\n \n# Program Rules\n* By participating in this program, you agree not to discuss or otherwise disclose your ongoing work under this program or any vulnerabilities with parties outside of the program without explicit consent from Cloudflare, except as provided below.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward. Eligibility for rewards is at Cloudflare’s sole discretion.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities in order to demonstrate impact.\n* Once you find a vulnerability, report it and reach out to us before pivoting to other in-scope assets.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded only one bounty.\n* Do not store any Cloudflare IP or PII once the report is submitted.\n \n# Scope\nPlease see our classifications for primary targets and secondary targets.
We may still reward reports with significant security impact on anything owned by Cloudflare, so we encourage you to report such bugs via this program.\n \n## Scope: Primary Targets\nProducts listed under the Cloudflare Products tab on [our website](https://www.cloudflare.com/) are in scope as a primary target, excluding our China network, which is hosted by a partner. Current in-scope products include:\n* [Stream](https://developers.cloudflare.com/stream/getting-started/)\n* [1.1.1.1 resolver](https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/)\n* 1.1.1.1/WARP Android and iOS apps\n* [Magic Transit](https://developers.cloudflare.com/magic-transit/)\n* [Cloudflare Pages](https://pages.cloudflare.com/)\n* [Cloudflare Workers](https://developers.cloudflare.com/workers/)\n* [Argo/Argo Tunnel](https://developers.cloudflare.com/argo-tunnel/quickstart/)\n* [Spectrum](https://developers.cloudflare.com/spectrum/getting-started/)\n* [Load Balancing](https://developers.cloudflare.com/load-balancing/about/)\n* AMP Real URL\n* CDNJS\n* [Bot Management](https://developers.cloudflare.com/bots/)\n* [WAF](https://developers.cloudflare.com/waf/change-log/)\n* [Cloudflare Zero Trust/Cloudflare One](https://www.cloudflare.com/en-gb/products/zero-trust/)\n* [WARP clients (desktop/mobile)](https://1.1.1.1/)\n* [workerd](https://github.com/cloudflare/workerd)\n \n## Scope: Secondary Targets\n* dash.cloudflare.com\n* dash.teams.cloudflare.com\n* APIs listed on api.cloudflare.com\n \n## Scope: Other\n*  *.cloudflare.com (e.g. blog.cloudflare.com, www.cloudflare.com, etc.)\n* Open source products created by Cloudflare (github.com/cloudflare)\n* Anything owned by Cloudflare not listed in primary targets (e.g. cloudflareworkers.com, rpki.cloudflare.com, etc.)\n \n \n# Ineligible Vulnerability Types\nCloudflare does not consider the following to be eligible vulnerabilities under this program.
In most cases, these issues will be closed as **Not Applicable:**\n\n## XSS in Cloudflare Workers\nThe entire purpose of Workers is to allow customers to run their own JavaScript, called from their website. As a consequence, it will be possible for visitors to the site to explicitly call those functions. However, Workers runs in an iframe sandbox, disconnected from the rest of the customer's website. XSS attacks only have security impact if they can run in the context of dash.cloudflare.com or any other domain where they affect the currently logged-in Cloudflare user.\n(https://sites.google.com/site/bughunteruniversity/nonvuln/xss-in-sandbox-domain)\n\n## Security issue on origin server\nA vulnerability is out of scope if it exists on the origin server and not in a service that Cloudflare provides. If an exploit relies on the reporter configuring their origin in an insecure and non-default/uncommon way (for example, cache poisoning, subdomain takeovers, etc.), we cannot fix the vulnerability.\n\n## Social Engineering\nAny form of social engineering attack will be considered out of scope. For example:\n* Pre-authenticated clickjacking\n* Phishing\n* Impersonating Cloudflare in emails\n* Convincing customer support to do something on behalf of another user\n\n## WAF Bypasses\nWe consider WAF bypasses an enhancement to our WAF product rather than bugs, and any related reports will be closed out as Informational. All WAF bypass reports need to be reproducible on our test site https://waf.cumulusfire.net/xss. You are free to use this site for testing.\n \n## Broken Links and abandoned cloud resources\nWe consider fixes for reported broken links, including links to abandoned cloud resources, as enhancements to our products and websites rather than bugs. Reports of broken links will not be awarded. Cloud resource takeovers will be awarded a payout of $50 unless an actual vulnerability is demonstrated by a proof-of-concept.
If a PoC is provided, it will be awarded in accordance with the standard rewards table.\n\n# Out of Scope\nWe will accept out-of-scope reports and evaluate them on a case-by-case basis in our sole discretion.\n\nThe following issues are considered out of scope:\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Subdomain takeovers under *.cdn.cloudflare.net.\n* Attacks on servers under *.cdn.cloudflare.net (these servers belong to our customers and are not maintained by Cloudflare).\n* Previously known vulnerable libraries without a working proof of concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practice, configuration or policy suggestions, including SSL/TLS configurations.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Output from automated scanners without a PoC to demonstrate a specific vulnerability.\n* Lack of Secure or HttpOnly flag on non-sensitive cookies.\n* Email configuration issues without a PoC to demonstrate a specific flaw.\n* Broken links without demonstrating an attack.\n* SaaS applications, even if published under the cloudflare.com domain.\n* Open redirects without demonstrating an attack.\n* All Area1 products are currently out of scope.\n* Issues with apps on the Cloudflare marketplace that are created by third parties.\n \nNote: We have identified a problem in our sanitization library on dash.cloudflare.com which can cause XSS. We are aware of the issue and are working to fix it. We will not award bounties for XSS reported on dash.cloudflare.com as it would be a duplicate report. Thank you to the researchers who originally reported this issue.
This note will be removed once the issue is fixed.\n \nNote: Mobilesdk is a product that we are sunsetting. Bounties for reports on this product will be awarded on a case-by-case basis at our sole discretion.\n \nAny of the activities below will result in permanent disqualification from the program:\n* Social engineering of Cloudflare employees, contractors, vendors, or service providers.\n* Physical attacks against Cloudflare employees, offices, and data centers.\n* Any Denial of Service attacks against Cloudflare and our products.\n* Any vulnerability obtained through the compromise of a Cloudflare customer or employee account. Please create a free account to test potential vulnerabilities.\n* Attempts to access/compromise customer assets that use Cloudflare.\n* Attempts to access/compromise Cloudflare's China network.\n* Attempts to access/compromise any third-party vendor that Cloudflare uses.\n* Attacks against the integrity of Cloudflare customers.\n \n# Guidelines for Testing\nPlease be considerate when testing our infrastructure. Failure to follow these guidelines will lead to disqualification from the Cloudflare Bug Bounty program.\n* Make sure that scanners have a narrow scope set that is limited to authorized Cloudflare IPs only. Aggressive, overly broad scans or those which include Cloudflare customer IPs without permission will be considered invalid.\n* Do not send unsolicited bulk messages (spam) or unauthorized messages.\n* Do not knowingly post, transmit, upload, link to, or send any malware.\n* Do not attack Cloudflare customers, partners or suppliers.\n* Testing should be done from a Cloudflare account associated with your @wearehackerone.com email address.\n \n# Reporting\nIf you believe you have found a security vulnerability that could impact Cloudflare or our users, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem.
We ask that you follow Cloudflare's [Vulnerability Disclosure Policy](https://www.cloudflare.com/disclosure/) and HackerOne's [Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines) and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research.\n \n# Recommended Report Format\nSubmitting high quality reports is highly encouraged. Please include the following information in your report to demonstrate the vulnerability and its impact. Reports that are low quality and unclear will be closed. This recommended format will help you create a report that is readable and contains all the information needed by Cloudflare.\n* Affected target, feature, or URL:\n* Description of problem:\n* Impact of the issue:\n* Steps to reproduce:\n* Proof of Concept:\n* Is knowledge of this issue currently public?\n \n# Eligibility\nIn order for your submission to be eligible:\n* You must agree to this policy.\n* You must be the first person to responsibly disclose an unknown issue.\n* Follow the testing guidelines set above.\n* All attacks must be executed against your own test environment. You can sign up for a free Cloudflare account and use it for testing. **DO NOT ATTACK CLOUDFLARE'S CUSTOMERS.**\n\nAll legitimate reports will be reviewed and assessed by Cloudflare's security team to determine eligibility.\n\n# Disclosure\n\nWe permit you to disclose your research publicly, subject to our review and approval, once the issue has been resolved or 90 days have passed, whichever comes first. If you are planning to share information about your research publicly at a conference, in a blog, or any other public forum, you agree to share a draft with us for review and approval at least 7 days prior to the publication date.
The following cannot be included in your publication:\n* Data regarding any Cloudflare customer instances\n* Cloudflare customers' data\n* Information about Cloudflare employees, contractors or partners\n \n# Privacy Policy, Restrictions and Taxes\nCloudflare maintains both a [privacy policy](https://www.cloudflare.com/privacypolicy/) and [transparency report](https://www.cloudflare.com/transparency/).\n \nAs mentioned in our Privacy and Security Policy, Cloudflare's website and services are not intended for, or designed to attract, individuals under the age of 18. Due to the Children's Online Privacy Protection Act (COPPA), we cannot accept submissions from children under the age of 13. Reporters under the age of 18 will not be eligible to receive Cloudflare service rewards. We may find another way to recognize your effort at our discretion.\n \nThis program is not open to any individual on, or anyone residing in any country on, any U.S. sanctions lists. Cloudflare employees and their family members are not eligible for bounties.\n \nThe decision to pay a reward is entirely at our discretion. You must not violate any law. You are responsible for any tax implications or additional restrictions depending on your country and local law. We reserve the right to cancel this program at any time.\n \n# Legal Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we may take steps to make it known that your actions were conducted in compliance with this policy in our sole discretion. Cloudflare cannot authorize any activity on third-party products or guarantee they won’t pursue legal action against you.
We aren’t responsible for your liability from actions performed on third parties.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-03-01T17:42:03.160Z"},{"id":3684115,"new_policy":"# Our Values\nCloudflare appreciates the work of security researchers, and we take security, trust, and transparency seriously. We developed a program to make it easier to report vulnerabilities to Cloudflare and to recognize you for your efforts to make the Internet a better place.\n\nFor research into our products, good starting points include our [Developer documentation](https://developers.cloudflare.com/docs/), [API documentation](https://api.cloudflare.com/#getting-started-endpoints), the [Learning Center](https://www.cloudflare.com/learning/), and any material on the [Cloudflare support forums](https://community.cloudflare.com/).\n \n# Rewards\nCloudflare awards bounties based on severity using the Common Vulnerability Scoring Standard (CVSS) version 3.\n \nPlease note that these are general guidelines for rewards, and that reward decisions are at the discretion of Cloudflare. Issues may receive a lower severity rating due to mitigating factors, Cloudflare’s assessment of business risk, or other context. All pricing is in USD.\n \n| Severity |  Critical (9.0 - 10.0) | High (7.0 - 8.9) | Medium (4.0 - 6.9)  |   Low (0.1 - 3.9)  |\n| --- | --- | --- | --- | --- |\n| **Primary Targets**  | $3,000   |  $1,000   |  $500   | $250 |\n| **Secondary Targets**  |  $2,700    |  $750   |  $350   |   $200  |\n|**Other** | $2,100 | $500 | $200 | $100 |\n\nMemory corruption reports in [workerd](https://github.com/cloudflare/workerd) will be awarded $10,000.\nV8 bugs are not in scope for this program. 
Please report them at https://v8.dev/docs/security-bugs.\n\n**Note:** WAF bypasses may be awarded up to $50 at the program's discretion.\n\n# Response Times\n* First Response: 2 days\n* Time to Triage: 2 days\n* Time to Bounty: 10 days\n* Time to Resolution: depends on severity and complexity\n\n# Collaborate with other hackers!\nIf your report is the product of collaboration, please add your collaborators before a bounty is awarded. [Let us know here](https://docs.google.com/forms/d/e/1FAIpQLSdGCbnBDcATSFeByRG0f5pBMRpEAzuJ0wXPC3jlscp3F7qOwg/viewform?urp=gmail_link) if you have questions!\n \n# Program Rules\n* By participating in this program, you agree not to discuss or otherwise disclose your ongoing work under this program or any vulnerabilities with parties outside of the program without explicit consent from Cloudflare, except as provided below.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward. Eligibility for rewards is at Cloudflare’s sole discretion.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities in order to demonstrate impact.\n* Once you find a vulnerability, report it and reach out to us before pivoting to other in-scope assets.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded only one bounty.\n* Do not store any Cloudflare IP or PII once the report is submitted.\n \n# Scope\nPlease see our classifications for primary targets and secondary targets.
We may still reward reports with significant security impact on anything owned by Cloudflare, so we encourage you to report such bugs via this program.\n \n## Scope: Primary Targets\nProducts listed under the Cloudflare Products tab on [our website](https://www.cloudflare.com/) are in scope as a primary target, excluding our China network, which is hosted by a partner. Current in-scope products include:\n* [Stream](https://developers.cloudflare.com/stream/getting-started/)\n* [1.1.1.1 resolver](https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/)\n* 1.1.1.1/WARP Android and iOS apps\n* [Magic Transit](https://developers.cloudflare.com/magic-transit/)\n* [Cloudflare Pages](https://pages.cloudflare.com/)\n* [Cloudflare Workers](https://developers.cloudflare.com/workers/)\n* [Argo/Argo Tunnel](https://developers.cloudflare.com/argo-tunnel/quickstart/)\n* [Spectrum](https://developers.cloudflare.com/spectrum/getting-started/)\n* [Load Balancing](https://developers.cloudflare.com/load-balancing/about/)\n* AMP Real URL\n* CDNJS\n* [Bot Management](https://developers.cloudflare.com/bots/)\n* Cloudflare Marketplace (platform only)*\n* [WAF](https://developers.cloudflare.com/waf/change-log/)\n* [Cloudflare Zero Trust/Cloudflare One](https://www.cloudflare.com/en-gb/products/zero-trust/)\n* [WARP clients (desktop/mobile)](https://1.1.1.1/)\n* [workerd](https://github.com/cloudflare/workerd)\n \n*Cloudflare Marketplace scope only covers the platform for browsing and enabling apps on customer zones. Issues with apps on the marketplace that are created by third parties are out of scope, but may be reviewed on a case-by-case basis at Cloudflare’s discretion.\n \n## Scope: Secondary Targets\n* dash.cloudflare.com\n* dash.teams.cloudflare.com\n* APIs listed on api.cloudflare.com\n \n## Scope: Other\n*  *.cloudflare.com (e.g. 
blog.cloudflare.com, www.cloudflare.com, etc.)\n* Open source products created by Cloudflare (github.com/cloudflare)\n* Anything owned by Cloudflare not listed in primary targets (e.g. cloudflareworkers.com, rpki.cloudflare.com, etc.)\n \n \n# Ineligible Vulnerability Types\nCloudflare does not consider the following to be eligible vulnerabilities under this program. In most cases, these issues will be closed as **Not Applicable:**\n\n## XSS in Cloudflare Workers\nThe entire purpose of Workers is to allow customers to run their own JavaScript, called from their website. As a consequence, it will be possible for visitors to the site to explicitly call those functions. However, Workers runs in an iframe sandbox, disconnected from the rest of the customer's website. XSS attacks only impact security if they can run in the context of dash.cloudflare.com or any other domain where they affect the currently logged-in Cloudflare user.\n(https://sites.google.com/site/bughunteruniversity/nonvuln/xss-in-sandbox-domain)\n\n## Security issue on origin server\nA vulnerability is out of scope if it exists on the origin server and not in a service that Cloudflare provides. If an exploit relies on the reporter configuring their origin in an insecure and non-default/uncommon way (for example, cache poisoning or subdomain takeover), we cannot fix the vulnerability.\n\n## Social Engineering\nAny form of social engineering attack will be considered out of scope. For example:\n* Pre-authenticated Clickjacking\n* Phishing\n* Impersonating Cloudflare in emails\n* Convincing customer support to do something on behalf of another user\n\n## WAF Bypasses\nWe consider WAF bypasses enhancements to our WAF product rather than bugs, and any related reports will be closed out as Informational. All WAF bypass reports need to be reproducible on our test site https://waf.cumulusfire.net/xss. 
You are free to use this site for testing.\n \n## Broken Links and abandoned cloud resources\nWe consider fixes for reported broken links, including links to abandoned cloud resources, as enhancements to our products and websites rather than bugs. Reports of broken links will not be awarded. Cloud resource takeovers will be awarded a payout of $50 unless an actual vulnerability is demonstrated by a proof-of-concept. If a PoC is provided, it will be awarded in accordance with the standard rewards table.\n\n# Out of Scope\nWe will accept out-of-scope reports and evaluate them on a case-by-case basis at our sole discretion.\n\nThe following issues are considered out of scope:\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Subdomain takeovers under *.cdn.cloudflare.net.\n* Attacks on servers under *.cdn.cloudflare.net (these servers belong to our customers and are not maintained by Cloudflare).\n* Previously known vulnerable libraries without a working proof of concept.\n* Comma-Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practice, configuration or policy suggestions, including SSL/TLS configurations.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector or being able to modify HTML/CSS.\n* Output from automated scanners without a PoC to demonstrate a specific vulnerability.\n* Missing Secure or HttpOnly flag on non-sensitive cookies.\n* Email configuration issues without a PoC to demonstrate a specific flaw.\n* Broken links without demonstrating an attack.\n* SaaS applications, even if published under the cloudflare.com domain. 
\n* Open redirects without demonstrating an attack.\n* All Area1 products are currently out of scope.\n \nNote: We have identified a problem in our sanitization library on dash.cloudflare.com which can cause XSS. We are aware of the issue and are working to fix it. We will not award bounties for XSS reported on dash.cloudflare.com as it would be a duplicate report. Thank you to the researchers who originally reported this issue. This note will be removed once the issue is fixed.\n \nNote: Mobilesdk is a product that we are sunsetting. Bounty for reports on this product will be awarded on a case-by-case basis at our sole discretion.\n \nAny of the activities below will result in disqualification from the program permanently:\n* Social engineering of Cloudflare employees, contractors, vendors, or service providers.\n* Physical attacks against Cloudflare employees, offices, and data centers.\n* Any Denial of Service attacks against Cloudflare and our products.\n* Any vulnerability obtained through the compromise of a Cloudflare customer or employee account. Please create a free account to test potential vulnerabilities.\n* Attempts to access/compromise customer assets that use Cloudflare.\n* Attempts to access/compromise Cloudflare's China network.\n* Attempts to access/compromise any third-party vendor that Cloudflare uses.\n* Attacks against the integrity of Cloudflare customers.\n \n# Guidelines for Testing\nPlease be considerate when testing our infrastructure. Failure to follow these guidelines will lead to disqualification from the Cloudflare Bug Bounty program.\n* Make sure that scanners have a narrow scope set that is limited to authorized Cloudflare IPs only. 
Aggressive, overly broad scans or those which include Cloudflare customer IPs without permission will be considered invalid.\n* Do not send unsolicited bulk messages (spam) or unauthorized messages.\n* Do not knowingly post, transmit, upload, link to, or send any malware.\n* Do not attack Cloudflare customers, partners or suppliers.\n* Testing should be done from a Cloudflare account associated with your @wearehackerone.com email address.\n \n# Reporting\nIf you believe you have found a security vulnerability that could impact Cloudflare or our users, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. We ask that you follow Cloudflare's [Vulnerability Disclosure Policy](https://www.cloudflare.com/disclosure/) and HackerOne's [Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines) and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research.\n \n# Recommended Report Format\nSubmitting high-quality reports is strongly encouraged. Please include the following information in your report. Low-quality or unclear reports will be closed. This recommended format helps you produce a readable report that contains all the information Cloudflare needs.\n* Affected target, feature, or URL:\n* Description of problem:\n* Impact of the issue:\n* Steps to reproduce:\n* Proof of Concept:\n* Is knowledge of this issue currently public?\n \n# Eligibility\nIn order for your submission to be eligible:\n* You must agree to this policy.\n* You must be the first person to responsibly disclose an unknown issue.\n* Follow the testing guidelines set above.\n* All attacks must be executed against your own test environment. You can sign up for a free Cloudflare account and use it for testing. 
**DO NOT ATTACK CLOUDFLARE'S CUSTOMERS.**\n\nAll legitimate reports will be reviewed and assessed by Cloudflare's security team to determine eligibility.\n\n# Disclosure\n\nWe permit you to disclose your research publicly, subject to our review and approval, once the issue has been resolved or 90 days have passed, whichever comes first. If you are planning to share information about your research publicly at a conference, in a blog, or any other public forum, you agree to share a draft with us for review and approval at least 7 days prior to the publication date. The following cannot be included in your publication:\n* Data regarding any Cloudflare customer instances\n* Cloudflare customers' data\n* Information about Cloudflare employees, contractors or partners\n \n# Privacy Policy, Restrictions and Taxes\nCloudflare maintains both a [privacy policy](https://www.cloudflare.com/privacypolicy/) and [transparency report](https://www.cloudflare.com/transparency/).\n \nAs mentioned in our Privacy and Security Policy, Cloudflare's website and services are not intended for, or designed to attract, individuals under the age of 18. Due to the Children's Online Privacy Protection Act (COPPA), we cannot accept submissions from children under the age of 13. Reporters under the age of 18 will not be eligible to receive Cloudflare service rewards. We may find another way to recognize your effort at our discretion.\n \nThis program is not open to any individual on, or anyone residing in any country on, any U.S. sanctions lists. Cloudflare employees and their family members are not eligible for bounties.\n \nThe decision to pay a reward is entirely at our discretion. You must not violate any law. You are responsible for any tax implications or additional restrictions depending on your country and local law. 
We reserve the right to cancel this program at any time.\n \n# Legal Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we may take steps to make it known that your actions were conducted in compliance with this policy in our sole discretion. Cloudflare cannot authorize any activity on third-party products or guarantee they won’t pursue legal action against you. We aren’t responsible for your liability from actions performed on third parties.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-02-27T11:44:22.573Z"},{"id":3682303,"new_policy":"# Our Values\nCloudflare appreciates the work of security researchers, and we take security, trust, and transparency seriously. We developed a program to make it easier to report vulnerabilities to Cloudflare and to recognize you for your efforts to make the Internet a better place.\n\nFor research into our products, good starting points include our [Developer documentation](https://developers.cloudflare.com/docs/), [API documentation](https://api.cloudflare.com/#getting-started-endpoints), the [Learning Center](https://www.cloudflare.com/learning/), and any material on the [Cloudflare support forums](https://community.cloudflare.com/).\n \n# Rewards\nCloudflare awards bounties based on severity using the Common Vulnerability Scoring Standard (CVSS) version 3.\n \nPlease note that these are general guidelines for rewards, and that reward decisions are at the discretion of Cloudflare. 
Issues may receive a lower severity rating due to mitigating factors, Cloudflare’s assessment of business risk, or other context. All pricing is in USD.\n \n| Severity | Critical (9.0 - 10.0) | High (7.0 - 8.9) | Medium (4.0 - 6.9) | Low (0.1 - 3.9) |\n| --- | --- | --- | --- | --- |\n| **Primary Targets** | $3,000 | $1,000 | $500 | $250 |\n| **Secondary Targets** | $2,700 | $750 | $350 | $200 |\n| **Other** | $2,100 | $500 | $200 | $100 |\n\nMemory corruption reports in [workerd](https://github.com/cloudflare/workerd) will be awarded $10,000.\nV8 bugs are not in scope for this program. Please report them at https://v8.dev/docs/security-bugs.\n\n**Note:** WAF Bypasses may be awarded up to $50 at the program's discretion.\n\n# Response Times\n* First Response: 2 days\n* Time to Triage: 2 days\n* Time to Bounty: 10 days\n* Time to Resolution: depends on severity and complexity\n\n# Collaborate with other hackers!\nIf your report is the product of collaboration, please add your collaborators before a bounty is awarded. [Let us know here](https://docs.google.com/forms/d/e/1FAIpQLSdGCbnBDcATSFeByRG0f5pBMRpEAzuJ0wXPC3jlscp3F7qOwg/viewform?urp=gmail_link) if you have questions!\n \n# Program Rules\n* By participating in this program, you agree not to discuss or otherwise disclose your ongoing work under this program or any vulnerabilities with parties outside of the program without explicit consent from Cloudflare, except as provided below.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward. 
Eligibility for rewards is at Cloudflare’s sole discretion.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities in order to demonstrate impact.\n* Once you find a vulnerability, report it and reach out to us before pivoting.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded only one bounty.\n* Do not store any Cloudflare IP or PII information once the report is submitted.\n \n# Scope\nPlease see our classifications for primary targets and secondary targets. We may still reward reports with significant security impact on anything owned by Cloudflare, so we encourage you to report such bugs via this program.\n \n## Scope: Primary Targets\nProducts listed under the Cloudflare Products tab on [our website](https://www.cloudflare.com/) are in scope as a primary target, excluding our China network, which is hosted by a partner. 
Current in-scope products include:\n* [Stream](https://developers.cloudflare.com/stream/getting-started/)\n* [1.1.1.1 resolver](https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/)\n* 1.1.1.1/WARP Android and iOS apps\n* [Magic Transit](https://developers.cloudflare.com/magic-transit/)\n* [Cloudflare Pages](https://pages.cloudflare.com/)\n* [Cloudflare Workers](https://developers.cloudflare.com/workers/)\n* [Argo/Argo Tunnel](https://developers.cloudflare.com/argo-tunnel/quickstart/)\n* [Spectrum](https://developers.cloudflare.com/spectrum/getting-started/)\n* [Load Balancing](https://developers.cloudflare.com/load-balancing/about/)\n* AMP Real URL\n* CDNJS\n* [Bot Management](https://developers.cloudflare.com/bots/)\n* Cloudflare Marketplace (platform only)*\n* [WAF](https://developers.cloudflare.com/waf/change-log/)\n* [Cloudflare Zero Trust/Cloudflare One](https://www.cloudflare.com/en-gb/products/zero-trust/)\n* [WARP clients (desktop/mobile)](https://1.1.1.1/)\n* [workerd](https://github.com/cloudflare/workerd)\n \n*Cloudflare Marketplace scope only covers the platform for browsing and enabling apps onto customer zones. Issues with apps on the marketplace that are created by third parties are out of scope, but may be reviewed on a case-by-case basis at Cloudflare’s discretion.\n \n## Scope: Secondary Targets\n* dash.cloudflare.com\n* dash.teams.cloudflare.com\n* APIs listed on api.cloudflare.com\n \n## Scope: Other\n* *.cloudflare.com (e.g. blog.cloudflare.com, www.cloudflare.com, etc.)\n* Open source products created by Cloudflare (github.com/cloudflare)\n* Anything owned by Cloudflare not listed in primary targets (e.g. cloudflareworkers.com, rpki.cloudflare.com, etc.)\n \n \n# Ineligible Vulnerability Types\nCloudflare does not consider the following to be eligible vulnerabilities under this program. 
In most cases, these issues will be closed as **Not Applicable:**\n\n## XSS in Cloudflare Workers\nThe entire purpose of Workers is to allow customers to run their own JavaScript, called from their website. As a consequence, it will be possible for visitors to the site to explicitly call those functions. However, Workers runs in an iframe sandbox, disconnected from the rest of the customer's website. XSS attacks only impact security if they can run in the context of dash.cloudflare.com or any other domain where they affect the currently logged-in Cloudflare user.\n(https://sites.google.com/site/bughunteruniversity/nonvuln/xss-in-sandbox-domain)\n\n## Security issue on origin server\nA vulnerability is out of scope if it exists on the origin server and not in a service that Cloudflare provides. If an exploit relies on the reporter configuring their origin in an insecure and non-default/uncommon way (for example, cache poisoning or subdomain takeover), we cannot fix the vulnerability.\n\n## Social Engineering\nAny form of social engineering attack will be considered out of scope. For example:\n* Pre-authenticated Clickjacking\n* Phishing\n* Impersonating Cloudflare in emails\n* Convincing customer support to do something on behalf of another user\n\n## WAF Bypasses\nWe consider WAF bypasses enhancements to our WAF product rather than bugs, and any related reports will be closed out as Informational. All WAF bypass reports need to be reproducible on our test site https://waf.cumulusfire.net/xss. You are free to use this site for testing.\n \n## Broken Links and abandoned cloud resources\nWe consider fixes for reported broken links, including links to abandoned cloud resources, as enhancements to our products and websites rather than bugs. Reports of broken links will not be awarded. Cloud resource takeovers will be awarded a payout of $50 unless an actual vulnerability is demonstrated by a proof-of-concept. 
If a PoC is provided, it will be awarded in accordance with the standard rewards table.\n\n# Out of Scope\nWe will accept out-of-scope reports and evaluate them on a case-by-case basis at our sole discretion.\n\nThe following issues are considered out of scope:\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Subdomain takeovers under *.cdn.cloudflare.net.\n* Attacks on servers under *.cdn.cloudflare.net (these servers belong to our customers and are not maintained by Cloudflare).\n* Previously known vulnerable libraries without a working proof of concept.\n* Comma-Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practice, configuration or policy suggestions, including SSL/TLS configurations.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector or being able to modify HTML/CSS.\n* Output from automated scanners without a PoC to demonstrate a specific vulnerability.\n* Missing Secure or HttpOnly flag on non-sensitive cookies.\n* Email configuration issues without a PoC to demonstrate a specific flaw.\n* Broken links without demonstrating an attack.\n* SaaS applications, even if published under the cloudflare.com domain.\n* Open redirects without demonstrating an attack.\n \nNote: We have identified a problem in our sanitization library on dash.cloudflare.com which can cause XSS. We are aware of the issue and are working to fix it. We will not award bounties for XSS reported on dash.cloudflare.com as it would be a duplicate report. Thank you to the researchers who originally reported this issue. This note will be removed once the issue is fixed.\n \nNote: Mobilesdk is a product that we are sunsetting. 
Bounty for reports on this product will be awarded on a case-by-case basis at our sole discretion.\n \nAny of the activities below will result in disqualification from the program permanently:\n* Social engineering of Cloudflare employees, contractors, vendors, or service providers.\n* Physical attacks against Cloudflare employees, offices, and data centers.\n* Any Denial of Service attacks against Cloudflare and our products.\n* Any vulnerability obtained through the compromise of a Cloudflare customer or employee account. Please create a free account to test potential vulnerabilities.\n* Attempts to access/compromise customer assets that use Cloudflare.\n* Attempts to access/compromise Cloudflare's China network.\n* Attempts to access/compromise any third-party vendor that Cloudflare uses.\n* Attacks against the integrity of Cloudflare customers.\n \n# Guidelines for Testing\nPlease be considerate when testing our infrastructure. Failure to follow these guidelines will lead to disqualification from the Cloudflare Bug Bounty program.\n* Make sure that scanners have a narrow scope set that is limited to authorized Cloudflare IPs only. Aggressive, overly broad scans or those which include Cloudflare customer IPs without permission will be considered invalid.\n* Do not send unsolicited bulk messages (spam) or unauthorized messages.\n* Do not knowingly post, transmit, upload, link to, or send any malware.\n* Do not attack Cloudflare customers, partners or suppliers.\n* Testing should be done from a Cloudflare account associated with your @wearehackerone.com email address.\n \n# Reporting\nIf you believe you have found a security vulnerability that could impact Cloudflare or our users, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. 
We ask that you follow Cloudflare's [Vulnerability Disclosure Policy](https://www.cloudflare.com/disclosure/) and HackerOne's [Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines) and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research.\n \n# Recommended Report Format\nSubmitting high-quality reports is strongly encouraged. Please include the following information in your report. Low-quality or unclear reports will be closed. This recommended format helps you produce a readable report that contains all the information Cloudflare needs.\n* Affected target, feature, or URL:\n* Description of problem:\n* Impact of the issue:\n* Steps to reproduce:\n* Proof of Concept:\n* Is knowledge of this issue currently public?\n \n# Eligibility\nIn order for your submission to be eligible:\n* You must agree to this policy.\n* You must be the first person to responsibly disclose an unknown issue.\n* Follow the testing guidelines set above.\n* All attacks must be executed against your own test environment. You can sign up for a free Cloudflare account and use it for testing. **DO NOT ATTACK CLOUDFLARE'S CUSTOMERS.**\n\nAll legitimate reports will be reviewed and assessed by Cloudflare's security team to determine eligibility.\n\n# Disclosure\n\nWe permit you to disclose your research publicly, subject to our review and approval, once the issue has been resolved or 90 days have passed, whichever comes first. If you are planning to share information about your research publicly at a conference, in a blog, or any other public forum, you agree to share a draft with us for review and approval at least 7 days prior to the publication date. 
The following cannot be included in your publication:\n* Data regarding any Cloudflare customer instances\n* Cloudflare customers' data\n* Information about Cloudflare employees, contractors or partners\n \n# Privacy Policy, Restrictions and Taxes\nCloudflare maintains both a [privacy policy](https://www.cloudflare.com/privacypolicy/) and [transparency report](https://www.cloudflare.com/transparency/).\n \nAs mentioned in our Privacy and Security Policy, Cloudflare's website and services are not intended for, or designed to attract, individuals under the age of 18. Due to the Children's Online Privacy Protection Act (COPPA), we cannot accept submissions from children under the age of 13. Reporters under the age of 18 will not be eligible to receive Cloudflare service rewards. We may find another way to recognize your effort at our discretion.\n \nThis program is not open to any individual on, or anyone residing in any country on, any U.S. sanctions lists. Cloudflare employees and their family members are not eligible for bounties.\n \nThe decision to pay a reward is entirely at our discretion. You must not violate any law. You are responsible for any tax implications or additional restrictions depending on your country and local law. We reserve the right to cancel this program at any time.\n \n# Legal Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we may take steps to make it known that your actions were conducted in compliance with this policy in our sole discretion. Cloudflare cannot authorize any activity on third-party products or guarantee they won’t pursue legal action against you. 
We aren’t responsible for your liability from actions performed on third parties.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-01-20T16:08:10.408Z"},{"id":3681590,"new_policy":"# Our Values\nCloudflare appreciates the work of security researchers, and we take security, trust, and transparency seriously. We developed a program to make it easier to report vulnerabilities to Cloudflare and to recognize you for your efforts to make the Internet a better place.\n\nFor research into our products, good starting points include our [Developer documentation](https://developers.cloudflare.com/docs/), [API documentation](https://api.cloudflare.com/#getting-started-endpoints), the [Learning Center](https://www.cloudflare.com/learning/), and any material on the [Cloudflare support forums](https://community.cloudflare.com/).\n \n# Rewards\nCloudflare awards bounties based on severity using the Common Vulnerability Scoring Standard (CVSS) version 3.\n \nPlease note that these are general guidelines for rewards, and that reward decisions are at the discretion of Cloudflare. Issues may receive a lower severity rating due to mitigating factors, Cloudflare’s assessment of business risk, or other context. All pricing is in USD.\n \n| Severity |  Critical (9.0 - 10.0) | High (7.0 - 8.9) | Medium (4.0 - 6.9)  |   Low (0.1 - 3.9)  |\n| --- | --- | --- | --- | --- |\n| **Primary Targets**  | $3,000   |  $1,000   |  $500   | $250 |\n| **Secondary Targets**  |  $2,700    |  $750   |  $350   |   $200  |\n|**Other** | $2,100 | $500 | $200 | $100 |\n\nMemory corruption reports in [workerd](https://github.com/cloudflare/workerd) will be awarded $10,000.\nV8 bugs are not in scope for this program. 
Please report them at https://v8.dev/docs/security-bugs.\n\n**Note:** WAF Bypasses may be awarded up to $50 at the program's discretion.\n\n# Response Times\n* First Response: 2 days\n* Time to Triage: 2 days\n* Time to Bounty: 10 days\n* Time to Resolution: depends on severity and complexity\n\n# Collaborate with other hackers!\nIf your report is the product of collaboration, please add your collaborators before a bounty is awarded. [Let us know here](https://docs.google.com/forms/d/e/1FAIpQLSdGCbnBDcATSFeByRG0f5pBMRpEAzuJ0wXPC3jlscp3F7qOwg/viewform?urp=gmail_link) if you have questions!\n \n# Program Rules\n* By participating in this program, you agree not to discuss or otherwise disclose your ongoing work under this program or any vulnerabilities with parties outside of the program without explicit consent from Cloudflare, except as provided below.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward. Eligibility for rewards is at Cloudflare’s sole discretion.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities in order to demonstrate impact.\n* Once you find a vulnerability, report it and reach out to us before pivoting.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded only one bounty.\n* Do not store any Cloudflare IP or PII information once the report is submitted.\n \n# Scope\nPlease see our classifications for primary targets and secondary targets. 
We may still reward reports with significant security impact on anything owned by Cloudflare, so we encourage you to report such bugs via this program.\n \n## Scope: Primary Targets\nProducts listed under the Cloudflare Products tab on [our website](https://www.cloudflare.com/) are in scope as a primary target, excluding our China network, which is hosted by a partner. Current in-scope products include:\n* [Stream](https://developers.cloudflare.com/stream/getting-started/)\n* [1.1.1.1 resolver](https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/)\n* 1.1.1.1/WARP Android and iOS apps\n* [Magic Transit](https://developers.cloudflare.com/magic-transit/)\n* [Cloudflare Pages](https://pages.cloudflare.com/)\n* [Cloudflare Workers](https://developers.cloudflare.com/workers/)\n* [Argo/Argo Tunnel](https://developers.cloudflare.com/argo-tunnel/quickstart/)\n* [Spectrum](https://developers.cloudflare.com/spectrum/getting-started/)\n* [Load Balancing](https://developers.cloudflare.com/load-balancing/about/)\n* AMP Real URL\n* CDNJS\n* [Bot Management](https://developers.cloudflare.com/bots/)\n* Cloudflare Marketplace (platform only)*\n* [WAF](https://developers.cloudflare.com/waf/change-log/)\n* [Cloudflare Zero Trust/Cloudflare One](https://www.cloudflare.com/en-gb/products/zero-trust/)\n* [WARP clients (desktop/mobile)](https://1.1.1.1/)\n* [workerd](https://github.com/cloudflare/workerd)\n \n*Cloudflare Marketplace scope only covers the platform for browsing and enabling apps onto customer zones. Issues with apps on the marketplace that are created by third parties are out of scope, but may be reviewed on a case-by-case basis at Cloudflare’s discretion.\n \n## Scope: Secondary Targets\n* dash.cloudflare.com\n* dash.teams.cloudflare.com\n* APIs listed on api.cloudflare.com\n \n## Scope: Other\n* *.cloudflare.com (e.g. 
blog.cloudflare.com, www.cloudflare.com, etc.)\n* Open source products created by Cloudflare (github.com/cloudflare)\n* Anything owned by Cloudflare not listed in primary targets (e.g. cloudflareworkers.com, rpki.cloudflare.com, etc.)\n \n \n# Ineligible Vulnerability Types\nCloudflare does not consider the following to be eligible vulnerabilities under this program. In most cases, these issues will be closed as **Not Applicable:**\n\n## XSS in Cloudflare Workers\nThe entire purpose of Workers is to allow customers to run their own JavaScript, called from their website. As a consequence, it will be possible for visitors to the site to explicitly call those functions. However, Workers runs in an iframe sandbox, disconnected from the rest of the customer's website. XSS attacks only impact security if they can run in the context of dash.cloudflare.com or any other domain where they affect the currently logged-in Cloudflare user.\n(https://sites.google.com/site/bughunteruniversity/nonvuln/xss-in-sandbox-domain)\n\n## Security issue on origin server\nA vulnerability is out of scope if it exists on the origin server and not in a service that Cloudflare provides. If an exploit relies on the reporter configuring their origin in an insecure and non-default/uncommon way (for example, cache poisoning or subdomain takeover), we cannot fix the vulnerability.\n\n## Social Engineering\nAny form of social engineering attack will be considered out of scope. For example:\n* Pre-authenticated Clickjacking\n* Phishing\n* Impersonating Cloudflare in emails\n* Convincing customer support to do something on behalf of another user\n\n## WAF Bypasses\nWe consider WAF bypasses enhancements to our WAF product rather than bugs, and any related reports will be closed out as Informational. All WAF bypass reports need to be reproducible on our test site https://waf.cumulusfire.net/xss. 
You are free to use this site for testing.\n \n## Broken Links and abandoned cloud resources\nWe consider fixes for reported broken links, including links to abandoned cloud resources, as enhancements to our products and websites rather than bugs. Reports of broken links will not be awarded. Cloud resource takeovers will be awarded a payout of $50 unless an actual vulnerability is demonstrated by a proof-of-concept. If a PoC is provided, it will be awarded in accordance with the standard rewards table.\n\n# Out of Scope\nWe will accept out of scope reports and evaluate them on a case-by-case basis in our sole discretion. \n\nThe following issues are considered out of scope:\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Subdomain takeovers under *.cdn.cloudflare.net\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing Best Practice, Configuration or Policy Suggestions including SSL/TLS configurations.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Output from Automated Scanners without a PoC to demonstrate a specific vulnerability.\n* Lack of Secure or HTTP only flag on non-sensitive cookies.\n* Email configuration issues without a PoC to demonstrate a specific flaw.\n* Broken links without demonstrating an attack\n* SaaS applications, even if published under the cloudflare.com domain. \n* Open redirects without demonstrating an attack\n \nNote: We have identified a problem in our sanitization library on dash.cloudflare.com which can cause XSS. We are aware of the issue and are working to fix it. We will not award bounties for XSS reported on dash.cloudflare.com as it would be a duplicate report. 
Thank you to the researchers who originally reported this issue. This note will be removed once the issue is fixed.\n \nNote: Mobilesdk is a product that we are sunsetting. Bounty for reports on this product will be awarded on a case-by-case basis at our sole discretion.\nAny of the activities below will result in disqualification from the program permanently:\n* Social engineering of Cloudflare employees, contractors, vendors, or service providers.\n* Physical attacks against Cloudflare employees, offices, and data centers.\n* Any Denial of Service attacks against Cloudflare and our products.\n* Any vulnerability obtained through the compromise of a Cloudflare customer or employee account. Please create a free account to test potential vulnerabilities. \n* Attempts to access/compromise customer assets that use Cloudflare.\n* Attempts to access/compromise Cloudflare's China network.\n* Attempts to access/compromise any 3rd party vendor that Cloudflare uses.\n* Attacks against the integrity of Cloudflare customers.\n \n# Guidelines for Testing\nPlease be considerate when testing our infrastructure. Failure to follow these guidelines will lead to disqualification from the Cloudflare Bug Bounty program.\n* Make sure that scanners have a narrow scope set that is limited to authorized Cloudflare IPs only. Aggressive, overly broad scans or those which include Cloudflare customer IPs without permission will be considered invalid.\n* Do not send unsolicited bulk messages (spam) or unauthorized messages.\n* Do not knowingly post, transmit, upload, link to, or send any malware.\n* Do not attack Cloudflare customers, partners or suppliers.\n* Testing should be done from a Cloudflare account associated with your @wearehackerone.com email address.\n \n# Reporting\nIf you believe you have found a security vulnerability that could impact Cloudflare or our users, we encourage you to let us know right away. 
We will investigate all legitimate reports and do our best to quickly fix the problem. We ask that you follow Cloudflare's [Vulnerability Disclosure Policy](https://www.cloudflare.com/disclosure/) and HackerOne's [Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines) and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research.\n \n# Recommended Report Format\nSubmitting high quality reports is highly encouraged. Please address the following bits of information in your report to demonstrate the quality of the vulnerability. Reports that are low quality and unclear will be closed. This recommended format will help you create a report that is in a readable format and contains all the information needed by Cloudflare.\n* Affected target, feature, or URL:\n* Description of problem:\n* Impact of the issue:\n* Steps to reproduce:\n* Proof of Concept:\n* Is knowledge of this issue currently public?\n \n# Eligibility \nIn order for your submission to be eligible:\n* You must agree to this policy.\n* You must be the first person to responsibly disclose an unknown issue.\n* Follow the testing guidelines set above.\n* All attacks must be executed against your own test environment. You can sign up for a free Cloudflare account and use it for testing. **DO NOT ATTACK CLOUDFLARE'S CUSTOMERS.**\n\nAll legitimate reports will be reviewed and assessed by Cloudflare's security team to determine eligibility.\n\n# Disclosure\n\nWe permit you to disclose your research publicly, subject to our review and approval, once the issue has been resolved or 90 days has passed, whichever comes first. If you are planning to share information about your research publicly at a conference, in a blog, or any other public forum, you agree to share a draft with us for review and approval at least 7 days prior to the publication date. 
The following cannot be included in your publication:\n* Data regarding any Cloudflare customer instances\n* Cloudflare customers' data\n* information about Cloudflare employees, contractors or partners\n \n# Privacy Policy, Restrictions and Taxes\nCloudflare maintains both a [privacy policy](https://www.cloudflare.com/privacypolicy/) and [transparency report](https://www.cloudflare.com/transparency/).\n \nAs mentioned in our Privacy and Security Policy, Cloudflare's website and services are not intended for, or designed to attract individuals under the age of 18. Due to the Children's Online Privacy Protection Act (COPPA), we cannot accept submissions from children under the age of 13. Reporters under the age of 18 will not be eligible to receive Cloudflare service rewards. We may find another way to recognize your effort at our discretion.\n \nThis program is not open to any individual on, or anyone residing in any country on, any U.S. sanctions lists. Cloudflare employees and their family members are not eligible for bounties.\n \nThe decision to pay a reward is entirely at our discretion. You must not violate any law. You are responsible for any tax implications or additional restrictions depending on your country and local law. We reserve the right to cancel this program at any time.\n \n# Legal Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we may take steps to make it known that your actions were conducted in compliance with this policy in our sole discretion. Cloudflare cannot authorize any activity on third-party products or guarantee they won’t pursue legal action against you. 
We aren’t responsible for your liability from actions performed on third parties.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-01-03T10:52:31.740Z"},{"id":3678930,"new_policy":"# Our Values\nCloudflare appreciates the work of security researchers, and we take security, trust, and transparency seriously. We developed a program to make it easier to report vulnerabilities to Cloudflare and to recognize you for your efforts to make the Internet a better place.\n\nFor research into our products, good starting points include our [Developer documentation](https://developers.cloudflare.com/docs/), [API documentation](https://api.cloudflare.com/#getting-started-endpoints), the [Learning Center](https://www.cloudflare.com/learning/), and any material on the [Cloudflare support forums](https://community.cloudflare.com/).\n \n# Rewards\nCloudflare awards bounties based on severity using the Common Vulnerability Scoring Standard (CVSS) version 3.\n \nPlease note that these are general guidelines for rewards, and that reward decisions are at the discretion of Cloudflare. Issues may receive a lower severity rating due to mitigating factors, Cloudflare’s assessment of business risk, or other context. All pricing is in USD.\n \n| Severity |  Critical (9.0 - 10.0) | High (7.0 - 8.9) | Medium (4.0 - 6.9)  |   Low (0.1 - 3.9)  |\n| --- | --- | --- | --- | --- |\n| **Primary Targets**  | $3,000   |  $1,000   |  $500   | $250 |\n| **Secondary Targets**  |  $2,700    |  $750   |  $350   |   $200  |\n|**Other** | $2,100 | $500 | $200 | $100 |\n\nMemory corruption reports in [workerd](https://github.com/cloudflare/workerd) will be awarded $10,000.\nV8 bugs are not in scope for this program. 
Please report them at https://v8.dev/docs/security-bugs.\n\n**Note:** WAF Bypasses may be awarded up to $50 at the program's discretion.\n\n# Response Times\n* First Response: 2 days \n* Time to Triage: 2 days\n* Time to Bounty: 10 days\n* Time to Resolution: depends on severity and complexity\n\n# Collaborate with other hackers!\nIf your report is the product of collaboration, please add your collaborators before a bounty is awarded. [Let us know here](https://docs.google.com/forms/d/e/1FAIpQLSdGCbnBDcATSFeByRG0f5pBMRpEAzuJ0wXPC3jlscp3F7qOwg/viewform?urp=gmail_link) if you have questions!\n \n# Program Rules\n* By participating in this program, you agree to not discuss or otherwise disclose your ongoing work under this program or any vulnerabilities with parties outside of the program without explicit consent from Cloudflare, except as provided below.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward. Eligibility for rewards is at Cloudflare’s sole discretion.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities in order to demonstrate impact.\n* Once you find a vulnerability, report it and reach out to us before pivoting \n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded only one bounty.\n* Do not store any Cloudflare IP or PII information once the report is submitted\n \n# Scope\nPlease see our classifications for primary targets and secondary targets. 
We may still reward reports with significant security impact on anything owned by Cloudflare, so we encourage you to report such bugs via this program.\n \n## Scope: Primary Targets\nProducts listed under the Cloudflare Products tab on [our website](https://www.cloudflare.com/) are in scope as a primary target, excluding our China network which is hosted by a partner. Current in scope products include:\n* [Stream](https://developers.cloudflare.com/stream/getting-started/)\n* [1.1.1.1 resolver](https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/)\n* 1.1.1.1/WARP Android and iOS apps\n* [Magic Transit](https://developers.cloudflare.com/magic-transit/)\n* [Cloudflare Pages](https://pages.cloudflare.com/)\n* [Cloudflare Workers](https://developers.cloudflare.com/workers/)\n* [Argo/Argo tunnel](https://developers.cloudflare.com/argo-tunnel/quickstart/)\n* [Spectrum](https://developers.cloudflare.com/spectrum/getting-started/)\n* [Load Balancing](https://developers.cloudflare.com/load-balancing/about/)\n* AMP Real URL\n* CDNJS\n* [Bot Management](https://developers.cloudflare.com/bots/)\n* Cloudflare Marketplace (platform only)*\n* [WAF](https://developers.cloudflare.com/waf/change-log/)\n* [Cloudflare for Teams](https://www.cloudflare.com/teams/)\n* [workerd](https://github.com/cloudflare/workerd)\n \n*Cloudflare Marketplace scope only covers the platform for browsing and enabling apps on to customer zones. Issues with apps on the marketplace that are created by third parties and are out of scope, but may be reviewed on a case-by-case basis at Cloudflare’s discretion.\n \n## Scope: Secondary Targets\n* dash.cloudflare.com\n* dash.teams.cloudflare.com\n* APIs listed on api.cloudflare.com\n \n## Scope: Other\n*  *.cloudflare.com (e.g. blog.cloudflare.com, www.cloudflare.com, etc.)\n* Open source products created by Cloudflare (github.com/cloudflare)\n* Anything owned by Cloudflare not listed in primary targets (e.g. 
cloudflareworkers.com, rpki.cloudflare.com, etc.)\n \n \n# Ineligible Vulnerability Types\nCloudflare does not consider the following to be eligible vulnerabilities under this program. In most cases, these issues will be closed as **Not Applicable:**\n\n## XSS in Cloudflare workers\nThe entire purpose of Workers is to allow customers to run their own Javascript, called from their website. As a consequence, it will be possible for visitors to the site to explicitly call those functions. However, Workers runs in an Iframe sandbox, disconnected from the rest of the customer's website. XSS attacks only impact security if they can run in the context of  dash.cloudflare.com or any domain where it affects the currently logged-in Cloudflare user.\n(https://sites.google.com/site/bughunteruniversity/nonvuln/xss-in-sandbox-domain)\n\n## Security issue on origin server\nA vulnerability is out of scope if it exists on the origin server and not in a service that Cloudflare provides. If an exploit relies on the reporter configuring their origin in an insecure and non-default/uncommon way (for example, think cache-poisoning, subdomain takeovers, etc.), we cannot fix the vulnerability.\n\n## Social Engineering\nAny form of social engineering attack will be considered out of scope. For example:\n* Pre-authenticated Clickjacking\n* Phishing\n* Impersonating Cloudflare in emails\n* Convincing customer support to do something on behalf of another user\n\n## WAF Bypasses\nWe consider WAF bypasses an enhancement to our WAF product rather than bugs, and any related reports will be closed out as Informational. All WAF bypass reports need to be reproducible on our test site https://waf.cumulusfire.net/xss. You are free to use this site for testing.\n \n## Broken Links and abandoned cloud resources\nWe consider fixes for reported broken links, including links to abandoned cloud resources, as enhancements to our products and websites rather than bugs. 
Reports of broken links will not be awarded. Cloud resource takeovers will be awarded a payout of $50 unless an actual vulnerability is demonstrated by a proof-of-concept. If a PoC is provided, it will be awarded in accordance with the standard rewards table.\n\n# Out of Scope\nWe will accept out of scope reports and evaluate them on a case-by-case basis in our sole discretion. \n\nThe following issues are considered out of scope:\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Subdomain takeovers under *.cdn.cloudflare.net\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing Best Practice, Configuration or Policy Suggestions including SSL/TLS configurations.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Output from Automated Scanners without a PoC to demonstrate a specific vulnerability.\n* Lack of Secure or HTTP only flag on non-sensitive cookies.\n* Email configuration issues without a PoC to demonstrate a specific flaw.\n* Broken links without demonstrating an attack\n* SaaS applications, even if published under the cloudflare.com domain. \n* Open redirects without demonstrating an attack\n \nNote: We have identified a problem in our sanitization library on dash.cloudflare.com which can cause XSS. We are aware of the issue and are working to fix it. We will not award bounties for XSS reported on dash.cloudflare.com as it would be a duplicate report. Thank you to the researchers who originally reported this issue. This note will be removed once the issue is fixed.\n \nNote: Mobilesdk is a product that we are sunsetting. 
Bounty for reports on this product will be awarded on a case-by-case basis at our sole discretion.\nAny of the activities below will result in disqualification from the program permanently:\n* Social engineering of Cloudflare employees, contractors, vendors, or service providers.\n* Physical attacks against Cloudflare employees, offices, and data centers.\n* Any Denial of Service attacks against Cloudflare and our products.\n* Any vulnerability obtained through the compromise of a Cloudflare customer or employee account. Please create a free account to test potential vulnerabilities. \n* Attempts to access/compromise customer assets that use Cloudflare.\n* Attempts to access/compromise Cloudflare's China network.\n* Attempts to access/compromise any 3rd party vendor that Cloudflare uses.\n* Attacks against the integrity of Cloudflare customers.\n \n# Guidelines for Testing\nPlease be considerate when testing our infrastructure. Failure to follow these guidelines will lead to disqualification from the Cloudflare Bug Bounty program.\n* Make sure that scanners have a narrow scope set that is limited to authorized Cloudflare IPs only. Aggressive, overly broad scans or those which include Cloudflare customer IPs without permission will be considered invalid.\n* Do not send unsolicited bulk messages (spam) or unauthorized messages.\n* Do not knowingly post, transmit, upload, link to, or send any malware.\n* Do not attack Cloudflare customers, partners or suppliers.\n* Testing should be done from a Cloudflare account associated with your @wearehackerone.com email address.\n \n# Reporting\nIf you believe you have found a security vulnerability that could impact Cloudflare or our users, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. 
We ask that you follow Cloudflare's [Vulnerability Disclosure Policy](https://www.cloudflare.com/disclosure/) and HackerOne's [Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines) and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research.\n \n# Recommended Report Format\nSubmitting high quality reports is highly encouraged. Please address the following bits of information in your report to demonstrate the quality of the vulnerability. Reports that are low quality and unclear will be closed. This recommended format will help you create a report that is in a readable format and contains all the information needed by Cloudflare.\n* Affected target, feature, or URL:\n* Description of problem:\n* Impact of the issue:\n* Steps to reproduce:\n* Proof of Concept:\n* Is knowledge of this issue currently public?\n \n# Eligibility \nIn order for your submission to be eligible:\n* You must agree to this policy.\n* You must be the first person to responsibly disclose an unknown issue.\n* Follow the testing guidelines set above.\n* All attacks must be executed against your own test environment. You can sign up for a free Cloudflare account and use it for testing. **DO NOT ATTACK CLOUDFLARE'S CUSTOMERS.**\n\nAll legitimate reports will be reviewed and assessed by Cloudflare's security team to determine eligibility.\n\n# Disclosure\n\nWe permit you to disclose your research publicly, subject to our review and approval, once the issue has been resolved or 90 days has passed, whichever comes first. If you are planning to share information about your research publicly at a conference, in a blog, or any other public forum, you agree to share a draft with us for review and approval at least 7 days prior to the publication date. 
The following cannot be included in your publication:\n* Data regarding any Cloudflare customer instances\n* Cloudflare customers' data\n* information about Cloudflare employees, contractors or partners\n \n# Privacy Policy, Restrictions and Taxes\nCloudflare maintains both a [privacy policy](https://www.cloudflare.com/privacypolicy/) and [transparency report](https://www.cloudflare.com/transparency/).\n \nAs mentioned in our Privacy and Security Policy, Cloudflare's website and services are not intended for, or designed to attract individuals under the age of 18. Due to the Children's Online Privacy Protection Act (COPPA), we cannot accept submissions from children under the age of 13. Reporters under the age of 18 will not be eligible to receive Cloudflare service rewards. We may find another way to recognize your effort at our discretion.\n \nThis program is not open to any individual on, or anyone residing in any country on, any U.S. sanctions lists. Cloudflare employees and their family members are not eligible for bounties.\n \nThe decision to pay a reward is entirely at our discretion. You must not violate any law. You are responsible for any tax implications or additional restrictions depending on your country and local law. We reserve the right to cancel this program at any time.\n \n# Legal Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we may take steps to make it known that your actions were conducted in compliance with this policy in our sole discretion. Cloudflare cannot authorize any activity on third-party products or guarantee they won’t pursue legal action against you. 
We aren’t responsible for your liability from actions performed on third parties.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-10-24T13:35:50.178Z"},{"id":3677754,"new_policy":"# Our Values\nCloudflare appreciates the work of security researchers, and we take security, trust, and transparency seriously. We developed a program to make it easier to report vulnerabilities to Cloudflare and to recognize you for your efforts to make the Internet a better place.\n\nFor research into our products, good starting points include our [Developer documentation](https://developers.cloudflare.com/docs/), [API documentation](https://api.cloudflare.com/#getting-started-endpoints), the [Learning Center](https://www.cloudflare.com/learning/), and any material on the [Cloudflare support forums](https://community.cloudflare.com/).\n \n# Rewards\nCloudflare awards bounties based on severity using the Common Vulnerability Scoring Standard (CVSS) version 3.\n \nPlease note that these are general guidelines for rewards, and that reward decisions are at the discretion of Cloudflare. Issues may receive a lower severity rating due to mitigating factors, Cloudflare’s assessment of business risk, or other context. All pricing is in USD.\n \n| Severity |  Critical (9.0 - 10.0) | High (7.0 - 8.9) | Medium (4.0 - 6.9)  |   Low (0.1 - 3.9)  |\n| --- | --- | --- | --- | --- |\n| **Primary Targets**  | $3,000   |  $1,000   |  $500   | $250 |\n| **Secondary Targets**  |  $2,700    |  $750   |  $350   |   $200  |\n|**Other** | $2,100 | $500 | $200 | $100 |\n\nMemory corruption reports in [workerd](https://github.com/cloudflare/workerd) will be awarded $10,000.\nV8 bugs are not in scope for this program. 
Please report them at https://v8.dev/docs/security-bugs.\n\n**Note:** WAF Bypasses may be awarded up to $50 at the program's discretion.\n\n# Response Times\n* First Response: 2 days \n* Time to Triage: 2 days\n* Time to Bounty: 10 days\n* Time to Resolution: depends on severity and complexity\n\n# Collaborate with other hackers!\nIf your report is the product of collaboration, please add your collaborators before a bounty is awarded. [Let us know here](https://docs.google.com/forms/d/e/1FAIpQLSdGCbnBDcATSFeByRG0f5pBMRpEAzuJ0wXPC3jlscp3F7qOwg/viewform?urp=gmail_link) if you have questions!\n \n# Program Rules\n* By participating in this program, you agree to not discuss or otherwise disclose your ongoing work under this program or any vulnerabilities with parties outside of the program without explicit consent from Cloudflare, except as provided below.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward. Eligibility for rewards is at Cloudflare’s sole discretion.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities in order to demonstrate impact.\n* Once you find a vulnerability, report it and reach out to us before pivoting \n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded only one bounty.\n* Do not store any Cloudflare IP or PII information once the report is submitted\n \n# Scope\nPlease see our classifications for primary targets and secondary targets. 
We may still reward reports with significant security impact on anything owned by Cloudflare, so we encourage you to report such bugs via this program.\n \n## Scope: Primary Targets\nProducts listed under the Cloudflare Products tab on [our website](https://www.cloudflare.com/) are in scope as a primary target, excluding our China network which is hosted by a partner. Current in scope products include:\n* [Stream](https://developers.cloudflare.com/stream/getting-started/)\n* [1.1.1.1 resolver](https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/)\n* 1.1.1.1/WARP Android and iOS apps\n* [Magic Transit](https://developers.cloudflare.com/magic-transit/)\n* [Cloudflare Pages](https://pages.cloudflare.com/)\n* [Cloudflare Workers](https://developers.cloudflare.com/workers/)\n* [Argo/Argo tunnel](https://developers.cloudflare.com/argo-tunnel/quickstart/)\n* [Spectrum](https://developers.cloudflare.com/spectrum/getting-started/)\n* [Load Balancing](https://developers.cloudflare.com/load-balancing/about/)\n* AMP Real URL\n* CDNJS\n* [Bot Management](https://developers.cloudflare.com/bots/)\n* Cloudflare Marketplace (platform only)*\n* [WAF](https://developers.cloudflare.com/waf/change-log/)\n* [Cloudflare for Teams](https://www.cloudflare.com/teams/)\n* [workerd](https://github.com/cloudflare/workerd)\n \n*Cloudflare Marketplace scope only covers the platform for browsing and enabling apps on to customer zones. Issues with apps on the marketplace that are created by third parties and are out of scope, but may be reviewed on a case-by-case basis at Cloudflare’s discretion.\n \n## Scope: Secondary Targets\n* dash.cloudflare.com\n* APIs listed on api.cloudflare.com\n \n## Scope: Other\n*  *.cloudflare.com (e.g. blog.cloudflare.com, www.cloudflare.com, etc.)\n* Open source products created by Cloudflare (github.com/cloudflare)\n* Anything owned by Cloudflare not listed in primary targets (e.g. 
cloudflareworkers.com, rpki.cloudflare.com, etc.)\n \n \n# Ineligible Vulnerability Types\nCloudflare does not consider the following to be eligible vulnerabilities under this program. In most cases, these issues will be closed as **Not Applicable:**\n\n## XSS in Cloudflare workers\nThe entire purpose of Workers is to allow customers to run their own Javascript, called from their website. As a consequence, it will be possible for visitors to the site to explicitly call those functions. However, Workers runs in an Iframe sandbox, disconnected from the rest of the customer's website. XSS attacks only impact security if they can run in the context of  dash.cloudflare.com or any domain where it affects the currently logged-in Cloudflare user.\n(https://sites.google.com/site/bughunteruniversity/nonvuln/xss-in-sandbox-domain)\n\n## Security issue on origin server\nA vulnerability is out of scope if it exists on the origin server and not in a service that Cloudflare provides. If an exploit relies on the reporter configuring their origin in an insecure and non-default/uncommon way (for example, think cache-poisoning, subdomain takeovers, etc.), we cannot fix the vulnerability.\n\n## Social Engineering\nAny form of social engineering attack will be considered out of scope. For example:\n* Pre-authenticated Clickjacking\n* Phishing\n* Impersonating Cloudflare in emails\n* Convincing customer support to do something on behalf of another user\n\n## WAF Bypasses\nWe consider WAF bypasses an enhancement to our WAF product rather than bugs, and any related reports will be closed out as Informational. All WAF bypass reports need to be reproducible on our test site https://waf.cumulusfire.net/xss. You are free to use this site for testing.\n \n## Broken Links and abandoned cloud resources\nWe consider fixes for reported broken links, including links to abandoned cloud resources, as enhancements to our products and websites rather than bugs. 
Reports of broken links will not be awarded. Cloud resource takeovers will be awarded a payout of $50 unless an actual vulnerability is demonstrated by a proof-of-concept. If a PoC is provided, it will be awarded in accordance with the standard rewards table.\n\n# Out of Scope\nWe will accept out of scope reports and evaluate them on a case-by-case basis in our sole discretion. \n\nThe following issues are considered out of scope:\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Subdomain takeovers under *.cdn.cloudflare.net\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing Best Practice, Configuration or Policy Suggestions including SSL/TLS configurations.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Output from Automated Scanners without a PoC to demonstrate a specific vulnerability.\n* Lack of Secure or HTTP only flag on non-sensitive cookies.\n* Email configuration issues without a PoC to demonstrate a specific flaw.\n* Broken links without demonstrating an attack\n* SaaS applications, even if published under the cloudflare.com domain. \n* Open redirects without demonstrating an attack\n \nNote: We have identified a problem in our sanitization library on dash.cloudflare.com which can cause XSS. We are aware of the issue and are working to fix it. We will not award bounties for XSS reported on dash.cloudflare.com as it would be a duplicate report. Thank you to the researchers who originally reported this issue. This note will be removed once the issue is fixed.\n \nNote: Mobilesdk is a product that we are sunsetting. 
Bounty for reports on this product will be awarded on a case-by-case basis at our sole discretion.\nAny of the activities below will result in disqualification from the program permanently:\n* Social engineering of Cloudflare employees, contractors, vendors, or service providers.\n* Physical attacks against Cloudflare employees, offices, and data centers.\n* Any Denial of Service attacks against Cloudflare and our products.\n* Any vulnerability obtained through the compromise of a Cloudflare customer or employee account. Please create a free account to test potential vulnerabilities. \n* Attempts to access/compromise customer assets that use Cloudflare.\n* Attempts to access/compromise Cloudflare's China network.\n* Attempts to access/compromise any 3rd party vendor that Cloudflare uses.\n* Attacks against the integrity of Cloudflare customers.\n \n# Guidelines for Testing\nPlease be considerate when testing our infrastructure. Failure to follow these guidelines will lead to disqualification from the Cloudflare Bug Bounty program.\n* Make sure that scanners have a narrow scope set that is limited to authorized Cloudflare IPs only. Aggressive, overly broad scans or those which include Cloudflare customer IPs without permission will be considered invalid.\n* Do not send unsolicited bulk messages (spam) or unauthorized messages.\n* Do not knowingly post, transmit, upload, link to, or send any malware.\n* Do not attack Cloudflare customers, partners or suppliers.\n* Testing should be done from a Cloudflare account associated with your @wearehackerone.com email address.\n \n# Reporting\nIf you believe you have found a security vulnerability that could impact Cloudflare or our users, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. 
We ask that you follow Cloudflare's [Vulnerability Disclosure Policy](https://www.cloudflare.com/disclosure/) and HackerOne's [Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines) and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research.\n \n# Recommended Report Format\nSubmitting high quality reports is highly encouraged. Please address the following bits of information in your report to demonstrate the quality of the vulnerability. Reports that are low quality and unclear will be closed. This recommended format will help you create a report that is in a readable format and contains all the information needed by Cloudflare.\n* Affected target, feature, or URL:\n* Description of problem:\n* Impact of the issue:\n* Steps to reproduce:\n* Proof of Concept:\n* Is knowledge of this issue currently public?\n \n# Eligibility \nIn order for your submission to be eligible:\n* You must agree to this policy.\n* You must be the first person to responsibly disclose an unknown issue.\n* Follow the testing guidelines set above.\n* All attacks must be executed against your own test environment. You can sign up for a free Cloudflare account and use it for testing. **DO NOT ATTACK CLOUDFLARE'S CUSTOMERS.**\n\nAll legitimate reports will be reviewed and assessed by Cloudflare's security team to determine eligibility.\n\n# Disclosure\n\nWe permit you to disclose your research publicly, subject to our review and approval, once the issue has been resolved or 90 days has passed, whichever comes first. If you are planning to share information about your research publicly at a conference, in a blog, or any other public forum, you agree to share a draft with us for review and approval at least 7 days prior to the publication date. 
The following cannot be included in your publication:\n* Data regarding any Cloudflare customer instances\n* Cloudflare customers' data\n* information about Cloudflare employees, contractors or partners\n \n# Privacy Policy, Restrictions and Taxes\nCloudflare maintains both a [privacy policy](https://www.cloudflare.com/privacypolicy/) and [transparency report](https://www.cloudflare.com/transparency/).\n \nAs mentioned in our Privacy and Security Policy, Cloudflare's website and services are not intended for, or designed to attract individuals under the age of 18. Due to the Children's Online Privacy Protection Act (COPPA), we cannot accept submissions from children under the age of 13. Reporters under the age of 18 will not be eligible to receive Cloudflare service rewards. We may find another way to recognize your effort at our discretion.\n \nThis program is not open to any individual on, or anyone residing in any country on, any U.S. sanctions lists. Cloudflare employees and their family members are not eligible for bounties.\n \nThe decision to pay a reward is entirely at our discretion. You must not violate any law. You are responsible for any tax implications or additional restrictions depending on your country and local law. We reserve the right to cancel this program at any time.\n \n# Legal Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we may take steps to make it known that your actions were conducted in compliance with this policy in our sole discretion. Cloudflare cannot authorize any activity on third-party products or guarantee they won’t pursue legal action against you. 
We aren’t responsible for your liability from actions performed on third parties.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-09-27T22:00:22.473Z"},{"id":3677741,"new_policy":"# Our Values\nCloudflare appreciates the work of security researchers, and we take security, trust, and transparency seriously. We developed a program to make it easier to report vulnerabilities to Cloudflare and to recognize you for your efforts to make the Internet a better place.\n\nFor research into our products, good starting points include our [Developer documentation](https://developers.cloudflare.com/docs/), [API documentation](https://api.cloudflare.com/#getting-started-endpoints), the [Learning Center](https://www.cloudflare.com/learning/), and any material on the [Cloudflare support forums](https://community.cloudflare.com/).\n \n# Rewards\nCloudflare awards bounties based on severity using the Common Vulnerability Scoring Standard (CVSS) version 3.\n \nPlease note that these are general guidelines for rewards, and that reward decisions are at the discretion of Cloudflare. Issues may receive a lower severity rating due to mitigating factors, Cloudflare’s assessment of business risk, or other context. 
All pricing is in USD.\n \n| Severity |  Critical (9.0 - 10.0) | High (7.0 - 8.9) | Medium (4.0 - 6.9)  |   Low (0.1 - 3.9)  |\n| --- | --- | --- | --- | --- |\n| **Primary Targets**  | $3,000   |  $1,000   |  $500   | $250 |\n| **Secondary Targets**  |  $2,700    |  $750   |  $350   |   $200  |\n|**Other** | $2,100 | $500 | $200 | $100 |\n\nMemory corruption reports in [workerd](https://github.com/cloudflare/workerd) will be awarded $10,000.\n\n**Note:** WAF Bypasses may be awarded up to $50 at the program's discretion.\n\n# Response Times\n* First Response: 2 days \n* Time to Triage: 2 days\n* Time to Bounty: 10 days\n* Time to Resolution: depends on severity and complexity\n\n# Collaborate with other hackers!\nIf your report is the product of collaboration, please add your collaborators before a bounty is awarded. [Let us know here](https://docs.google.com/forms/d/e/1FAIpQLSdGCbnBDcATSFeByRG0f5pBMRpEAzuJ0wXPC3jlscp3F7qOwg/viewform?urp=gmail_link) if you have questions!\n \n# Program Rules\n* By participating in this program, you agree to not discuss or otherwise disclose your ongoing work under this program or any vulnerabilities with parties outside of the program without explicit consent from Cloudflare, except as provided below.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward. 
Eligibility for rewards is at Cloudflare’s sole discretion.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities in order to demonstrate impact.\n* Once you find a vulnerability, report it and reach out to us before pivoting \n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded only one bounty.\n* Do not store any Cloudflare IP or PII information once the report is submitted\n \n# Scope\nPlease see our classifications for primary targets and secondary targets. We may still reward reports with significant security impact on anything owned by Cloudflare, so we encourage you to report such bugs via this program.\n \n## Scope: Primary Targets\nProducts listed under the Cloudflare Products tab on [our website](https://www.cloudflare.com/) are in scope as a primary target, excluding our China network which is hosted by a partner. 
Current in scope products include:\n* [Stream](https://developers.cloudflare.com/stream/getting-started/)\n* [1.1.1.1 resolver](https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/)\n* 1.1.1.1/WARP Android and iOS apps\n* [Magic Transit](https://developers.cloudflare.com/magic-transit/)\n* [Cloudflare Pages](https://pages.cloudflare.com/)\n* [Cloudflare Workers](https://developers.cloudflare.com/workers/)\n* [Argo/Argo tunnel](https://developers.cloudflare.com/argo-tunnel/quickstart/)\n* [Spectrum](https://developers.cloudflare.com/spectrum/getting-started/)\n* [Load Balancing](https://developers.cloudflare.com/load-balancing/about/)\n* AMP Real URL\n* CDNJS\n* [Bot Management](https://developers.cloudflare.com/bots/)\n* Cloudflare Marketplace (platform only)*\n* [WAF](https://developers.cloudflare.com/waf/change-log/)\n* [Cloudflare for Teams](https://www.cloudflare.com/teams/)\n* [workerd](https://github.com/cloudflare/workerd)\n \n*Cloudflare Marketplace scope only covers the platform for browsing and enabling apps onto customer zones. Issues with apps on the marketplace that are created by third parties are out of scope, but may be reviewed on a case-by-case basis at Cloudflare’s discretion.\n \n## Scope: Secondary Targets\n* dash.cloudflare.com\n* APIs listed on api.cloudflare.com\n \n## Scope: Other\n*  *.cloudflare.com (e.g. blog.cloudflare.com, www.cloudflare.com, etc.)\n* Open source products created by Cloudflare (github.com/cloudflare)\n* Anything owned by Cloudflare not listed in primary targets (e.g. cloudflareworkers.com, rpki.cloudflare.com, etc.)\n \n \n# Ineligible Vulnerability Types\nCloudflare does not consider the following to be eligible vulnerabilities under this program. In most cases, these issues will be closed as **Not Applicable:**\n\n## XSS in Cloudflare workers\nThe entire purpose of Workers is to allow customers to run their own Javascript, called from their website. 
As a consequence, it will be possible for visitors to the site to explicitly call those functions. However, Workers runs in an Iframe sandbox, disconnected from the rest of the customer's website. XSS attacks only impact security if they can run in the context of  dash.cloudflare.com or any domain where it affects the currently logged-in Cloudflare user.\n(https://sites.google.com/site/bughunteruniversity/nonvuln/xss-in-sandbox-domain)\n\n## Security issue on origin server\nA vulnerability is out of scope if it exists on the origin server and not in a service that Cloudflare provides. If an exploit relies on the reporter configuring their origin in an insecure and non-default/uncommon way (for example, think cache-poisoning, subdomain takeovers, etc.), we cannot fix the vulnerability.\n\n## Social Engineering\nAny form of social engineering attack will be considered out of scope. For example:\n* Pre-authenticated Clickjacking\n* Phishing\n* Impersonating Cloudflare in emails\n* Convincing customer support to do something on behalf of another user\n\n## WAF Bypasses\nWe consider WAF bypasses an enhancement to our WAF product rather than bugs, and any related reports will be closed out as Informational. All WAF bypass reports need to be reproducible on our test site https://waf.cumulusfire.net/xss. You are free to use this site for testing.\n \n## Broken Links and abandoned cloud resources\nWe consider fixes for reported broken links, including links to abandoned cloud resources, as enhancements to our products and websites rather than bugs. Reports of broken links will not be awarded. Cloud resource takeovers will be awarded a payout of $50 unless an actual vulnerability is demonstrated by a proof-of-concept. If a PoC is provided, it will be awarded in accordance with the standard rewards table.\n\n# Out of Scope\nWe will accept out of scope reports and evaluate them on a case-by-case basis in our sole discretion. 
\n\nThe following issues are considered out of scope:\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Subdomain takeovers under *.cdn.cloudflare.net\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing Best Practice, Configuration or Policy Suggestions including SSL/TLS configurations.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Output from Automated Scanners without a PoC to demonstrate a specific vulnerability.\n* Lack of Secure or HttpOnly flag on non-sensitive cookies.\n* Email configuration issues without a PoC to demonstrate a specific flaw.\n* Broken links without demonstrating an attack.\n* SaaS applications, even if published under the cloudflare.com domain. \n* Open redirects without demonstrating an attack.\n \nNote: We have identified a problem in our sanitization library on dash.cloudflare.com which can cause XSS. We are aware of the issue and are working to fix it. We will not award bounties for XSS reported on dash.cloudflare.com as it would be a duplicate report. Thank you to the researchers who originally reported this issue. This note will be removed once the issue is fixed.\n \nNote: Mobilesdk is a product that we are sunsetting. 
Bounty for reports on this product will be awarded on a case-by-case basis at our sole discretion.\nAny of the activities below will result in disqualification from the program permanently:\n* Social engineering of Cloudflare employees, contractors, vendors, or service providers.\n* Physical attacks against Cloudflare employees, offices, and data centers.\n* Any Denial of Service attacks against Cloudflare and our products.\n* Any vulnerability obtained through the compromise of a Cloudflare customer or employee account. Please create a free account to test potential vulnerabilities. \n* Attempts to access/compromise customer assets that use Cloudflare.\n* Attempts to access/compromise Cloudflare's China network.\n* Attempts to access/compromise any 3rd party vendor that Cloudflare uses.\n* Attacks against the integrity of Cloudflare customers.\n \n# Guidelines for Testing\nPlease be considerate when testing our infrastructure. Failure to follow these guidelines will lead to disqualification from the Cloudflare Bug Bounty program.\n* Make sure that scanners have a narrow scope set that is limited to authorized Cloudflare IPs only. Aggressive, overly broad scans or those which include Cloudflare customer IPs without permission will be considered invalid.\n* Do not send unsolicited bulk messages (spam) or unauthorized messages.\n* Do not knowingly post, transmit, upload, link to, or send any malware.\n* Do not attack Cloudflare customers, partners or suppliers.\n* Testing should be done from a Cloudflare account associated with your @wearehackerone.com email address.\n \n# Reporting\nIf you believe you have found a security vulnerability that could impact Cloudflare or our users, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. 
We ask that you follow Cloudflare's [Vulnerability Disclosure Policy](https://www.cloudflare.com/disclosure/) and HackerOne's [Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines) and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research.\n \n# Recommended Report Format\nSubmitting high quality reports is highly encouraged. Please address the following bits of information in your report to demonstrate the quality of the vulnerability. Reports that are low quality and unclear will be closed. This recommended format will help you create a report that is in a readable format and contains all the information needed by Cloudflare.\n* Affected target, feature, or URL:\n* Description of problem:\n* Impact of the issue:\n* Steps to reproduce:\n* Proof of Concept:\n* Is knowledge of this issue currently public?\n \n# Eligibility \nIn order for your submission to be eligible:\n* You must agree to this policy.\n* You must be the first person to responsibly disclose an unknown issue.\n* Follow the testing guidelines set above.\n* All attacks must be executed against your own test environment. You can sign up for a free Cloudflare account and use it for testing. **DO NOT ATTACK CLOUDFLARE'S CUSTOMERS.**\n\nAll legitimate reports will be reviewed and assessed by Cloudflare's security team to determine eligibility.\n\n# Disclosure\n\nWe permit you to disclose your research publicly, subject to our review and approval, once the issue has been resolved or 90 days has passed, whichever comes first. If you are planning to share information about your research publicly at a conference, in a blog, or any other public forum, you agree to share a draft with us for review and approval at least 7 days prior to the publication date. 
The following cannot be included in your publication:\n* Data regarding any Cloudflare customer instances\n* Cloudflare customers' data\n* information about Cloudflare employees, contractors or partners\n \n# Privacy Policy, Restrictions and Taxes\nCloudflare maintains both a [privacy policy](https://www.cloudflare.com/privacypolicy/) and [transparency report](https://www.cloudflare.com/transparency/).\n \nAs mentioned in our Privacy and Security Policy, Cloudflare's website and services are not intended for, or designed to attract individuals under the age of 18. Due to the Children's Online Privacy Protection Act (COPPA), we cannot accept submissions from children under the age of 13. Reporters under the age of 18 will not be eligible to receive Cloudflare service rewards. We may find another way to recognize your effort at our discretion.\n \nThis program is not open to any individual on, or anyone residing in any country on, any U.S. sanctions lists. Cloudflare employees and their family members are not eligible for bounties.\n \nThe decision to pay a reward is entirely at our discretion. You must not violate any law. You are responsible for any tax implications or additional restrictions depending on your country and local law. We reserve the right to cancel this program at any time.\n \n# Legal Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we may take steps to make it known that your actions were conducted in compliance with this policy in our sole discretion. Cloudflare cannot authorize any activity on third-party products or guarantee they won’t pursue legal action against you. 
We aren’t responsible for your liability from actions performed on third parties.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-09-27T17:13:40.253Z"},{"id":3677721,"new_policy":"# Our Values\nCloudflare appreciates the work of security researchers, and we take security, trust, and transparency seriously. We developed a program to make it easier to report vulnerabilities to Cloudflare and to recognize you for your efforts to make the Internet a better place.\n\nFor research into our products, good starting points include our [Developer documentation](https://developers.cloudflare.com/docs/), [API documentation](https://api.cloudflare.com/#getting-started-endpoints), the [Learning Center](https://www.cloudflare.com/learning/), and any material on the [Cloudflare support forums](https://community.cloudflare.com/).\n \n# Rewards\nCloudflare awards bounties based on severity using the Common Vulnerability Scoring Standard (CVSS) version 3.\n \nPlease note that these are general guidelines for rewards, and that reward decisions are at the discretion of Cloudflare. Issues may receive a lower severity rating due to mitigating factors, Cloudflare’s assessment of business risk, or other context. 
All pricing is in USD.\n \n| Severity |  Critical (9.0 - 10.0) | High (7.0 - 8.9) | Medium (4.0 - 6.9)  |   Low (0.1 - 3.9)  |\n| --- | --- | --- | --- | --- |\n| **Primary Targets**  | $3,000   |  $1,000   |  $500   | $250 |\n| **Secondary Targets**  |  $2,700    |  $750   |  $350   |   $200  |\n|**Other** | $2,100 | $500 | $200 | $100 |\n\nMemory corruption reports in [workerd](https://github.com/cloudflare/workerd) will be awarded $10,000.\n\n**Note:** WAF Bypasses may be awarded up to $50 at the program's discretion.\n\n# Response Times\n* First Response: 2 days \n* Time to Triage: 2 days\n* Time to Bounty: 10 days\n* Time to Resolution: depends on severity and complexity\n\n# Collaborate with other hackers!\nIf your report is the product of collaboration, please add your collaborators before a bounty is awarded. [Let us know here](https://docs.google.com/forms/d/e/1FAIpQLSdGCbnBDcATSFeByRG0f5pBMRpEAzuJ0wXPC3jlscp3F7qOwg/viewform?urp=gmail_link) if you have questions!\n \n# Program Rules\n* By participating in this program, you agree to not discuss or otherwise disclose your ongoing work under this program or any vulnerabilities with parties outside of the program without explicit consent from Cloudflare, except as provided below.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward. 
Eligibility for rewards is at Cloudflare’s sole discretion.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities in order to demonstrate impact.\n* Once you find a vulnerability, report it and reach out to us before pivoting \n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded only one bounty.\n* Do not store any Cloudflare IP or PII information once the report is submitted\n \n# Scope\nPlease see our classifications for primary targets and secondary targets. We may still reward reports with significant security impact on anything owned by Cloudflare, so we encourage you to report such bugs via this program.\n \n## Scope: Primary Targets\nProducts listed under the Cloudflare Products tab on [our website](https://www.cloudflare.com/) are in scope as a primary target, excluding our China network which is hosted by a partner. 
Current in scope products include:\n* [Stream](https://developers.cloudflare.com/stream/getting-started/)\n* [1.1.1.1 resolver](https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/)\n* 1.1.1.1/WARP Android and iOS apps\n* [Magic Transit](https://developers.cloudflare.com/magic-transit/)\n* [Cloudflare Pages](https://pages.cloudflare.com/)\n* [Cloudflare Workers](https://developers.cloudflare.com/workers/)\n* [Argo/Argo tunnel](https://developers.cloudflare.com/argo-tunnel/quickstart/)\n* [Spectrum](https://developers.cloudflare.com/spectrum/getting-started/)\n* [Load Balancing](https://developers.cloudflare.com/load-balancing/about/)\n* AMP Real URL\n* CDNJS\n* [Bot Management](https://developers.cloudflare.com/bots/)\n* Cloudflare Marketplace (platform only)*\n* [WAF](https://developers.cloudflare.com/waf/change-log/)\n* [Cloudflare for Teams](https://www.cloudflare.com/teams/)\n \n*Cloudflare Marketplace scope only covers the platform for browsing and enabling apps onto customer zones. Issues with apps on the marketplace that are created by third parties are out of scope, but may be reviewed on a case-by-case basis at Cloudflare’s discretion.\n \n## Scope: Secondary Targets\n* dash.cloudflare.com\n* APIs listed on api.cloudflare.com\n \n## Scope: Other\n*  *.cloudflare.com (e.g. blog.cloudflare.com, www.cloudflare.com, etc.)\n* Open source products created by Cloudflare (github.com/cloudflare)\n* Anything owned by Cloudflare not listed in primary targets (e.g. cloudflareworkers.com, rpki.cloudflare.com, etc.)\n \n \n# Ineligible Vulnerability Types\nCloudflare does not consider the following to be eligible vulnerabilities under this program. In most cases, these issues will be closed as **Not Applicable:**\n\n## XSS in Cloudflare workers\nThe entire purpose of Workers is to allow customers to run their own Javascript, called from their website. As a consequence, it will be possible for visitors to the site to explicitly call those functions. 
However, Workers runs in an Iframe sandbox, disconnected from the rest of the customer's website. XSS attacks only impact security if they can run in the context of  dash.cloudflare.com or any domain where it affects the currently logged-in Cloudflare user.\n(https://sites.google.com/site/bughunteruniversity/nonvuln/xss-in-sandbox-domain)\n\n## Security issue on origin server\nA vulnerability is out of scope if it exists on the origin server and not in a service that Cloudflare provides. If an exploit relies on the reporter configuring their origin in an insecure and non-default/uncommon way (for example, think cache-poisoning, subdomain takeovers, etc.), we cannot fix the vulnerability.\n\n## Social Engineering\nAny form of social engineering attack will be considered out of scope. For example:\n* Pre-authenticated Clickjacking\n* Phishing\n* Impersonating Cloudflare in emails\n* Convincing customer support to do something on behalf of another user\n\n## WAF Bypasses\nWe consider WAF bypasses an enhancement to our WAF product rather than bugs, and any related reports will be closed out as Informational. All WAF bypass reports need to be reproducible on our test site https://waf.cumulusfire.net/xss. You are free to use this site for testing.\n \n## Broken Links and abandoned cloud resources\nWe consider fixes for reported broken links, including links to abandoned cloud resources, as enhancements to our products and websites rather than bugs. Reports of broken links will not be awarded. Cloud resource takeovers will be awarded a payout of $50 unless an actual vulnerability is demonstrated by a proof-of-concept. If a PoC is provided, it will be awarded in accordance with the standard rewards table.\n\n# Out of Scope\nWe will accept out of scope reports and evaluate them on a case-by-case basis in our sole discretion. 
\n\nThe following issues are considered out of scope:\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Subdomain takeovers under *.cdn.cloudflare.net\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing Best Practice, Configuration or Policy Suggestions including SSL/TLS configurations.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Output from Automated Scanners without a PoC to demonstrate a specific vulnerability.\n* Lack of Secure or HttpOnly flag on non-sensitive cookies.\n* Email configuration issues without a PoC to demonstrate a specific flaw.\n* Broken links without demonstrating an attack.\n* SaaS applications, even if published under the cloudflare.com domain. \n* Open redirects without demonstrating an attack.\n \nNote: We have identified a problem in our sanitization library on dash.cloudflare.com which can cause XSS. We are aware of the issue and are working to fix it. We will not award bounties for XSS reported on dash.cloudflare.com as it would be a duplicate report. Thank you to the researchers who originally reported this issue. This note will be removed once the issue is fixed.\n \nNote: Mobilesdk is a product that we are sunsetting. 
Bounty for reports on this product will be awarded on a case-by-case basis at our sole discretion.\nAny of the activities below will result in disqualification from the program permanently:\n* Social engineering of Cloudflare employees, contractors, vendors, or service providers.\n* Physical attacks against Cloudflare employees, offices, and data centers.\n* Any Denial of Service attacks against Cloudflare and our products.\n* Any vulnerability obtained through the compromise of a Cloudflare customer or employee account. Please create a free account to test potential vulnerabilities. \n* Attempts to access/compromise customer assets that use Cloudflare.\n* Attempts to access/compromise Cloudflare's China network.\n* Attempts to access/compromise any 3rd party vendor that Cloudflare uses.\n* Attacks against the integrity of Cloudflare customers.\n \n# Guidelines for Testing\nPlease be considerate when testing our infrastructure. Failure to follow these guidelines will lead to disqualification from the Cloudflare Bug Bounty program.\n* Make sure that scanners have a narrow scope set that is limited to authorized Cloudflare IPs only. Aggressive, overly broad scans or those which include Cloudflare customer IPs without permission will be considered invalid.\n* Do not send unsolicited bulk messages (spam) or unauthorized messages.\n* Do not knowingly post, transmit, upload, link to, or send any malware.\n* Do not attack Cloudflare customers, partners or suppliers.\n* Testing should be done from a Cloudflare account associated with your @wearehackerone.com email address.\n \n# Reporting\nIf you believe you have found a security vulnerability that could impact Cloudflare or our users, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. 
We ask that you follow Cloudflare's [Vulnerability Disclosure Policy](https://www.cloudflare.com/disclosure/) and HackerOne's [Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines) and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research.\n \n# Recommended Report Format\nSubmitting high quality reports is highly encouraged. Please address the following bits of information in your report to demonstrate the quality of the vulnerability. Reports that are low quality and unclear will be closed. This recommended format will help you create a report that is in a readable format and contains all the information needed by Cloudflare.\n* Affected target, feature, or URL:\n* Description of problem:\n* Impact of the issue:\n* Steps to reproduce:\n* Proof of Concept:\n* Is knowledge of this issue currently public?\n \n# Eligibility \nIn order for your submission to be eligible:\n* You must agree to this policy.\n* You must be the first person to responsibly disclose an unknown issue.\n* Follow the testing guidelines set above.\n* All attacks must be executed against your own test environment. You can sign up for a free Cloudflare account and use it for testing. **DO NOT ATTACK CLOUDFLARE'S CUSTOMERS.**\n\nAll legitimate reports will be reviewed and assessed by Cloudflare's security team to determine eligibility.\n\n# Disclosure\n\nWe permit you to disclose your research publicly, subject to our review and approval, once the issue has been resolved or 90 days has passed, whichever comes first. If you are planning to share information about your research publicly at a conference, in a blog, or any other public forum, you agree to share a draft with us for review and approval at least 7 days prior to the publication date. 
The following cannot be included in your publication:\n* Data regarding any Cloudflare customer instances\n* Cloudflare customers' data\n* information about Cloudflare employees, contractors or partners\n \n# Privacy Policy, Restrictions and Taxes\nCloudflare maintains both a [privacy policy](https://www.cloudflare.com/privacypolicy/) and [transparency report](https://www.cloudflare.com/transparency/).\n \nAs mentioned in our Privacy and Security Policy, Cloudflare's website and services are not intended for, or designed to attract individuals under the age of 18. Due to the Children's Online Privacy Protection Act (COPPA), we cannot accept submissions from children under the age of 13. Reporters under the age of 18 will not be eligible to receive Cloudflare service rewards. We may find another way to recognize your effort at our discretion.\n \nThis program is not open to any individual on, or anyone residing in any country on, any U.S. sanctions lists. Cloudflare employees and their family members are not eligible for bounties.\n \nThe decision to pay a reward is entirely at our discretion. You must not violate any law. You are responsible for any tax implications or additional restrictions depending on your country and local law. We reserve the right to cancel this program at any time.\n \n# Legal Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we may take steps to make it known that your actions were conducted in compliance with this policy in our sole discretion. Cloudflare cannot authorize any activity on third-party products or guarantee they won’t pursue legal action against you. 
We aren’t responsible for your liability from actions performed on third parties.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-09-27T13:35:41.914Z"},{"id":3677511,"new_policy":"# Our Values\nCloudflare appreciates the work of security researchers, and we take security, trust, and transparency seriously. We developed a program to make it easier to report vulnerabilities to Cloudflare and to recognize you for your efforts to make the Internet a better place.\n\nFor research into our products, good starting points include our [Developer documentation](https://developers.cloudflare.com/docs/), [API documentation](https://api.cloudflare.com/#getting-started-endpoints), the [Learning Center](https://www.cloudflare.com/learning/), and any material on the [Cloudflare support forums](https://community.cloudflare.com/).\n \n# Rewards\nCloudflare awards bounties based on severity using the Common Vulnerability Scoring Standard (CVSS) version 3.\n \nPlease note that these are general guidelines for rewards, and that reward decisions are at the discretion of Cloudflare. Issues may receive a lower severity rating due to mitigating factors, Cloudflare’s assessment of business risk, or other context. 
All pricing is in USD.\n \n| Severity |  Critical (9.0 - 10.0) | High (7.0 - 8.9) | Medium (4.0 - 6.9)  |   Low (0.1 - 3.9)  |\n| --- | --- | --- | --- | --- |\n| **Primary Targets**  | $3,000   |  $1,000   |  $500   | $250 |\n| **Secondary Targets**  |  $2,700    |  $750   |  $350   |   $200  |\n|**Other** | $2,100 | $500 | $200 | $100 |\n\n**Note:** WAF Bypasses may be awarded up to $50 at the program's discretion.\n\n# Response Times\n* First Response: 2 days \n* Time to Triage: 2 days\n* Time to Bounty: 10 days\n* Time to Resolution: depends on severity and complexity\n\n# Collaborate with other hackers!\nIf your report is the product of collaboration, please add your collaborators before a bounty is awarded. [Let us know here](https://docs.google.com/forms/d/e/1FAIpQLSdGCbnBDcATSFeByRG0f5pBMRpEAzuJ0wXPC3jlscp3F7qOwg/viewform?urp=gmail_link) if you have questions!\n \n# Program Rules\n* By participating in this program, you agree to not discuss or otherwise disclose your ongoing work under this program or any vulnerabilities with parties outside of the program without explicit consent from Cloudflare, except as provided below.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward. Eligibility for rewards is at Cloudflare’s sole discretion.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities in order to demonstrate impact.\n* Once you find a vulnerability, report it and reach out to us before pivoting \n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded only one bounty.\n* Do not store any Cloudflare IP or PII information once the report is submitted\n \n# Scope\nPlease see our classifications for primary targets and secondary targets. 
We may still reward reports with significant security impact on anything owned by Cloudflare, so we encourage you to report such bugs via this program.\n \n## Scope: Primary Targets\nProducts listed under the Cloudflare Products tab on [our website](https://www.cloudflare.com/) are in scope as a primary target, excluding our China network which is hosted by a partner. Current in scope products include:\n* [Stream](https://developers.cloudflare.com/stream/getting-started/)\n* [1.1.1.1 resolver](https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/)\n* 1.1.1.1/WARP Android and iOS apps\n* [Magic Transit](https://developers.cloudflare.com/magic-transit/)\n* [Cloudflare Pages](https://pages.cloudflare.com/)\n* [Cloudflare Workers](https://developers.cloudflare.com/workers/)\n* [Argo/Argo tunnel](https://developers.cloudflare.com/argo-tunnel/quickstart/)\n* [Spectrum](https://developers.cloudflare.com/spectrum/getting-started/)\n* [Load Balancing](https://developers.cloudflare.com/load-balancing/about/)\n* AMP Real URL\n* CDNJS\n* [Bot Management](https://developers.cloudflare.com/bots/)\n* Cloudflare Marketplace (platform only)*\n* [WAF](https://developers.cloudflare.com/waf/change-log/)\n* [Cloudflare for Teams](https://www.cloudflare.com/teams/)\n \n*Cloudflare Marketplace scope only covers the platform for browsing and enabling apps on to customer zones. Issues with apps on the marketplace that are created by third parties and are out of scope, but may be reviewed on a case-by-case basis at Cloudflare’s discretion.\n \n## Scope: Secondary Targets\n* dash.cloudflare.com\n* APIs listed on api.cloudflare.com\n \n## Scope: Other\n*  *.cloudflare.com (e.g. blog.cloudflare.com, www.cloudflare.com, etc.)\n* Open source products created by Cloudflare (github.com/cloudflare)\n* Anything owned by Cloudflare not listed in primary targets (e.g. 
cloudflareworkers.com, rpki.cloudflare.com, etc.)\n \n \n# Ineligible Vulnerability Types\nCloudflare does not consider the following to be eligible vulnerabilities under this program. In most cases, these issues will be closed as **Not Applicable:**\n\n## XSS in Cloudflare workers\nThe entire purpose of Workers is to allow customers to run their own Javascript, called from their website. As a consequence, it will be possible for visitors to the site to explicitly call those functions. However, Workers runs in an Iframe sandbox, disconnected from the rest of the customer's website. XSS attacks only impact security if they can run in the context of  dash.cloudflare.com or any domain where it affects the currently logged-in Cloudflare user.\n(https://sites.google.com/site/bughunteruniversity/nonvuln/xss-in-sandbox-domain)\n\n## Security issue on origin server\nA vulnerability is out of scope if it exists on the origin server and not in a service that Cloudflare provides. If an exploit relies on the reporter configuring their origin in an insecure and non-default/uncommon way (for example, think cache-poisoning, subdomain takeovers, etc.), we cannot fix the vulnerability.\n\n## Social Engineering\nAny form of social engineering attack will be considered out of scope. For example:\n* Pre-authenticated Clickjacking\n* Phishing\n* Impersonating Cloudflare in emails\n* Convincing customer support to do something on behalf of another user\n\n## WAF Bypasses\nWe consider WAF bypasses an enhancement to our WAF product rather than bugs, and any related reports will be closed out as Informational. All WAF bypass reports need to be reproducible on our test site https://waf.cumulusfire.net/xss. You are free to use this site for testing.\n \n## Broken Links and abandoned cloud resources\nWe consider fixes for reported broken links, including links to abandoned cloud resources, as enhancements to our products and websites rather than bugs. 
Reports of broken links will not be awarded. Cloud resource takeovers will be awarded a payout of $50 unless an actual vulnerability is demonstrated by a proof-of-concept. If a PoC is provided, it will be awarded in accordance with the standard rewards table.\n\n# Out of Scope\nWe will accept out of scope reports and evaluate them on a case-by-case basis in our sole discretion. \n\nThe following issues are considered out of scope:\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Subdomain takeovers under *.cdn.cloudflare.net\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing Best Practice, Configuration or Policy Suggestions including SSL/TLS configurations.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Output from Automated Scanners without a PoC to demonstrate a specific vulnerability.\n* Lack of Secure or HTTP only flag on non-sensitive cookies.\n* Email configuration issues without a PoC to demonstrate a specific flaw.\n* Broken links without demonstrating an attack\n* SaaS applications, even if published under the cloudflare.com domain. \n* Open redirects without demonstrating an attack\n \nNote: We have identified a problem in our sanitization library on dash.cloudflare.com which can cause XSS. We are aware of the issue and are working to fix it. We will not award bounties for XSS reported on dash.cloudflare.com as it would be a duplicate report. Thank you to the researchers who originally reported this issue. This note will be removed once the issue is fixed.\n \nNote: Mobilesdk is a product that we are sunsetting. 
Bounty for reports on this product will be awarded on a case-by-case basis at our sole discretion.\nAny of the activities below will result in disqualification from the program permanently:\n* Social engineering of Cloudflare employees, contractors, vendors, or service providers.\n* Physical attacks against Cloudflare employees, offices, and data centers.\n* Any Denial of Service attacks against Cloudflare and our products.\n* Any vulnerability obtained through the compromise of a Cloudflare customer or employee account. Please create a free account to test potential vulnerabilities. \n* Attempts to access/compromise customer assets that use Cloudflare.\n* Attempts to access/compromise Cloudflare's China network.\n* Attempts to access/compromise any 3rd party vendor that Cloudflare uses.\n* Attacks against the integrity of Cloudflare customers.\n \n# Guidelines for Testing\nPlease be considerate when testing our infrastructure. Failure to follow these guidelines will lead to disqualification from the Cloudflare Bug Bounty program.\n* Make sure that scanners have a narrow scope set that is limited to authorized Cloudflare IPs only. Aggressive, overly broad scans or those which include Cloudflare customer IPs without permission will be considered invalid.\n* Do not send unsolicited bulk messages (spam) or unauthorized messages.\n* Do not knowingly post, transmit, upload, link to, or send any malware.\n* Do not attack Cloudflare customers, partners or suppliers.\n* Testing should be done from a Cloudflare account associated with your @wearehackerone.com email address.\n \n# Reporting\nIf you believe you have found a security vulnerability that could impact Cloudflare or our users, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. 
We ask that you follow Cloudflare's [Vulnerability Disclosure Policy](https://www.cloudflare.com/disclosure/) and HackerOne's [Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines) and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research.\n \n# Recommended Report Format\nSubmitting high quality reports is highly encouraged. Please address the following bits of information in your report to demonstrate the quality of the vulnerability. Reports that are low quality and unclear will be closed. This recommended format will help you create a report that is in a readable format and contains all the information needed by Cloudflare.\n* Affected target, feature, or URL:\n* Description of problem:\n* Impact of the issue:\n* Steps to reproduce:\n* Proof of Concept:\n* Is knowledge of this issue currently public?\n \n# Eligibility \nIn order for your submission to be eligible:\n* You must agree to this policy.\n* You must be the first person to responsibly disclose an unknown issue.\n* Follow the testing guidelines set above.\n* All attacks must be executed against your own test environment. You can sign up for a free Cloudflare account and use it for testing. **DO NOT ATTACK CLOUDFLARE'S CUSTOMERS.**\n\nAll legitimate reports will be reviewed and assessed by Cloudflare's security team to determine eligibility.\n\n# Disclosure\n\nWe permit you to disclose your research publicly, subject to our review and approval, once the issue has been resolved or 90 days has passed, whichever comes first. If you are planning to share information about your research publicly at a conference, in a blog, or any other public forum, you agree to share a draft with us for review and approval at least 7 days prior to the publication date. 
The following cannot be included in your publication:\n* Data regarding any Cloudflare customer instances\n* Cloudflare customers' data\n* information about Cloudflare employees, contractors or partners\n \n# Privacy Policy, Restrictions and Taxes\nCloudflare maintains both a [privacy policy](https://www.cloudflare.com/privacypolicy/) and [transparency report](https://www.cloudflare.com/transparency/).\n \nAs mentioned in our Privacy and Security Policy, Cloudflare's website and services are not intended for, or designed to attract individuals under the age of 18. Due to the Children's Online Privacy Protection Act (COPPA), we cannot accept submissions from children under the age of 13. Reporters under the age of 18 will not be eligible to receive Cloudflare service rewards. We may find another way to recognize your effort at our discretion.\n \nThis program is not open to any individual on, or anyone residing in any country on, any U.S. sanctions lists. Cloudflare employees and their family members are not eligible for bounties.\n \nThe decision to pay a reward is entirely at our discretion. You must not violate any law. You are responsible for any tax implications or additional restrictions depending on your country and local law. We reserve the right to cancel this program at any time.\n \n# Legal Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we may take steps to make it known that your actions were conducted in compliance with this policy in our sole discretion. Cloudflare cannot authorize any activity on third-party products or guarantee they won’t pursue legal action against you. 
We aren’t responsible for your liability from actions performed on third parties.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-09-21T10:32:46.474Z"},{"id":3677260,"new_policy":"# Our Values\nCloudflare appreciates the work of security researchers, and we take security, trust, and transparency seriously. We developed a program to make it easier to report vulnerabilities to Cloudflare and to recognize you for your efforts to make the Internet a better place.\n\nFor research into our products, good starting points include our [Developer documentation](https://developers.cloudflare.com/docs/), [API documentation](https://api.cloudflare.com/#getting-started-endpoints), the [Learning Center](https://www.cloudflare.com/learning/), and any material on the [Cloudflare support forums](https://community.cloudflare.com/).\n \n# Rewards\nCloudflare awards bounties based on severity using the Common Vulnerability Scoring Standard (CVSS) version 3.\n \nPlease note that these are general guidelines for rewards, and that reward decisions are at the discretion of Cloudflare. Issues may receive a lower severity rating due to mitigating factors, Cloudflare’s assessment of business risk, or other context. 
All pricing is in USD.\n \n| Severity |  Critical (9.0 - 10.0) | High (7.0 - 8.9) | Medium (4.0 - 6.9)  |   Low (0.1 - 3.9)  |\n| --- | --- | --- | --- | --- |\n| **Primary Targets**  | $3,000   |  $1,000   |  $500   | $250 |\n| **Secondary Targets**  |  $2,700    |  $750   |  $350   |   $200  |\n|**Other** | $2,100 | $500 | $200 | $100 |\n\n**Note:** WAF Bypasses may be awarded up to $50 at the program's discretion.\n\n# Response Times\n* First Response: 2 days \n* Time to Triage: 2 days\n* Time to Bounty: 10 days\n* Time to Resolution: depends on severity and complexity\n\n# Collaborate with other hackers!\nIf your report is the product of collaboration, please add your collaborators before a bounty is awarded. [Let us know here](https://docs.google.com/forms/d/e/1FAIpQLSdGCbnBDcATSFeByRG0f5pBMRpEAzuJ0wXPC3jlscp3F7qOwg/viewform?urp=gmail_link) if you have questions!\n \n# Program Rules\n* By participating in this program, you agree to not discuss or otherwise disclose your ongoing work under this program or any vulnerabilities with parties outside of the program without explicit consent from Cloudflare, except as provided below.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward. Eligibility for rewards is at Cloudflare’s sole discretion.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities in order to demonstrate impact.\n* Once you find a vulnerability, report it and reach out to us before pivoting \n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded only one bounty.\n* Do not store any Cloudflare IP or PII information once the report is submitted\n \n# Scope\nPlease see our classifications for primary targets and secondary targets. 
We may still reward reports with significant security impact on anything owned by Cloudflare, so we encourage you to report such bugs via this program.\n \n## Scope: Primary Targets\nProducts listed under the Cloudflare Products tab on [our website](https://www.cloudflare.com/) are in scope as a primary target, excluding our China network which is hosted by a partner. Current in scope products include:\n* [Stream](https://developers.cloudflare.com/stream/getting-started/)\n* [1.1.1.1 resolver](https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/)\n* 1.1.1.1/WARP Android and iOS apps\n* [Magic Transit](https://developers.cloudflare.com/magic-transit/)\n* [Cloudflare Pages](https://pages.cloudflare.com/)\n* [Cloudflare Workers](https://developers.cloudflare.com/workers/)\n* [Argo/Argo tunnel](https://developers.cloudflare.com/argo-tunnel/quickstart/)\n* [Spectrum](https://developers.cloudflare.com/spectrum/getting-started/)\n* [Load Balancing](https://developers.cloudflare.com/load-balancing/about/)\n* AMP Real URL\n* CDNJS\n* [Bot Management](https://developers.cloudflare.com/bots/)\n* Cloudflare Marketplace (platform only)*\n* [WAF](https://developers.cloudflare.com/waf/change-log/)\n* [Cloudflare for Teams](https://www.cloudflare.com/teams/)\n \n*Cloudflare Marketplace scope only covers the platform for browsing and enabling apps on to customer zones. Issues with apps on the marketplace that are created by third parties and are out of scope, but may be reviewed on a case-by-case basis at Cloudflare’s discretion.\n \n## Scope: Secondary Targets\n* dash.cloudflare.com\n* APIs listed on api.cloudflare.com\n \n## Scope: Other\n*  *.cloudflare.com (e.g. blog.cloudflare.com, www.cloudflare.com, etc.)\n* Open source products created by Cloudflare (github.com/cloudflare)\n* Anything owned by Cloudflare not listed in primary targets (e.g. 
cloudflareworkers.com, rpki.cloudflare.com, etc.)\n \n \n# Ineligible Vulnerability Types\nCloudflare does not consider the following to be eligible vulnerabilities under this program. In most cases, these issues will be closed as **Not Applicable:**\n\n## XSS in Cloudflare workers\nThe entire purpose of Workers is to allow customers to run their own Javascript, called from their website. As a consequence, it will be possible for visitors to the site to explicitly call those functions. However, Workers runs in an Iframe sandbox, disconnected from the rest of the customer's website. XSS attacks only impact security if they can run in the context of  dash.cloudflare.com or any domain where it affects the currently logged-in Cloudflare user.\n(https://sites.google.com/site/bughunteruniversity/nonvuln/xss-in-sandbox-domain)\n\n## Security issue on origin server\nA vulnerability is out of scope if it exists on the origin server and not in a service that Cloudflare provides. If an exploit relies on the reporter configuring their origin in an insecure and non-default/uncommon way (for example, think cache-poisoning, subdomain takeovers, etc.), we cannot fix the vulnerability.\n\n## Social Engineering\nAny form of social engineering attack will be considered out of scope. For example:\n* Pre-authenticated Clickjacking\n* Phishing\n* Impersonating Cloudflare in emails\n* Convincing customer support to do something on behalf of another user\n\n## WAF Bypasses\nWe consider WAF bypasses an enhancement to our WAF product rather than bugs, and any related reports will be closed out as Informational. All WAF bypass reports need to be reproducible on our test site https://waf.cumulusfire.net/xss. You are free to use this site for testing.\n \n## Broken Links and abandoned cloud resources\nWe consider fixes for reported broken links, including links to abandoned cloud resources, as enhancements to our products and websites rather than bugs. 
Reports of broken links will not be awarded. Cloud resource takeovers will be awarded a payout of $50 unless an actual vulnerability is demonstrated by a proof-of-concept. If a PoC is provided, it will be awarded in accordance with the standard rewards table.\n\n# Out of Scope\nWe will accept out of scope reports and evaluate them on a case-by-case basis in our sole discretion. \n\nThe following issues are considered out of scope:\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Subdomain takeovers under *.cdn.cloudflare.net\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing Best Practice, Configuration or Policy Suggestions including SSL/TLS configurations.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Output from Automated Scanners without a PoC to demonstrate a specific vulnerability.\n* Lack of Secure or HTTP only flag on non-sensitive cookies.\n* Email configuration issues without a PoC to demonstrate a specific flaw.\n* Broken links without demonstrating an attack\n* SaaS applications, even if published under the cloudflare.com domain. \n \nNote: We have identified a problem in our sanitization library on dash.cloudflare.com which can cause XSS. We are aware of the issue and are working to fix it. We will not award bounties for XSS reported on dash.cloudflare.com as it would be a duplicate report. Thank you to the researchers who originally reported this issue. This note will be removed once the issue is fixed.\n \nNote: Mobilesdk is a product that we are sunsetting. 
Bounty for reports on this product will be awarded on a case-by-case basis at our sole discretion.\nAny of the activities below will result in disqualification from the program permanently:\n* Social engineering of Cloudflare employees, contractors, vendors, or service providers.\n* Physical attacks against Cloudflare employees, offices, and data centers.\n* Any Denial of Service attacks against Cloudflare and our products.\n* Any vulnerability obtained through the compromise of a Cloudflare customer or employee account. Please create a free account to test potential vulnerabilities. \n* Attempts to access/compromise customer assets that use Cloudflare.\n* Attempts to access/compromise Cloudflare's China network.\n* Attempts to access/compromise any 3rd party vendor that Cloudflare uses.\n* Attacks against the integrity of Cloudflare customers.\n \n# Guidelines for Testing\nPlease be considerate when testing our infrastructure. Failure to follow these guidelines will lead to disqualification from the Cloudflare Bug Bounty program.\n* Make sure that scanners have a narrow scope set that is limited to authorized Cloudflare IPs only. Aggressive, overly broad scans or those which include Cloudflare customer IPs without permission will be considered invalid.\n* Do not send unsolicited bulk messages (spam) or unauthorized messages.\n* Do not knowingly post, transmit, upload, link to, or send any malware.\n* Do not attack Cloudflare customers, partners or suppliers.\n* Testing should be done from a Cloudflare account associated with your @wearehackerone.com email address.\n \n# Reporting\nIf you believe you have found a security vulnerability that could impact Cloudflare or our users, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. 
We ask that you follow Cloudflare's [Vulnerability Disclosure Policy](https://www.cloudflare.com/disclosure/) and HackerOne's [Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines) and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research.\n \n# Recommended Report Format\nSubmitting high quality reports is highly encouraged. Please address the following bits of information in your report to demonstrate the quality of the vulnerability. Reports that are low quality and unclear will be closed. This recommended format will help you create a report that is in a readable format and contains all the information needed by Cloudflare.\n* Affected target, feature, or URL:\n* Description of problem:\n* Impact of the issue:\n* Steps to reproduce:\n* Proof of Concept:\n* Is knowledge of this issue currently public?\n \n# Eligibility \nIn order for your submission to be eligible:\n* You must agree to this policy.\n* You must be the first person to responsibly disclose an unknown issue.\n* Follow the testing guidelines set above.\n* All attacks must be executed against your own test environment. You can sign up for a free Cloudflare account and use it for testing. **DO NOT ATTACK CLOUDFLARE'S CUSTOMERS.**\n\nAll legitimate reports will be reviewed and assessed by Cloudflare's security team to determine eligibility.\n\n# Disclosure\n\nWe permit you to disclose your research publicly, subject to our review and approval, once the issue has been resolved or 90 days has passed, whichever comes first. If you are planning to share information about your research publicly at a conference, in a blog, or any other public forum, you agree to share a draft with us for review and approval at least 7 days prior to the publication date. 
The following cannot be included in your publication:\n* Data regarding any Cloudflare customer instances\n* Cloudflare customers' data\n* information about Cloudflare employees, contractors or partners\n \n# Privacy Policy, Restrictions and Taxes\nCloudflare maintains both a [privacy policy](https://www.cloudflare.com/privacypolicy/) and [transparency report](https://www.cloudflare.com/transparency/).\n \nAs mentioned in our Privacy and Security Policy, Cloudflare's website and services are not intended for, or designed to attract individuals under the age of 18. Due to the Children's Online Privacy Protection Act (COPPA), we cannot accept submissions from children under the age of 13. Reporters under the age of 18 will not be eligible to receive Cloudflare service rewards. We may find another way to recognize your effort at our discretion.\n \nThis program is not open to any individual on, or anyone residing in any country on, any U.S. sanctions lists. Cloudflare employees and their family members are not eligible for bounties.\n \nThe decision to pay a reward is entirely at our discretion. You must not violate any law. You are responsible for any tax implications or additional restrictions depending on your country and local law. We reserve the right to cancel this program at any time.\n \n# Legal Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we may take steps to make it known that your actions were conducted in compliance with this policy in our sole discretion. Cloudflare cannot authorize any activity on third-party products or guarantee they won’t pursue legal action against you. 
We aren’t responsible for your liability from actions performed on third parties.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-09-13T10:31:26.145Z"},{"id":3673186,"new_policy":"# Our Values\nCloudflare appreciates the work of security researchers, and we take security, trust, and transparency seriously. We developed a program to make it easier to report vulnerabilities to Cloudflare and to recognize you for your efforts to make the Internet a better place.\n\nFor research into our products, good starting points include our [Developer documentation](https://developers.cloudflare.com/docs/), [API documentation](https://api.cloudflare.com/#getting-started-endpoints), the [Learning Center](https://www.cloudflare.com/learning/), and any material on the [Cloudflare support forums](https://community.cloudflare.com/).\n \n# Rewards\nCloudflare awards bounties based on severity using the Common Vulnerability Scoring Standard (CVSS) version 3.\n \nPlease note that these are general guidelines for rewards, and that reward decisions are at the discretion of Cloudflare. Issues may receive a lower severity rating due to mitigating factors, Cloudflare’s assessment of business risk, or other context. 
All pricing is in USD.\n \n| Severity |  Critical (9.0 - 10.0) | High (7.0 - 8.9) | Medium (4.0 - 6.9)  |   Low (0.1 - 3.9)  |\n| --- | --- | --- | --- | --- |\n| **Primary Targets**  | $3,000   |  $1,000   |  $500   | $250 |\n| **Secondary Targets**  |  $2,700    |  $750   |  $350   |   $200  |\n|**Other** | $2,100 | $500 | $200 | $100 |\n\n**Note:** WAF Bypasses may be awarded up to $50 at the program's discretion.\n\n# Response Times\n* First Response: 2 days \n* Time to Triage: 2 days\n* Time to Bounty: 10 days\n* Time to Resolution: depends on severity and complexity\n\n# Collaborate with other hackers!\nIf your report is the product of collaboration, please add your collaborators before a bounty is awarded. [Let us know here](https://docs.google.com/forms/d/e/1FAIpQLSdGCbnBDcATSFeByRG0f5pBMRpEAzuJ0wXPC3jlscp3F7qOwg/viewform?urp=gmail_link) if you have questions!\n \n# Program Rules\n* By participating in this program, you agree to not discuss or otherwise disclose your ongoing work under this program or any vulnerabilities with parties outside of the program without explicit consent from Cloudflare, except as provided below.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward. Eligibility for rewards is at Cloudflare’s sole discretion.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities in order to demonstrate impact.\n* Once you find a vulnerability, report it and reach out to us before pivoting \n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded only one bounty.\n* Do not store any Cloudflare IP or PII information once the report is submitted\n \n# Scope\nPlease see our classifications for primary targets and secondary targets. 
We may still reward reports with significant security impact on anything owned by Cloudflare, so we encourage you to report such bugs via this program.\n \n## Scope: Primary Targets\nProducts listed under the Cloudflare Products tab on [our website](https://www.cloudflare.com/) are in scope as a primary target, excluding our China network which is hosted by a partner. Current in scope products include:\n* [Stream](https://developers.cloudflare.com/stream/getting-started/)\n* [1.1.1.1 resolver](https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/)\n* 1.1.1.1/WARP Android and iOS apps\n* [Magic Transit](https://developers.cloudflare.com/magic-transit/)\n* [Cloudflare Pages](https://pages.cloudflare.com/)\n* [Cloudflare Workers](https://developers.cloudflare.com/workers/)\n* [Argo/Argo tunnel](https://developers.cloudflare.com/argo-tunnel/quickstart/)\n* [Spectrum](https://developers.cloudflare.com/spectrum/getting-started/)\n* [Load Balancing](https://developers.cloudflare.com/load-balancing/about/)\n* AMP Real URL\n* CDNJS\n* [Bot Management](https://developers.cloudflare.com/bots/)\n* Cloudflare Marketplace (platform only)*\n* [WAF](https://developers.cloudflare.com/waf/change-log/)\n* [Cloudflare for Teams](https://www.cloudflare.com/teams/)\n \n*Cloudflare Marketplace scope only covers the platform for browsing and enabling apps on to customer zones. Issues with apps on the marketplace that are created by third parties and are out of scope, but may be reviewed on a case-by-case basis at Cloudflare’s discretion.\n \n## Scope: Secondary Targets\n* dash.cloudflare.com\n* APIs listed on api.cloudflare.com\n \n## Scope: Other\n*  *.cloudflare.com (e.g. blog.cloudflare.com, www.cloudflare.com, community.cloudflare.com, etc.)\n* Open source products created by Cloudflare (github.com/cloudflare)\n* Anything owned by Cloudflare not listed in primary targets (e.g. 
cloudflareworkers.com, rpki.cloudflare.com, etc.)\n \n \n# Ineligible Vulnerability Types\nCloudflare does not consider the following to be eligible vulnerabilities under this program. In most cases, these issues will be closed as **Not Applicable:**\n\n## XSS in Cloudflare workers\nThe entire purpose of Workers is to allow customers to run their own Javascript, called from their website. As a consequence, it will be possible for visitors to the site to explicitly call those functions. However, Workers runs in an Iframe sandbox, disconnected from the rest of the customer's website. XSS attacks only impact security if they can run in the context of  dash.cloudflare.com or any domain where it affects the currently logged-in Cloudflare user.\n(https://sites.google.com/site/bughunteruniversity/nonvuln/xss-in-sandbox-domain)\n\n## Security issue on origin server\nA vulnerability is out of scope if it exists on the origin server and not in a service that Cloudflare provides. If an exploit relies on the reporter configuring their origin in an insecure and non-default/uncommon way (for example, think cache-poisoning, subdomain takeovers, etc.), we cannot fix the vulnerability.\n\n## Social Engineering\nAny form of social engineering attack will be considered out of scope. For example:\n* Pre-authenticated Clickjacking\n* Phishing\n* Impersonating Cloudflare in emails\n* Convincing customer support to do something on behalf of another user\n\n## WAF Bypasses\nWe consider WAF bypasses an enhancement to our WAF product rather than bugs, and any related reports will be closed out as Informational. All WAF bypass reports need to be reproducible on our test site https://waf.cumulusfire.net/xss. You are free to use this site for testing.\n \n## Broken Links and abandoned cloud resources\nWe consider fixes for reported broken links, including links to abandoned cloud resources, as enhancements to our products and websites rather than bugs. 
Reports of broken links will not be awarded. Cloud resource takeovers will be awarded a payout of $50 unless an actual vulnerability is demonstrated by a proof-of-concept. If a PoC is provided, it will be awarded in accordance with the standard rewards table.\n\n# Out of Scope\nWe will accept out of scope reports and evaluate them on a case-by-case basis in our sole discretion. \n\nThe following issues are considered out of scope:\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Subdomain takeovers under *.cdn.cloudflare.net\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing Best Practice, Configuration or Policy Suggestions including SSL/TLS configurations.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Output from Automated Scanners without a PoC to demonstrate a specific vulnerability.\n* Lack of Secure or HTTP only flag on non-sensitive cookies.\n* Email configuration issues without a PoC to demonstrate a specific flaw.\n* Broken links without demonstrating an attack\n \nNote: We have identified a problem in our sanitization library on dash.cloudflare.com which can cause XSS. We are aware of the issue and are working to fix it. We will not award bounties for XSS reported on dash.cloudflare.com as it would be a duplicate report. Thank you to the researchers who originally reported this issue. This note will be removed once the issue is fixed.\n \nNote: Mobilesdk is a product that we are sunsetting. 
Bounty for reports on this product will be awarded on a case-by-case basis at our sole discretion.\nAny of the activities below will result in disqualification from the program permanently:\n* Social engineering of Cloudflare employees, contractors, vendors, or service providers.\n* Physical attacks against Cloudflare employees, offices, and data centers.\n* Any Denial of Service attacks against Cloudflare and our products.\n* Any vulnerability obtained through the compromise of a Cloudflare customer or employee account. Please create a free account to test potential vulnerabilities. \n* Attempts to access/compromise customer assets that use Cloudflare.\n* Attempts to access/compromise Cloudflare's China network.\n* Attempts to access/compromise any 3rd party vendor that Cloudflare uses.\n* Attacks against the integrity of Cloudflare customers.\n \n# Guidelines for Testing\nPlease be considerate when testing our infrastructure. Failure to follow these guidelines will lead to disqualification from the Cloudflare Bug Bounty program.\n* Make sure that scanners have a narrow scope set that is limited to authorized Cloudflare IPs only. Aggressive, overly broad scans or those which include Cloudflare customer IPs without permission will be considered invalid.\n* Do not send unsolicited bulk messages (spam) or unauthorized messages.\n* Do not knowingly post, transmit, upload, link to, or send any malware.\n* Do not attack Cloudflare customers, partners or suppliers.\n* Testing should be done from a Cloudflare account associated with your @wearehackerone.com email address.\n \n# Reporting\nIf you believe you have found a security vulnerability that could impact Cloudflare or our users, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. 
We ask that you follow Cloudflare's [Vulnerability Disclosure Policy](https://www.cloudflare.com/disclosure/) and HackerOne's [Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines) and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research.\n \n# Recommended Report Format\nSubmitting high quality reports is highly encouraged. Please address the following bits of information in your report to demonstrate the quality of the vulnerability. Reports that are low quality and unclear will be closed. This recommended format will help you create a report that is in a readable format and contains all the information needed by Cloudflare.\n* Affected target, feature, or URL:\n* Description of problem:\n* Impact of the issue:\n* Steps to reproduce:\n* Proof of Concept:\n* Is knowledge of this issue currently public?\n \n# Eligibility \nIn order for your submission to be eligible:\n* You must agree to this policy.\n* You must be the first person to responsibly disclose an unknown issue.\n* Follow the testing guidelines set above.\n* All attacks must be executed against your own test environment. You can sign up for a free Cloudflare account and use it for testing. **DO NOT ATTACK CLOUDFLARE'S CUSTOMERS.**\n\nAll legitimate reports will be reviewed and assessed by Cloudflare's security team to determine eligibility.\n\n# Disclosure\n\nWe permit you to disclose your research publicly, subject to our review and approval, once the issue has been resolved or 90 days has passed, whichever comes first. If you are planning to share information about your research publicly at a conference, in a blog, or any other public forum, you agree to share a draft with us for review and approval at least 7 days prior to the publication date. 
The following cannot be included in your publication:\n* Data regarding any Cloudflare customer instances\n* Cloudflare customers' data\n* information about Cloudflare employees, contractors or partners\n \n# Privacy Policy, Restrictions and Taxes\nCloudflare maintains both a [privacy policy](https://www.cloudflare.com/privacypolicy/) and [transparency report](https://www.cloudflare.com/transparency/).\n \nAs mentioned in our Privacy and Security Policy, Cloudflare's website and services are not intended for, or designed to attract individuals under the age of 18. Due to the Children's Online Privacy Protection Act (COPPA), we cannot accept submissions from children under the age of 13. Reporters under the age of 18 will not be eligible to receive Cloudflare service rewards. We may find another way to recognize your effort at our discretion.\n \nThis program is not open to any individual on, or anyone residing in any country on, any U.S. sanctions lists. Cloudflare employees and their family members are not eligible for bounties.\n \nThe decision to pay a reward is entirely at our discretion. You must not violate any law. You are responsible for any tax implications or additional restrictions depending on your country and local law. We reserve the right to cancel this program at any time.\n \n# Legal Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we may take steps to make it known that your actions were conducted in compliance with this policy in our sole discretion. Cloudflare cannot authorize any activity on third-party products or guarantee they won’t pursue legal action against you. 
We aren’t responsible for your liability from actions performed on third parties.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-06-22T09:34:33.299Z"},{"id":3673153,"new_policy":"# Our Values\nCloudflare appreciates the work of security researchers, and we take security, trust, and transparency seriously. We developed a program to make it easier to report vulnerabilities to Cloudflare and to recognize you for your efforts to make the Internet a better place.\n\nFor research into our products, good starting points include our [Developer documentation](https://developers.cloudflare.com/docs/), [API documentation](https://api.cloudflare.com/#getting-started-endpoints), the [Learning Center](https://www.cloudflare.com/learning/), and any material on the [Cloudflare support forums](https://community.cloudflare.com/).\n \n# Rewards\nCloudflare awards bounties based on severity using the Common Vulnerability Scoring Standard (CVSS) version 3.\n \nPlease note that these are general guidelines for rewards, and that reward decisions are at the discretion of Cloudflare. Issues may receive a lower severity rating due to mitigating factors, Cloudflare’s assessment of business risk, or other context. 
All pricing is in USD.\n \n| Severity |  Critical (9.0 - 10.0) | High (7.0 - 8.9) | Medium (4.0 - 6.9)  |   Low (0.1 - 3.9)  |\n| --- | --- | --- | --- | --- |\n| **Primary Targets**  | $3,000   |  $1,000   |  $500   | $250 |\n| **Secondary Targets**  |  $2,700    |  $750   |  $350   |   $200  |\n|**Other** | $2,100 | $500 | $200 | $100 |\n\n**Note:** WAF Bypasses may be awarded up to $50 at the program's discretion.\n\n# Response Times\n* First Response: 2 days \n* Time to Triage: 2 days\n* Time to Bounty: 10 days\n* Time to Resolution: depends on severity and complexity\n\n# Collaborate with other hackers!\nIf your report is the product of collaboration, please add your collaborators before a bounty is awarded. [Let us know here](https://docs.google.com/forms/d/e/1FAIpQLSdGCbnBDcATSFeByRG0f5pBMRpEAzuJ0wXPC3jlscp3F7qOwg/viewform?urp=gmail_link) if you have questions!\n \n# Program Rules\n* By participating in this program, you agree to not discuss or otherwise disclose your ongoing work under this program or any vulnerabilities with parties outside of the program without explicit consent from Cloudflare, except as provided below.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward. Eligibility for rewards is at Cloudflare’s sole discretion.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities in order to demonstrate impact.\n* Once you find a vulnerability, report it and reach out to us before pivoting \n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded only one bounty.\n* Do not store any Cloudflare IP or PII information once the report is submitted\n \n# Scope\nPlease see our classifications for primary targets and secondary targets. 
We may still reward reports with significant security impact on anything owned by Cloudflare, so we encourage you to report such bugs via this program.\n \n## Scope: Primary Targets\nProducts listed under the Cloudflare Products tab on [our website](https://www.cloudflare.com/) are in scope as a primary target, excluding our China network which is hosted by a partner. Current in scope products include:\n* [Stream](https://developers.cloudflare.com/stream/getting-started/)\n* [1.1.1.1 resolver](https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/)\n* 1.1.1.1/WARP Android and iOS apps\n* [Magic Transit](https://developers.cloudflare.com/magic-transit/)\n* [Cloudflare Pages](https://pages.cloudflare.com/)\n* [Cloudflare Workers](https://developers.cloudflare.com/workers/)\n* [Argo/Argo tunnel](https://developers.cloudflare.com/argo-tunnel/quickstart/)\n* [Spectrum](https://developers.cloudflare.com/spectrum/getting-started/)\n* [Load Balancing](https://developers.cloudflare.com/load-balancing/about/)\n* AMP Real URL\n* CDNJS\n* [Bot Management](https://developers.cloudflare.com/bots/)\n* Cloudflare Marketplace (platform only)*\n* [WAF](https://developers.cloudflare.com/waf/change-log/)\n* [Cloudflare for Teams](https://www.cloudflare.com/teams/)\n \n*Cloudflare Marketplace scope only covers the platform for browsing and enabling apps on to customer zones. Issues with apps on the marketplace that are created by third parties and are out of scope, but may be reviewed on a case-by-case basis at Cloudflare’s discretion.\n \n## Scope: Secondary Targets\n* dash.cloudflare.com\n* APIs listed on api.cloudflare.com\n \n## Scope: Other\n*  *.cloudflare.com (e.g. blog.cloudflare.com, www.cloudflare.com, community.cloudflare.com, etc.)\n* Open source products created by Cloudflare (github.com/cloudflare)\n* Anything owned by Cloudflare not listed in primary targets (e.g. 
cloudflareworkers.com, rpki.cloudflare.com, etc.)\n \n \n# Ineligible Vulnerability Types\nCloudflare does not consider the following to be eligible vulnerabilities under this program. In most cases, these issues will be closed as **Not Applicable:**\n\n## XSS in Cloudflare workers\nThe entire purpose of Workers is to allow customers to run their own Javascript, called from their website. As a consequence, it will be possible for visitors to the site to explicitly call those functions. However, Workers runs in an Iframe sandbox, disconnected from the rest of the customer's website. XSS attacks only impact security if they can run in the context of  dash.cloudflare.com or any domain where it affects the currently logged-in Cloudflare user.\n(https://sites.google.com/site/bughunteruniversity/nonvuln/xss-in-sandbox-domain)\n\n## Security issue on origin server\nA vulnerability is out of scope if it exists on the origin server and not in a service that Cloudflare provides. If an exploit relies on the reporter configuring their origin in an insecure and non-default/uncommon way (for example, think cache-poisoning, subdomain takeovers, etc.), we cannot fix the vulnerability.\n\n## Social Engineering\nAny form of social engineering attack will be considered out of scope. For example:\n* Pre-authenticated Clickjacking\n* Phishing\n* Impersonating Cloudflare in emails\n* Convincing customer support to do something on behalf of another user\n\n## WAF Bypasses\nWe consider WAF bypasses an enhancement to our WAF product rather than bugs, and any related reports will be closed out as Informational. All WAF bypass reports need to be reproducible on our test site https://waf.cumulusfire.net/xss. You are free to use this site for testing.\n \n## Broken Links and abandoned cloud resources\nWe consider fixes for reported broken links, including links to abandoned cloud resources, as enhancements to our products and websites rather than bugs. 
Reports of broken links will not be awarded. Cloud resource takeovers will be awarded a payout of $50 unless an actual vulnerability is demonstrated by a proof-of-concept. If a PoC is provided, it will be awarded in accordance with the standard rewards table.\n\n# Out of Scope\nWe will accept out of scope reports and evaluate them on a case-by-case basis in our sole discretion. \n\nThe following issues are considered out of scope:\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Subdomain takeovers under *.cdn.cloudflare.net\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing Best Practice, Configuration or Policy Suggestions including SSL/TLS configurations.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Output from Automated Scanners without a PoC to demonstrate a specific vulnerability.\n* Lack of Secure or HTTP only flag on non-sensitive cookies.\n* Email configuration issues without a PoC to demonstrate a specific flaw.\n* Broken links without demonstrating an attack\n \nNote: We have identified a problem in our sanitization library on dash.cloudflare.com which can cause XSS. We are aware of the issue and are working to fix it. We will not award bounties for XSS reported on dash.cloudflare.com as it would be a duplicate report. Thank you to the researchers who originally reported this issue. This note will be removed once the issue is fixed.\n \nNote: Mobilesdk is a product that we are sunsetting. 
Bounty for reports on this product will be awarded on a case-by-case basis at our sole discretion.\nAny of the activities below will result in disqualification from the program permanently:\n* Social engineering of Cloudflare employees, contractors, vendors, or service providers.\n* Physical attacks against Cloudflare employees, offices, and data centers.\n* Any Denial of Service attacks against Cloudflare and our products.\n* Any vulnerability obtained through the compromise of a Cloudflare customer or employee account. Please create a free account to test potential vulnerabilities. \n* Attempts to access/compromise customer assets that use Cloudflare.\n* Attempts to access/compromise Cloudflare's China network.\n* Attempts to access/compromise any 3rd party vendor that Cloudflare uses.\n* Attacks against the integrity of Cloudflare customers.\n \n# Guidelines for Testing\nPlease be considerate when testing our infrastructure. Failure to follow these guidelines will lead to disqualification from the Cloudflare Bug Bounty program.\n* Make sure that scanners have a narrow scope set that is limited to authorized Cloudflare IPs only. Aggressive, overly broad scans or those which include Cloudflare customer IPs without permission will be considered invalid.\n* Do not send unsolicited bulk messages (spam) or unauthorized messages.\n* Do not knowingly post, transmit, upload, link to, or send any malware.\n* Do not attack Cloudflare customers, partners or suppliers.\n* Testing should be done from a Cloudflare account associated with your @wearehackerone.com email address.\n \n# Reporting\nIf you believe you have found a security vulnerability that could impact Cloudflare or our users, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. 
We ask that you follow Cloudflare's [Vulnerability Disclosure Policy](https://www.cloudflare.com/disclosure/) and HackerOne's [Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines) and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research.\n \n# Recommended Report Format\nSubmitting high quality reports is highly encouraged. Please address the following bits of information in your report to demonstrate the quality of the vulnerability. Reports that are low quality and unclear will be closed. This recommended format will help you create a report that is in a readable format and contains all the information needed by Cloudflare.\n* Affected target, feature, or URL:\n* Description of problem:\n* Impact of the issue:\n* Steps to reproduce:\n* Proof of Concept:\n* Is knowledge of this issue currently public?\n \n# Eligibility \nIn order for your submission to be eligible:\n* You must agree to this policy.\n* You must be the first person to responsibly disclose an unknown issue.\n* Follow the testing guidelines set above.\n* All attacks must be executed against your own test environment. You can sign up for a free Cloudflare account and use it for testing. **DO NOT ATTACK CLOUDFLARE'S CUSTOMERS.**\n\nAll legitimate reports will be reviewed and assessed by Cloudflare's security team to determine eligibility.\n\n# Disclosure\n\nWe permit you to disclose your research publicly, subject to our review and approval, once the issue has been resolved or 90 days has passed, whichever comes first. If you are planning to share information about your research publicly at a conference, in a blog, or any other public forum, you agree to share a draft with us for review and approval at least 7 days prior to the publication date. 
The following cannot be included in your publication:\n* Data regarding any Cloudflare customer instances\n* Cloudflare customers' data\n* information about Cloudflare employees, contractors or partners\n \n# Privacy Policy, Restrictions and Taxes\nCloudflare maintains both a [privacy policy](https://www.cloudflare.com/privacypolicy/) and [transparency report](https://www.cloudflare.com/transparency/).\n \nAs mentioned in our Privacy and Security Policy, Cloudflare's website and services are not intended for, or designed to attract individuals under the age of 18. Due to the Children's Online Privacy Protection Act (COPPA), we cannot accept submissions from children under the age of 13. Reporters under the age of 18 will not be eligible to receive Cloudflare service rewards. We may find another way to recognize your effort at our discretion.\n \nThis program is not open to any individual on, or anyone residing in any country on, any U.S. sanctions lists. Cloudflare employees and their family members are not eligible for bounties.\n \nThe decision to pay a reward is entirely at our discretion. You must not violate any law. You are responsible for any tax implications or additional restrictions depending on your country and local law. We reserve the right to cancel this program at any time.\n \n# Legal Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we may take steps to make it known that your actions were conducted in compliance with this policy in our sole discretion. Cloudflare cannot authorize any activity on third-party products or guarantee they won’t pursue legal action against you. 
We aren’t responsible for your liability from actions performed on third parties.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-06-21T10:23:49.313Z"},{"id":3673130,"new_policy":"# Our Values\nCloudflare appreciates the work of security researchers, and we take security, trust, and transparency seriously. We developed a program to make it easier to report vulnerabilities to Cloudflare and to recognize you for your efforts to make the Internet a better place.\n\nFor research into our products, good starting points include our [Developer documentation](https://developers.cloudflare.com/docs/), [API documentation](https://api.cloudflare.com/#getting-started-endpoints), the [Learning Center](https://www.cloudflare.com/learning/), and any material on the [Cloudflare support forums](https://community.cloudflare.com/).\n \n# Rewards\nCloudflare awards bounties based on severity using the Common Vulnerability Scoring Standard (CVSS) version 3.\n \nPlease note that these are general guidelines for rewards, and that reward decisions are at the discretion of Cloudflare. Issues may receive a lower severity rating due to mitigating factors, Cloudflare’s assessment of business risk, or other context. 
All pricing is in USD.\n \n| Severity |  Critical (9.0 - 10.0) | High (7.0 - 8.9) | Medium (4.0 - 6.9)  |   Low (0.1 - 3.9)  |\n| --- | --- | --- | --- | --- |\n| **Primary Targets**  | $3,000   |  $1,000   |  $500   | $250 |\n| **Secondary Targets**  |  $2,700    |  $750   |  $350   |   $200  |\n|**Other** | $2,100 | $500 | $200 | $100 |\n\n**Note:** WAF Bypasses may be awarded up to $50 at the program's discretion.\n\n# Response Times\n* First Response: 2 days \n* Time to Triage: 2 days\n* Time to Bounty: 10 days\n* Time to Resolution: depends on severity and complexity\n\n# Collaborate with other hackers!\nIf your report is the product of collaboration, please add your collaborators before a bounty is awarded. [Let us know here](https://docs.google.com/forms/d/e/1FAIpQLSdGCbnBDcATSFeByRG0f5pBMRpEAzuJ0wXPC3jlscp3F7qOwg/viewform?urp=gmail_link) if you have questions!\n \n# Program Rules\n* By participating in this program, you agree to not discuss or otherwise disclose your ongoing work under this program or any vulnerabilities with parties outside of the program without explicit consent from Cloudflare, except as provided below.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward. Eligibility for rewards is at Cloudflare’s sole discretion.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities in order to demonstrate impact.\n* Once you find a vulnerability, report it and reach out to us before pivoting \n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded only one bounty.\n* Do not store any Cloudflare IP or PII information once the report is submitted\n \n# Scope\nPlease see our classifications for primary targets and secondary targets. 
We may still reward reports with significant security impact on anything owned by Cloudflare, so we encourage you to report such bugs via this program.\n \n## Scope: Primary Targets\nProducts listed under the Cloudflare Products tab on [our website](https://www.cloudflare.com/) are in scope as a primary target, excluding our China network which is hosted by a partner. Current in scope products include:\n* [Stream](https://developers.cloudflare.com/stream/getting-started/)\n* [1.1.1.1 resolver](https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/)\n* 1.1.1.1/WARP Android and iOS apps\n* [Magic Transit](https://developers.cloudflare.com/magic-transit/)\n* [Cloudflare Pages](https://pages.cloudflare.com/)\n* [Cloudflare Workers](https://developers.cloudflare.com/workers/)\n* [Argo/Argo tunnel](https://developers.cloudflare.com/argo-tunnel/quickstart/)\n* [Spectrum](https://developers.cloudflare.com/spectrum/getting-started/)\n* [Load Balancing](https://developers.cloudflare.com/load-balancing/about/)\n* AMP Real URL\n* CDNJS\n* [Bot Management](https://developers.cloudflare.com/bots/)\n* Cloudflare Marketplace (platform only)*\n* [WAF](https://developers.cloudflare.com/waf/change-log/)\n* [Cloudflare for Teams](https://www.cloudflare.com/teams/)\n \n*Cloudflare Marketplace scope only covers the platform for browsing and enabling apps on to customer zones. Issues with apps on the marketplace that are created by third parties and are out of scope, but may be reviewed on a case-by-case basis at Cloudflare’s discretion.\n \n## Scope: Secondary Targets\n* dash.cloudflare.com\n* APIs listed on api.cloudflare.com\n \n## Scope: Other\n*  *.cloudflare.com (e.g. blog.cloudflare.com, www.cloudflare.com, community.cloudflare.com, etc.)\n* Open source products created by Cloudflare (github.com/cloudflare)\n* Anything owned by Cloudflare not listed in primary targets (e.g. 
cloudflareworkers.com, rpki.cloudflare.com, etc.)\n \n \n# Ineligible Vulnerability Types\nCloudflare does not consider the following to be eligible vulnerabilities under this program. In most cases, these issues will be closed as **Not Applicable:**\n\n## XSS in Cloudflare workers\nThe entire purpose of Workers is to allow customers to run their own Javascript, called from their website. As a consequence, it will be possible for visitors to the site to explicitly call those functions. However, Workers runs in an Iframe sandbox, disconnected from the rest of the customer's website. XSS attacks only impact security if they can run in the context of  dash.cloudflare.com or any domain where it affects the currently logged-in Cloudflare user.\n(https://sites.google.com/site/bughunteruniversity/nonvuln/xss-in-sandbox-domain)\n\n## Security issue on origin server\nA vulnerability is out of scope if it exists on the origin server and not in a service that Cloudflare provides. If an exploit relies on the reporter configuring their origin in an insecure and non-default/uncommon way (for example, think cache-poisoning, subdomain takeovers, etc.), we cannot fix the vulnerability.\n\n## Social Engineering\nAny form of social engineering attack will be considered out of scope. For example:\n* Pre-authenticated Clickjacking\n* Phishing\n* Impersonating Cloudflare in emails\n* Convincing customer support to do something on behalf of another user\n\n## WAF Bypasses\nWe consider WAF bypasses an enhancement to our WAF product rather than bugs, and any related reports will be closed out as Informational. All WAF bypass reports need to be reproducible on our test site https://waf.cumulusfire.net/xss. You are free to use this site for testing.\n \n## Broken Links and abandoned cloud resources\nWe consider fixes for reported broken links, including links to abandoned cloud resources, as enhancements to our products and websites rather than bugs. 
Reports of broken links will not be awarded. Cloud resource takeovers will be awarded a payout of $50 unless an actual vulnerability is demonstrated by a proof-of-concept. If a PoC is provided, it will be awarded in accordance with the standard rewards table.\n\n# Out of Scope\nWe will accept out of scope reports and evaluate them on a case-by-case basis in our sole discretion. \n\nThe following issues are considered out of scope:\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Subdomain takeovers under *.cdn.cloudflare.net\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing Best Practice, Configuration or Policy Suggestions including SSL/TLS configurations.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Output from Automated Scanners without a PoC to demonstrate a specific vulnerability.\n* Lack of Secure or HTTP only flag on non-sensitive cookies.\n* Email configuration issues without a PoC to demonstrate a specific flaw.\n* Broken links without demonstrating an attack\n \nNote: We have identified a problem in our sanitization library on dash.cloudflare.com which can cause XSS. We are aware of the issue and are working to fix it. We will not award bounties for XSS reported on dash.cloudflare.com as it would be a duplicate report. Thank you to the researchers who originally reported this issue. This note will be removed once the issue is fixed.\n \nNote: Mobilesdk is a product that we are sunsetting. 
Bounty for reports on this product will be awarded on a case-by-case basis at our sole discretion.\nAny of the activities below will result in disqualification from the program permanently:\n* Social engineering of Cloudflare employees, contractors, vendors, or service providers.\n* Physical attacks against Cloudflare employees, offices, and data centers.\n* Any Denial of Service attacks against Cloudflare and our products.\n* Any vulnerability obtained through the compromise of a Cloudflare customer or employee account. Please create a free account to test potential vulnerabilities. \n* Attempts to access/compromise customer assets that use Cloudflare.\n* Attempts to access/compromise Cloudflare's China network.\n* Attempts to access/compromise any 3rd party vendor that Cloudflare uses.\n* Attacks against the integrity of Cloudflare customers.\n \n# Guidelines for Testing\nPlease be considerate when testing our infrastructure. Failure to follow these guidelines will lead to disqualification from the Cloudflare Bug Bounty program.\n* Make sure that scanners have a narrow scope set that is limited to authorized Cloudflare IPs only. Aggressive, overly broad scans or those which include Cloudflare customer IPs without permission will be considered invalid.\n* Do not send unsolicited bulk messages (spam) or unauthorized messages.\n* Do not knowingly post, transmit, upload, link to, or send any malware.\n* Do not attack Cloudflare customers, partners or suppliers.\n* Testing should be done from a Cloudflare account associated with your @wearehackerone.com email address.\n \n# Reporting\nIf you believe you have found a security vulnerability that could impact Cloudflare or our users, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. 
We ask that you follow Cloudflare's [Vulnerability Disclosure Policy](https://www.cloudflare.com/disclosure/) and HackerOne's [Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines) and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research.\n \n# Recommended Report Format\nSubmitting high quality reports is highly encouraged. Please address the following bits of information in your report to demonstrate the quality of the vulnerability. Reports that are low quality and unclear will be closed. This recommended format will help you create a report that is in a readable format and contains all the information needed by Cloudflare.\n* Affected target, feature, or URL:\n* Description of problem:\n* Impact of the issue:\n* Steps to reproduce:\n* Proof of Concept:\n* Is knowledge of this issue currently public?\n \n# Eligibility \nIn order for your submission to be eligible:\n* You must agree to this policy.\n* You must be the first person to responsibly disclose an unknown issue.\n* Follow the testing guidelines set above.\n* All attacks must be executed against your own test environment. Cloudflare provides free accounts that can be used for testing. **DO NOT ATTACK CLOUDFLARE'S CUSTOMERS.**\n\nAll legitimate reports will be reviewed and assessed by Cloudflare's security team to determine eligibility.\n\n# Disclosure\n\nWe permit you to disclose your research publicly, subject to our review and approval, once the issue has been resolved or 90 days has passed, whichever comes first. If you are planning to share information about your research publicly at a conference, in a blog, or any other public forum, you agree to share a draft with us for review and approval at least 7 days prior to the publication date. 
The following cannot be included in your publication:\n* Data regarding any Cloudflare customer instances\n* Cloudflare customers' data\n* Information about Cloudflare employees, contractors or partners\n \n# Privacy Policy, Restrictions and Taxes\nCloudflare maintains both a [privacy policy](https://www.cloudflare.com/privacypolicy/) and [transparency report](https://www.cloudflare.com/transparency/).\n \nAs mentioned in our Privacy and Security Policy, Cloudflare's website and services are not intended for, or designed to attract individuals under the age of 18. Due to the Children's Online Privacy Protection Act (COPPA), we cannot accept submissions from children under the age of 13. Reporters under the age of 18 will not be eligible to receive Cloudflare service rewards. We may find another way to recognize your effort at our discretion.\n \nThis program is not open to any individual on, or anyone residing in any country on, any U.S. sanctions lists. Cloudflare employees and their family members are not eligible for bounties.\n \nThe decision to pay a reward is entirely at our discretion. You must not violate any law. You are responsible for any tax implications or additional restrictions depending on your country and local law. We reserve the right to cancel this program at any time.\n \n# Legal Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we may take steps to make it known that your actions were conducted in compliance with this policy in our sole discretion. Cloudflare cannot authorize any activity on third-party products or guarantee they won’t pursue legal action against you. 
We aren’t responsible for your liability from actions performed on third parties.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-06-20T18:02:37.533Z"},{"id":3672652,"new_policy":"# Our Values\nCloudflare appreciates the work of security researchers, and we take security, trust, and transparency seriously. We developed a program to make it easier to report vulnerabilities to Cloudflare and to recognize you for your efforts to make the Internet a better place.\n\nFor research into our products, good starting points include our [Developer documentation](https://developers.cloudflare.com/docs/), [API documentation](https://api.cloudflare.com/#getting-started-endpoints), the [Learning Center](https://www.cloudflare.com/learning/), and any material on the [Cloudflare support forums](https://community.cloudflare.com/).\n \n# Rewards\nCloudflare awards bounties based on severity using the Common Vulnerability Scoring Standard (CVSS) version 3.\n \nPlease note that these are general guidelines for rewards, and that reward decisions are at the discretion of Cloudflare. Issues may receive a lower severity rating due to mitigating factors, Cloudflare’s assessment of business risk, or other context. 
All pricing is in USD.\n \n| Severity |  Critical (9.0 - 10.0) | High (7.0 - 8.9) | Medium (4.0 - 6.9)  |   Low (0.1 - 3.9)  |\n| --- | --- | --- | --- | --- |\n| **Primary Targets**  | $3,000   |  $1,000   |  $500   | $250 |\n| **Secondary Targets**  |  $2,700    |  $750   |  $350   |   $200  |\n|**Other** | $2,100 | $500 | $200 | $100 |\n\n**Note:** WAF Bypasses may be awarded up to $50 at the program's discretion.\n\n# Response Times\n* First Response: 2 days \n* Time to Triage: 2 days\n* Time to Bounty: 10 days\n* Time to Resolution: depends on severity and complexity\n\n# Collaborate with other hackers!\nIf your report is the product of collaboration, please add your collaborators before a bounty is awarded. [Let us know here](https://docs.google.com/forms/d/e/1FAIpQLSdGCbnBDcATSFeByRG0f5pBMRpEAzuJ0wXPC3jlscp3F7qOwg/viewform?urp=gmail_link) if you have questions!\n \n# Program Rules\n* By participating in this program, you agree to not discuss or otherwise disclose your ongoing work under this program or any vulnerabilities with parties outside of the program without explicit consent from Cloudflare, except as provided below.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward. Eligibility for rewards is at Cloudflare’s sole discretion.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities in order to demonstrate impact.\n* Once you find a vulnerability, report it and reach out to us before pivoting \n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded only one bounty.\n* Do not store any Cloudflare IP or PII information once the report is submitted\n \n# Scope\nPlease see our classifications for primary targets and secondary targets. 
We may still reward reports with significant security impact on anything owned by Cloudflare, so we encourage you to report such bugs via this program.\n \n## Scope: Primary Targets\nProducts listed under the Cloudflare Products tab on [our website](https://www.cloudflare.com/) are in scope as a primary target, excluding our China network which is hosted by a partner. Current in scope products include:\n* [Stream](https://developers.cloudflare.com/stream/getting-started/)\n* [1.1.1.1 resolver](https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/)\n* 1.1.1.1/WARP Android and iOS apps\n* [Magic Transit](https://developers.cloudflare.com/magic-transit/)\n* [Cloudflare Pages](https://pages.cloudflare.com/)\n* [Cloudflare Workers](https://developers.cloudflare.com/workers/)\n* [Argo/Argo tunnel](https://developers.cloudflare.com/argo-tunnel/quickstart/)\n* [Spectrum](https://developers.cloudflare.com/spectrum/getting-started/)\n* [Load Balancing](https://developers.cloudflare.com/load-balancing/about/)\n* AMP Real URL\n* CDNJS\n* [Bot Management](https://developers.cloudflare.com/bots/)\n* Cloudflare Marketplace (platform only)*\n* [WAF](https://developers.cloudflare.com/waf/change-log/)\n* [Cloudflare for Teams](https://www.cloudflare.com/teams/)\n \n*Cloudflare Marketplace scope only covers the platform for browsing and enabling apps onto customer zones. Issues with apps on the marketplace that are created by third parties are out of scope, but may be reviewed on a case-by-case basis at Cloudflare’s discretion.\n \n## Scope: Secondary Targets\n* dash.cloudflare.com\n* APIs listed on api.cloudflare.com\n \n## Scope: Other\n*  *.cloudflare.com (e.g. blog.cloudflare.com, www.cloudflare.com, community.cloudflare.com, etc.)\n* Open source products created by Cloudflare (github.com/cloudflare)\n* Anything owned by Cloudflare not listed in primary targets (e.g. 
cloudflareworkers.com, rpki.cloudflare.com, etc.)\n \n \n# Ineligible Vulnerability Types\nCloudflare does not consider the following to be eligible vulnerabilities under this program. In most cases, these issues will be closed as **Not Applicable:**\n\n## XSS in Cloudflare workers\nThe entire purpose of Workers is to allow customers to run their own Javascript, called from their website. As a consequence, it will be possible for visitors to the site to explicitly call those functions. However, Workers runs in an Iframe sandbox, disconnected from the rest of the customer's website. XSS attacks only impact security if they can run in the context of  dash.cloudflare.com or any domain where it affects the currently logged-in Cloudflare user.\n(https://sites.google.com/site/bughunteruniversity/nonvuln/xss-in-sandbox-domain)\n\n## Security issue on origin server\nA vulnerability is out of scope if it exists on the origin server and not in a service that Cloudflare provides. If an exploit relies on the reporter configuring their origin in an insecure and non-default/uncommon way (for example, think cache-poisoning, subdomain takeovers, etc.), we cannot fix the vulnerability.\n\n## Social Engineering\nAny form of social engineering attack will be considered out of scope. For example:\n* Pre-authenticated Clickjacking\n* Phishing\n* Impersonating Cloudflare in emails\n* Convincing customer support to do something on behalf of another user\n\n## WAF Bypasses\nWe consider WAF bypasses an enhancement to our WAF product rather than bugs, and any related reports will be closed out as Informational. All WAF bypass reports need to be reproducible on our test site https://waf.cumulusfire.net/xss. You are free to use this site for testing.\n \n## Broken Links and abandoned cloud resources\nWe consider fixes for reported broken links, including links to abandoned cloud resources, as enhancements to our products and websites rather than bugs. 
Reports of broken links will not be awarded. Cloud resource takeovers will be awarded a payout of $50 unless an actual vulnerability is demonstrated by a proof-of-concept. If a PoC is provided, it will be awarded in accordance with the standard rewards table.\n\n# Out of Scope\nWe will accept out of scope reports and evaluate them on a case-by-case basis in our sole discretion. \n\nThe following issues are considered out of scope:\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Subdomain takeovers under *.cdn.cloudflare.net\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing Best Practice, Configuration or Policy Suggestions including SSL/TLS configurations.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Output from Automated Scanners without a PoC to demonstrate a specific vulnerability.\n* Lack of Secure or HTTP only flag on non-sensitive cookies.\n* Email configuration issues without a PoC to demonstrate a specific flaw.\n* Broken links without demonstrating an attack\n \nNote: We have identified a problem in our sanitization library on dash.cloudflare.com which can cause XSS. We are aware of the issue and are working to fix it. We will not award bounties for XSS reported on dash.cloudflare.com as it would be a duplicate report. Thank you to the researchers who originally reported this issue. This note will be removed once the issue is fixed.\n \nNote: Mobilesdk is a product that we are sunsetting. 
Bounty for reports on this product will be awarded on a case-by-case basis at our sole discretion.\nAny of the activities below will result in disqualification from the program permanently:\n* Social engineering of Cloudflare employees, contractors, vendors, or service providers.\n* Physical attacks against Cloudflare employees, offices, and data centers.\n* Any Denial of Service attacks against Cloudflare and our products.\n* Any vulnerability obtained through the compromise of a Cloudflare customer or employee account. Please create a free account to test potential vulnerabilities. \n* Attempts to access/compromise customer assets that use Cloudflare.\n* Attempts to access/compromise Cloudflare's China network.\n* Attempts to access/compromise any 3rd party vendor that Cloudflare uses.\n* Attacks against the integrity of Cloudflare customers.\n \n# Guidelines for Testing\nPlease be considerate when testing our infrastructure. Failure to follow these guidelines will lead to disqualification from the Cloudflare Bug Bounty program.\n* Make sure that scanners have a narrow scope set that is limited to authorized Cloudflare IPs only. Aggressive, overly broad scans or those which include Cloudflare customer IPs without permission will be considered invalid.\n* Do not send unsolicited bulk messages (spam) or unauthorized messages.\n* Do not knowingly post, transmit, upload, link to, or send any malware.\n* Do not attack Cloudflare customers, partners or suppliers.\n* Testing should be done from a Cloudflare account associated with your @wearehackerone.com email address.\n \n# Reporting\nIf you believe you have found a security vulnerability that could impact Cloudflare or our users, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. 
We ask that you follow Cloudflare's [Vulnerability Disclosure Policy](https://www.cloudflare.com/disclosure/) and HackerOne's [Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines) and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research.\n \n# Recommended Report Format\nSubmitting high quality reports is highly encouraged. Please address the following bits of information in your report to demonstrate the quality of the vulnerability. Reports that are low quality and unclear will be closed. This recommended format will help you create a report that is in a readable format and contains all the information needed by Cloudflare.\n* Affected target, feature, or URL:\n* Description of problem:\n* Impact of the issue:\n* Steps to reproduce:\n* Proof of Concept:\n* Is knowledge of this issue currently public?\n \n# Eligibility and Disclosure\nIn order for your submission to be eligible:\n* You must agree to this policy.\n* You must be the first person to responsibly disclose an unknown issue.\nAll legitimate reports will be reviewed and assessed by Cloudflare's security team to determine eligibility.\nWe permit you to disclose your research publicly, subject to our review and approval, once the issue has been resolved or 90 days has passed, whichever comes first. If you are planning to share information about your research publicly at a conference, in a blog, or any other public forum, you agree to share your plans with us for review and approval at least 7 days prior to the publish date. 
You may not include information regarding any of our customer instances or data as well as any Cloudflare employee information.\n \n# Privacy Policy, Restrictions and Taxes\nCloudflare maintains both a [privacy policy](https://www.cloudflare.com/privacypolicy/) and [transparency report](https://www.cloudflare.com/transparency/).\n \nAs mentioned in our Privacy and Security Policy, Cloudflare's website and services are not intended for, or designed to attract individuals under the age of 18. Due to the Children's Online Privacy Protection Act (COPPA), we cannot accept submissions from children under the age of 13. Reporters under the age of 18 will not be eligible to receive Cloudflare service rewards. We may find another way to recognize your effort at our discretion.\n \nThis program is not open to any individual on, or anyone residing in any country on, any U.S. sanctions lists. Cloudflare employees and their family members are not eligible for bounties.\n \nThe decision to pay a reward is entirely at our discretion. You must not violate any law. You are responsible for any tax implications or additional restrictions depending on your country and local law. We reserve the right to cancel this program at any time.\n \n# Legal Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we may take steps to make it known that your actions were conducted in compliance with this policy in our sole discretion. Cloudflare cannot authorize any activity on third-party products or guarantee they won’t pursue legal action against you. 
We aren’t responsible for your liability from actions performed on third parties.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-06-13T17:49:37.575Z"},{"id":3670931,"new_policy":"# Our Values\nCloudflare appreciates the work of security researchers, and we take security, trust, and transparency seriously. We developed a program to make it easier to report vulnerabilities to Cloudflare and to recognize you for your efforts to make the Internet a better place.\n\nFor research into our products, good starting points include our [Developer documentation](https://developers.cloudflare.com/docs/), [API documentation](https://api.cloudflare.com/#getting-started-endpoints), the [Learning Center](https://www.cloudflare.com/learning/), and any material on the [Cloudflare support forums](https://community.cloudflare.com/).\n \n# Rewards\nCloudflare awards bounties based on severity using the Common Vulnerability Scoring Standard (CVSS) version 3.\n \nPlease note that these are general guidelines for rewards, and that reward decisions are at the discretion of Cloudflare. Issues may receive a lower severity rating due to mitigating factors, Cloudflare’s assessment of business risk, or other context. 
All pricing is in USD.\n \n| Severity |  Critical (9.0 - 10.0) | High (7.0 - 8.9) | Medium (4.0 - 6.9)  |   Low (0.1 - 3.9)  |\n| --- | --- | --- | --- | --- |\n| **Primary Targets**  | $3,000   |  $1,000   |  $500   | $250 |\n| **Secondary Targets**  |  $2,700    |  $750   |  $350   |   $200  |\n|**Other** | $2,100 | $500 | $200 | $100 |\n\n**Note:** WAF Bypasses may be awarded up to $50 at the program's discretion.\n\n# Response Times\n* First Response: 2 days \n* Time to Triage: 2 days\n* Time to Bounty: 10 days\n* Time to Resolution: depends on severity and complexity\n\n# Collaborate with other hackers!\nIf your report is the product of collaboration, please add your collaborators before a bounty is awarded. [Let us know here](https://docs.google.com/forms/d/e/1FAIpQLSdGCbnBDcATSFeByRG0f5pBMRpEAzuJ0wXPC3jlscp3F7qOwg/viewform?urp=gmail_link) if you have questions!\n \n# Program Rules\n* By participating in this program, you agree to not discuss or otherwise disclose your ongoing work under this program or any vulnerabilities with parties outside of the program without explicit consent from Cloudflare, except as provided below.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward. Eligibility for rewards is at Cloudflare’s sole discretion.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities in order to demonstrate impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded only one bounty.\n \n# Scope\nPlease see our classifications for primary targets and secondary targets. 
We may still reward reports with significant security impact on anything owned by Cloudflare, so we encourage you to report such bugs via this program.\n \n## Scope: Primary Targets\nProducts listed under the Cloudflare Products tab on [our website](https://www.cloudflare.com/) are in scope as a primary target, excluding our China network which is hosted by a partner. Current in scope products include:\n* [Stream](https://developers.cloudflare.com/stream/getting-started/)\n* [1.1.1.1 resolver](https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/)\n* 1.1.1.1/WARP Android and iOS apps\n* [Magic Transit](https://developers.cloudflare.com/magic-transit/)\n* [Cloudflare Pages](https://pages.cloudflare.com/)\n* [Cloudflare Workers](https://developers.cloudflare.com/workers/)\n* [Argo/Argo tunnel](https://developers.cloudflare.com/argo-tunnel/quickstart/)\n* [Spectrum](https://developers.cloudflare.com/spectrum/getting-started/)\n* [Load Balancing](https://developers.cloudflare.com/load-balancing/about/)\n* AMP Real URL\n* CDNJS\n* [Bot Management](https://developers.cloudflare.com/bots/)\n* Cloudflare Marketplace (platform only)*\n* [WAF](https://developers.cloudflare.com/waf/change-log/)\n* [Cloudflare for Teams](https://www.cloudflare.com/teams/)\n \n*Cloudflare Marketplace scope only covers the platform for browsing and enabling apps onto customer zones. Issues with apps on the marketplace that are created by third parties are out of scope, but may be reviewed on a case-by-case basis at Cloudflare’s discretion.\n \n## Scope: Secondary Targets\n* dash.cloudflare.com\n* APIs listed on api.cloudflare.com\n \n## Scope: Other\n*  *.cloudflare.com (e.g. blog.cloudflare.com, www.cloudflare.com, community.cloudflare.com, etc.)\n* Open source products created by Cloudflare (github.com/cloudflare)\n* Anything owned by Cloudflare not listed in primary targets (e.g. 
cloudflareworkers.com, rpki.cloudflare.com, etc.)\n \n \n# Ineligible Vulnerability Types\nCloudflare does not consider the following to be eligible vulnerabilities under this program. In most cases, these issues will be closed as **Not Applicable:**\n\n## XSS in Cloudflare workers\nThe entire purpose of Workers is to allow customers to run their own Javascript, called from their website. As a consequence, it will be possible for visitors to the site to explicitly call those functions. However, Workers runs in an Iframe sandbox, disconnected from the rest of the customer's website. XSS attacks only impact security if they can run in the context of  dash.cloudflare.com or any domain where it affects the currently logged-in Cloudflare user.\n(https://sites.google.com/site/bughunteruniversity/nonvuln/xss-in-sandbox-domain)\n\n## Security issue on origin server\nA vulnerability is out of scope if it exists on the origin server and not in a service that Cloudflare provides. If an exploit relies on the reporter configuring their origin in an insecure and non-default/uncommon way (for example, think cache-poisoning, subdomain takeovers, etc.), we cannot fix the vulnerability.\n\n## Social Engineering\nAny form of social engineering attack will be considered out of scope. For example:\n* Pre-authenticated Clickjacking\n* Phishing\n* Impersonating Cloudflare in emails\n* Convincing customer support to do something on behalf of another user\n\n## WAF Bypasses\nWe consider WAF bypasses an enhancement to our WAF product rather than bugs, and any related reports will be closed out as Informational. All WAF bypass reports need to be reproducible on our test site https://waf.cumulusfire.net/xss. You are free to use this site for testing.\n \n## Broken Links and abandoned cloud resources\nWe consider fixes for reported broken links, including links to abandoned cloud resources, as enhancements to our products and websites rather than bugs. 
Reports of broken links will not be awarded. Cloud resource takeovers will be awarded a payout of $50 unless an actual vulnerability is demonstrated by a proof-of-concept. If a PoC is provided, it will be awarded in accordance with the standard rewards table.\n\n# Out of Scope\nWe will accept out of scope reports and evaluate them on a case-by-case basis in our sole discretion. \n\nThe following issues are considered out of scope:\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Subdomain takeovers under *.cdn.cloudflare.net\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing Best Practice, Configuration or Policy Suggestions including SSL/TLS configurations.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Output from Automated Scanners without a PoC to demonstrate a specific vulnerability.\n* Lack of Secure or HTTP only flag on non-sensitive cookies.\n* Email configuration issues without a PoC to demonstrate a specific flaw.\n* Broken links without demonstrating an attack\n \nNote: We have identified a problem in our sanitization library on dash.cloudflare.com which can cause XSS. We are aware of the issue and are working to fix it. We will not award bounties for XSS reported on dash.cloudflare.com as it would be a duplicate report. Thank you to the researchers who originally reported this issue. This note will be removed once the issue is fixed.\n \nNote: Mobilesdk is a product that we are sunsetting. 
Bounty for reports on this product will be awarded on a case-by-case basis at our sole discretion.\nAny of the activities below will result in disqualification from the program permanently:\n* Social engineering of Cloudflare employees, contractors, vendors, or service providers.\n* Physical attacks against Cloudflare employees, offices, and data centers.\n* Any Denial of Service attacks against Cloudflare and our products.\n* Any vulnerability obtained through the compromise of a Cloudflare customer or employee account. Please create a free account to test potential vulnerabilities. \n* Attempts to access/compromise customer assets that use Cloudflare.\n* Attempts to access/compromise Cloudflare's China network.\n* Attempts to access/compromise any 3rd party vendor that Cloudflare uses.\n* Attacks against the integrity of Cloudflare customers.\n \n# Guidelines for Testing\nPlease be considerate when testing our infrastructure. Failure to follow these guidelines will lead to disqualification from the Cloudflare Bug Bounty program.\n* Make sure that scanners have a narrow scope set that is limited to authorized Cloudflare IPs only. Aggressive, overly broad scans or those which include Cloudflare customer IPs without permission will be considered invalid.\n* Do not send unsolicited bulk messages (spam) or unauthorized messages.\n* Do not knowingly post, transmit, upload, link to, or send any malware.\n* Do not attack Cloudflare customers, partners or suppliers.\n* Testing should be done from a Cloudflare account associated with your @wearehackerone.com email address.\n \n# Reporting\nIf you believe you have found a security vulnerability that could impact Cloudflare or our users, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. 
We ask that you follow Cloudflare's [Vulnerability Disclosure Policy](https://www.cloudflare.com/disclosure/) and HackerOne's [Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines) and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research.\n \n# Recommended Report Format\nSubmitting high quality reports is highly encouraged. Please address the following bits of information in your report to demonstrate the quality of the vulnerability. Reports that are low quality and unclear will be closed. This recommended format will help you create a report that is in a readable format and contains all the information needed by Cloudflare.\n* Affected target, feature, or URL:\n* Description of problem:\n* Impact of the issue:\n* Steps to reproduce:\n* Proof of Concept:\n* Is knowledge of this issue currently public?\n \n# Eligibility and Disclosure\nIn order for your submission to be eligible:\n* You must agree to this policy.\n* You must be the first person to responsibly disclose an unknown issue.\nAll legitimate reports will be reviewed and assessed by Cloudflare's security team to determine eligibility.\nWe permit you to disclose your research publicly, subject to our review and approval, once the issue has been resolved or 90 days has passed, whichever comes first. If you are planning to share information about your research publicly at a conference, in a blog, or any other public forum, you agree to share your plans with us for review and approval at least 7 days prior to the publish date. 
You may not include information regarding any of our customer instances or data as well as any Cloudflare employee information.\n \n# Privacy Policy, Restrictions and Taxes\nCloudflare maintains both a [privacy policy](https://www.cloudflare.com/privacypolicy/) and [transparency report](https://www.cloudflare.com/transparency/).\n \nAs mentioned in our Privacy and Security Policy, Cloudflare's website and services are not intended for, or designed to attract individuals under the age of 18. Due to the Children's Online Privacy Protection Act (COPPA), we cannot accept submissions from children under the age of 13. Reporters under the age of 18 will not be eligible to receive Cloudflare service rewards. We may find another way to recognize your effort at our discretion.\n \nThis program is not open to any individual on, or anyone residing in any country on, any U.S. sanctions lists. Cloudflare employees and their family members are not eligible for bounties.\n \nThe decision to pay a reward is entirely at our discretion. You must not violate any law. You are responsible for any tax implications or additional restrictions depending on your country and local law. We reserve the right to cancel this program at any time.\n \n# Legal Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we may take steps to make it known that your actions were conducted in compliance with this policy in our sole discretion. Cloudflare cannot authorize any activity on third-party products or guarantee they won’t pursue legal action against you. 
We aren’t responsible for your liability from actions performed on third parties.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-05-06T22:33:45.950Z"},{"id":3666966,"new_policy":"# Our Values\nCloudflare appreciates the work of security researchers, and we take security, trust, and transparency seriously. We developed a program to make it easier to report vulnerabilities to Cloudflare and to recognize you for your efforts to make the Internet a better place.\n\nFor research into our products, good starting points include our [Developer documentation](https://developers.cloudflare.com/docs/), [API documentation](https://api.cloudflare.com/#getting-started-endpoints), the [Learning Center](https://www.cloudflare.com/learning/), and any material on the [Cloudflare support forums](https://community.cloudflare.com/).\n \n# Rewards\nCloudflare awards bounties based on severity using the Common Vulnerability Scoring Standard (CVSS) version 3.\n \nPlease note that these are general guidelines for rewards, and that reward decisions are at the discretion of Cloudflare. Issues may receive a lower severity rating due to mitigating factors, Cloudflare’s assessment of business risk, or other context. 
All pricing is in USD.\n \n| Severity |  Critical (9.0 - 10.0) | High (7.0 - 8.9) | Medium (4.0 - 6.9)  |   Low (0.1 - 3.9)  |\n| --- | --- | --- | --- | --- |\n| **Primary Targets**  | $3,000   |  $1,000   |  $500   | $250 |\n| **Secondary Targets**  |  $2,700    |  $750   |  $350   |   $200  |\n|**Other** | $2,100 | $500 | $200 | $100 |\n\n**Note:** WAF Bypasses may be awarded up to $50 at the program's discretion.\n\n# Response Times\n* First Response: 2 days \n* Time to Triage: 2 days\n* Time to Bounty: 10 days\n* Time to Resolution: depends on severity and complexity\n\n# Collaborate with other hackers!\nIf your report is the product of collaboration, please add your collaborators before a bounty is awarded. [Let us know here](https://docs.google.com/forms/d/e/1FAIpQLSdGCbnBDcATSFeByRG0f5pBMRpEAzuJ0wXPC3jlscp3F7qOwg/viewform?urp=gmail_link) if you have questions!\n \n# Program Rules\n* By participating in this program, you agree to not discuss or otherwise disclose your ongoing work under this program or any vulnerabilities with parties outside of the program without explicit consent from Cloudflare, except as provided below.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward. Eligibility for rewards is at Cloudflare’s sole discretion.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities in order to demonstrate impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded only one bounty.\n \n# Scope\nPlease see our classifications for primary targets and secondary targets. 
We may still reward reports with significant security impact on anything owned by Cloudflare, so we encourage you to report such bugs via this program.\n \n## Scope: Primary Targets\nProducts listed under the Cloudflare Products tab on [our website](https://www.cloudflare.com/) are in scope as a primary target, excluding our China network which is hosted by a partner. Current in scope products include:\n* [Stream](https://developers.cloudflare.com/stream/getting-started/)\n* [1.1.1.1 resolver](https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/)\n* 1.1.1.1/WARP Android and iOS apps\n* [Magic Transit](https://developers.cloudflare.com/magic-transit/)\n* [Cloudflare Pages](https://pages.cloudflare.com/)\n* [Cloudflare Workers](https://developers.cloudflare.com/workers/)\n* [Argo/Argo tunnel](https://developers.cloudflare.com/argo-tunnel/quickstart/)\n* [Spectrum](https://developers.cloudflare.com/spectrum/getting-started/)\n* [Load Balancing](https://developers.cloudflare.com/load-balancing/about/)\n* AMP Real URL\n* CDNJS\n* [Bot Management](https://developers.cloudflare.com/bots/)\n* Cloudflare Marketplace (platform only)*\n* [WAF](https://developers.cloudflare.com/waf/change-log/)\n* [Cloudflare for Teams](https://www.cloudflare.com/teams/)\n \n*Cloudflare Marketplace scope only covers the platform for browsing and enabling apps on to customer zones. Issues with apps on the marketplace that are created by third parties and are out of scope, but may be reviewed on a case-by-case basis at Cloudflare’s discretion.\n \n## Scope: Secondary Targets\n* dash.cloudflare.com\n* APIs listed on api.cloudflare.com\n \n## Scope: Other\n*  *.cloudflare.com (e.g. blog.cloudflare.com, www.cloudflare.com, community.cloudflare.com, etc.)\n* Open source products created by Cloudflare (github.com/cloudflare)\n* Anything owned by Cloudflare not listed in primary targets (e.g. 
cloudflareworkers.com, rpki.cloudflare.com, etc.)\n \n \n# Ineligible Vulnerability Types\nCloudflare does not consider the following to be eligible vulnerabilities under this program. In most cases, these issues will be closed as **Not Applicable:**\n\n## XSS in Cloudflare workers\nThe entire purpose of Workers is to allow customers to run their own Javascript, called from their website. As a consequence, it will be possible for visitors to the site to explicitly call those functions. However, Workers runs in an Iframe sandbox, disconnected from the rest of the customer's website. XSS attacks only impact security if they can run in the context of  dash.cloudflare.com or any domain where it affects the currently logged-in Cloudflare user.\n(https://sites.google.com/site/bughunteruniversity/nonvuln/xss-in-sandbox-domain)\n\n## Security issue on origin server\nA vulnerability is out of scope if it exists on the origin server and not in a service that Cloudflare provides. If an exploit relies on the reporter configuring their origin in an insecure and non-default/uncommon way (for example, think cache-poisoning, subdomain takeovers, etc.), we cannot fix the vulnerability.\n\n## Social Engineering\nAny form of social engineering attack will be considered out of scope. For example:\n* Pre-authenticated Clickjacking\n* Phishing\n* Impersonating Cloudflare in emails\n* Convincing customer support to do something on behalf of another user\n\n## WAF Bypasses\nWe consider WAF bypasses an enhancement to our WAF product rather than bugs, and any related reports will be closed out as Informational. All WAF bypass reports need to be reproducible on our test site https://waf.cumulusfire.net/xss. You are free to use this site for testing.\n \n## Broken Links and abandoned cloud resources\nWe consider fixes for reported broken links, including links to abandoned cloud resources, as enhancements to our products and websites rather than bugs. 
Reports of broken links will not be awarded. Cloud resource takeovers will be awarded a payout of $50 unless an actual vulnerability is demonstrated by a proof-of-concept. If a PoC is provided, it will be awarded in accordance with the standard rewards table.\n\n# Out of Scope\nWe will accept out of scope reports and evaluate them on a case-by-case basis in our sole discretion. \n\nThe following issues are considered out of scope:\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Subdomain takeovers under *.cdn.cloudflare.net\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing Best Practice, Configuration or Policy Suggestions including SSL/TLS configurations.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Output from Automated Scanners without a PoC to demonstrate a specific vulnerability.\n* Lack of Secure or HTTP only flag on non-sensitive cookies.\n* Email configuration issues without a PoC to demonstrate a specific flaw.\n* Broken links without demonstrating an attack\n \nNote: We have identified a problem in our sanitization library on dash.cloudflare.com which can cause XSS. We are aware of the issue and are working to fix it. We will not award bounties for XSS reported on dash.cloudflare.com as it would be a duplicate report. Thank you to the researchers who originally reported this issue. This note will be removed once the issue is fixed.\n \nNote: Mobilesdk is a product that we are sunsetting. 
Bounty for reports on this product will be awarded on a case-by-case basis at our sole discretion.\nAny of the activities below will result in disqualification from the program permanently:\n* Social engineering of Cloudflare employees, contractors, vendors, or service providers.\n* Physical attacks against Cloudflare employees, offices, and data centers.\n* Any Denial of Service attacks against Cloudflare and our products.\n* Any vulnerability obtained through the compromise of a Cloudflare customer or employee account. Please create a free account to test potential vulnerabilities. \n* Attempts to access/compromise customer assets that use Cloudflare.\n* Attempts to access/compromise Cloudflare's China network.\n* Attempts to access/compromise any 3rd party vendor that Cloudflare uses.\n* Attacks against the integrity of Cloudflare customers.\n \n# Guidelines for Testing\nPlease be considerate when testing our infrastructure. Failure to follow these guidelines will lead to disqualification from the Cloudflare Bug Bounty program.\n* Make sure that scanners have a narrow scope set that is limited to authorized Cloudflare IPs only. Aggressive, overly broad scans or those which include Cloudflare customer IPs without permission will be considered invalid.\n* Do not send unsolicited bulk messages (spam) or unauthorized messages.\n* Do not knowingly post, transmit, upload, link to, or send any malware.\n* Do not attack Cloudflare customers, partners or suppliers.\n* Testing should be done from a Cloudflare account associated with your @wearehackerone.com email address.\n \n# Reporting\nIf you believe you have found a security vulnerability that could impact Cloudflare or our users, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. 
We ask that you follow Cloudflare's [Vulnerability Disclosure Policy](https://www.cloudflare.com/disclosure/) and HackerOne's [Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines) and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research.\n \n# Recommended Report Format\nSubmitting high quality reports is highly encouraged. Please address the following bits of information in your report to demonstrate the quality of the vulnerability. Reports that are low quality and unclear will be closed. This recommended format will help you create a report that is in a readable format and contains all the information needed by Cloudflare.\n* Affected target, feature, or URL:\n* Description of problem:\n* Impact of the issue:\n* Steps to reproduce:\n* Proof of Concept:\n* Is knowledge of this issue currently public?\n \n# Eligibility and Disclosure\nIn order for your submission to be eligible:\n* You must agree to this policy.\n* You must be the first person to responsibly disclose an unknown issue.\nAll legitimate reports will be reviewed and assessed by Cloudflare's security team to determine eligibility.\nWe permit you to disclose your research publicly, subject to our review and approval, once the issue has been resolved or 90 days has passed, whichever comes first. If you are planning to share information about your research publicly at a conference, in a blog, or any other public forum, you agree to share your plans with us for review and approval at least 7 days prior to the publish date. 
You may not include information regarding any of our customer instances or data.\n \n# Privacy Policy, Restrictions and Taxes\nCloudflare maintains both a [privacy policy](https://www.cloudflare.com/privacypolicy/) and [transparency report](https://www.cloudflare.com/transparency/).\n \nAs mentioned in our Privacy and Security Policy, Cloudflare's website and services are not intended for, or designed to attract individuals under the age of 18. Due to the Children's Online Privacy Protection Act (COPPA), we cannot accept submissions from children under the age of 13. Reporters under the age of 18 will not be eligible to receive Cloudflare service rewards. We may find another way to recognize your effort at our discretion.\n \nThis program is not open to any individual on, or anyone residing in any country on, any U.S. sanctions lists. Cloudflare employees and their family members are not eligible for bounties.\n \nThe decision to pay a reward is entirely at our discretion. You must not violate any law. You are responsible for any tax implications or additional restrictions depending on your country and local law. We reserve the right to cancel this program at any time.\n \n# Legal Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we may take steps to make it known that your actions were conducted in compliance with this policy in our sole discretion. Cloudflare cannot authorize any activity on third-party products or guarantee they won’t pursue legal action against you. 
We aren’t responsible for your liability from actions performed on third parties.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-02-23T18:15:25.426Z"},{"id":3666965,"new_policy":"# Our Values\nCloudflare appreciates the work of security researchers, and we take security, trust, and transparency seriously. We developed a program to make it easier to report vulnerabilities to Cloudflare and to recognize you for your efforts to make the Internet a better place.\n\nFor research into our products, good starting points include our [Developer documentation](https://developers.cloudflare.com/docs/), [API documentation](https://api.cloudflare.com/#getting-started-endpoints), the [Learning Center](https://www.cloudflare.com/learning/), and any material on the [Cloudflare support forums](https://community.cloudflare.com/).\n \n# Rewards\nCloudflare awards bounties based on severity using the Common Vulnerability Scoring Standard (CVSS) version 3.\n \nPlease note that these are general guidelines for rewards, and that reward decisions are at the discretion of Cloudflare. Issues may receive a lower severity rating due to mitigating factors, Cloudflare’s assessment of business risk, or other context. 
All pricing is in USD.\n \n| Severity |  Critical (9.0 - 10.0) | High (7.0 - 8.9) | Medium (4.0 - 6.9)  |   Low (0.1 - 3.9)  |\n| --- | --- | --- | --- | --- |\n| **Primary Targets**  | $3,000   |  $1,000   |  $500   | $250 |\n| **Secondary Targets**  |  $2,700    |  $750   |  $350   |   $200  |\n|**Other** | $2,100 | $500 | $200 | $100 |\n**Note:** WAF Bypasses may be awarded up to $50 at the program's discretion.\n\n# Response Times\n* First Response: 2 days \n* Time to Triage: 2 days\n* Time to Bounty: 10 days\n* Time to Resolution: depends on severity and complexity\n\n# Collaborate with other hackers!\nIf your report is the product of collaboration, please add your collaborators before a bounty is awarded. [Let us know here](https://docs.google.com/forms/d/e/1FAIpQLSdGCbnBDcATSFeByRG0f5pBMRpEAzuJ0wXPC3jlscp3F7qOwg/viewform?urp=gmail_link) if you have questions!\n \n# Program Rules\n* By participating in this program, you agree to not discuss or otherwise disclose your ongoing work under this program or any vulnerabilities with parties outside of the program without explicit consent from Cloudflare, except as provided below.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward. Eligibility for rewards is at Cloudflare’s sole discretion.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities in order to demonstrate impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded only one bounty.\n \n# Scope\nPlease see our classifications for primary targets and secondary targets. 
We may still reward reports with significant security impact on anything owned by Cloudflare, so we encourage you to report such bugs via this program.\n \n## Scope: Primary Targets\nProducts listed under the Cloudflare Products tab on [our website](https://www.cloudflare.com/) are in scope as a primary target, excluding our China network which is hosted by a partner. Current in scope products include:\n* [Stream](https://developers.cloudflare.com/stream/getting-started/)\n* [1.1.1.1 resolver](https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/)\n* 1.1.1.1/WARP Android and iOS apps\n* [Magic Transit](https://developers.cloudflare.com/magic-transit/)\n* [Cloudflare Pages](https://pages.cloudflare.com/)\n* [Cloudflare Workers](https://developers.cloudflare.com/workers/)\n* [Argo/Argo tunnel](https://developers.cloudflare.com/argo-tunnel/quickstart/)\n* [Spectrum](https://developers.cloudflare.com/spectrum/getting-started/)\n* [Load Balancing](https://developers.cloudflare.com/load-balancing/about/)\n* AMP Real URL\n* CDNJS\n* [Bot Management](https://developers.cloudflare.com/bots/)\n* Cloudflare Marketplace (platform only)*\n* [WAF](https://developers.cloudflare.com/waf/change-log/)\n* [Cloudflare for Teams](https://www.cloudflare.com/teams/)\n \n*Cloudflare Marketplace scope only covers the platform for browsing and enabling apps on to customer zones. Issues with apps on the marketplace that are created by third parties and are out of scope, but may be reviewed on a case-by-case basis at Cloudflare’s discretion.\n \n## Scope: Secondary Targets\n* dash.cloudflare.com\n* APIs listed on api.cloudflare.com\n \n## Scope: Other\n*  *.cloudflare.com (e.g. blog.cloudflare.com, www.cloudflare.com, community.cloudflare.com, etc.)\n* Open source products created by Cloudflare (github.com/cloudflare)\n* Anything owned by Cloudflare not listed in primary targets (e.g. 
cloudflareworkers.com, rpki.cloudflare.com, etc.)\n \n \n# Ineligible Vulnerability Types\nCloudflare does not consider the following to be eligible vulnerabilities under this program. In most cases, these issues will be closed as **Not Applicable:**\n\n## XSS in Cloudflare workers\nThe entire purpose of Workers is to allow customers to run their own Javascript, called from their website. As a consequence, it will be possible for visitors to the site to explicitly call those functions. However, Workers runs in an Iframe sandbox, disconnected from the rest of the customer's website. XSS attacks only impact security if they can run in the context of  dash.cloudflare.com or any domain where it affects the currently logged-in Cloudflare user.\n(https://sites.google.com/site/bughunteruniversity/nonvuln/xss-in-sandbox-domain)\n\n## Security issue on origin server\nA vulnerability is out of scope if it exists on the origin server and not in a service that Cloudflare provides. If an exploit relies on the reporter configuring their origin in an insecure and non-default/uncommon way (for example, think cache-poisoning, subdomain takeovers, etc.), we cannot fix the vulnerability.\n\n## Social Engineering\nAny form of social engineering attack will be considered out of scope. For example:\n* Pre-authenticated Clickjacking\n* Phishing\n* Impersonating Cloudflare in emails\n* Convincing customer support to do something on behalf of another user\n\n## WAF Bypasses\nWe consider WAF bypasses an enhancement to our WAF product rather than bugs, and any related reports will be closed out as Informational. All WAF bypass reports need to be reproducible on our test site https://waf.cumulusfire.net/xss. You are free to use this site for testing.\n \n## Broken Links and abandoned cloud resources\nWe consider fixes for reported broken links, including links to abandoned cloud resources, as enhancements to our products and websites rather than bugs. 
Reports of broken links will not be awarded. Cloud resource takeovers will be awarded a payout of $50 unless an actual vulnerability is demonstrated by a proof-of-concept. If a PoC is provided, it will be awarded in accordance with the standard rewards table.\n\n# Out of Scope\nWe will accept out of scope reports and evaluate them on a case-by-case basis in our sole discretion. \n\nThe following issues are considered out of scope:\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Subdomain takeovers under *.cdn.cloudflare.net\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing Best Practice, Configuration or Policy Suggestions including SSL/TLS configurations.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Output from Automated Scanners without a PoC to demonstrate a specific vulnerability.\n* Lack of Secure or HTTP only flag on non-sensitive cookies.\n* Email configuration issues without a PoC to demonstrate a specific flaw.\n* Broken links without demonstrating an attack\n \nNote: We have identified a problem in our sanitization library on dash.cloudflare.com which can cause XSS. We are aware of the issue and are working to fix it. We will not award bounties for XSS reported on dash.cloudflare.com as it would be a duplicate report. Thank you to the researchers who originally reported this issue. This note will be removed once the issue is fixed.\n \nNote: Mobilesdk is a product that we are sunsetting. 
Bounty for reports on this product will be awarded on a case-by-case basis at our sole discretion.\nAny of the activities below will result in disqualification from the program permanently:\n* Social engineering of Cloudflare employees, contractors, vendors, or service providers.\n* Physical attacks against Cloudflare employees, offices, and data centers.\n* Any Denial of Service attacks against Cloudflare and our products.\n* Any vulnerability obtained through the compromise of a Cloudflare customer or employee account. Please create a free account to test potential vulnerabilities. \n* Attempts to access/compromise customer assets that use Cloudflare.\n* Attempts to access/compromise Cloudflare's China network.\n* Attempts to access/compromise any 3rd party vendor that Cloudflare uses.\n* Attacks against the integrity of Cloudflare customers.\n \n# Guidelines for Testing\nPlease be considerate when testing our infrastructure. Failure to follow these guidelines will lead to disqualification from the Cloudflare Bug Bounty program.\n* Make sure that scanners have a narrow scope set that is limited to authorized Cloudflare IPs only. Aggressive, overly broad scans or those which include Cloudflare customer IPs without permission will be considered invalid.\n* Do not send unsolicited bulk messages (spam) or unauthorized messages.\n* Do not knowingly post, transmit, upload, link to, or send any malware.\n* Do not attack Cloudflare customers, partners or suppliers.\n* Testing should be done from a Cloudflare account associated with your @wearehackerone.com email address.\n \n# Reporting\nIf you believe you have found a security vulnerability that could impact Cloudflare or our users, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. 
We ask that you follow Cloudflare's [Vulnerability Disclosure Policy](https://www.cloudflare.com/disclosure/) and HackerOne's [Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines) and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research.\n \n# Recommended Report Format\nSubmitting high quality reports is highly encouraged. Please address the following bits of information in your report to demonstrate the quality of the vulnerability. Reports that are low quality and unclear will be closed. This recommended format will help you create a report that is in a readable format and contains all the information needed by Cloudflare.\n* Affected target, feature, or URL:\n* Description of problem:\n* Impact of the issue:\n* Steps to reproduce:\n* Proof of Concept:\n* Is knowledge of this issue currently public?\n \n# Eligibility and Disclosure\nIn order for your submission to be eligible:\n* You must agree to this policy.\n* You must be the first person to responsibly disclose an unknown issue.\nAll legitimate reports will be reviewed and assessed by Cloudflare's security team to determine eligibility.\nWe permit you to disclose your research publicly, subject to our review and approval, once the issue has been resolved or 90 days has passed, whichever comes first. If you are planning to share information about your research publicly at a conference, in a blog, or any other public forum, you agree to share your plans with us for review and approval at least 7 days prior to the publish date. 
You may not include information regarding any of our customer instances or data.\n \n# Privacy Policy, Restrictions and Taxes\nCloudflare maintains both a [privacy policy](https://www.cloudflare.com/privacypolicy/) and [transparency report](https://www.cloudflare.com/transparency/).\n \nAs mentioned in our Privacy and Security Policy, Cloudflare's website and services are not intended for, or designed to attract individuals under the age of 18. Due to the Children's Online Privacy Protection Act (COPPA), we cannot accept submissions from children under the age of 13. Reporters under the age of 18 will not be eligible to receive Cloudflare service rewards. We may find another way to recognize your effort at our discretion.\n \nThis program is not open to any individual on, or anyone residing in any country on, any U.S. sanctions lists. Cloudflare employees and their family members are not eligible for bounties.\n \nThe decision to pay a reward is entirely at our discretion. You must not violate any law. You are responsible for any tax implications or additional restrictions depending on your country and local law. We reserve the right to cancel this program at any time.\n \n# Legal Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we may take steps to make it known that your actions were conducted in compliance with this policy in our sole discretion. Cloudflare cannot authorize any activity on third-party products or guarantee they won’t pursue legal action against you. 
We aren’t responsible for your liability from actions performed on third parties.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-02-23T18:14:42.427Z"},{"id":3666963,"new_policy":"# Our Values\nCloudflare appreciates the work of security researchers, and we take security, trust, and transparency seriously. We developed a program to make it easier to report vulnerabilities to Cloudflare and to recognize you for your efforts to make the Internet a better place.\n\nFor research into our products, good starting points include our [Developer documentation](https://developers.cloudflare.com/docs/), [API documentation](https://api.cloudflare.com/#getting-started-endpoints), the [Learning Center](https://www.cloudflare.com/learning/), and any material on the [Cloudflare support forums](https://community.cloudflare.com/).\n \n# Rewards\nCloudflare awards bounties based on severity using the Common Vulnerability Scoring Standard (CVSS) version 3.\n \nPlease note that these are general guidelines for rewards, and that reward decisions are at the discretion of Cloudflare. Issues may receive a lower severity rating due to mitigating factors, Cloudflare’s assessment of business risk, or other context. 
All pricing is in USD.\n \n| Severity |  Critical (9.0 - 10.0) | High (7.0 - 8.9) | Medium (4.0 - 6.9)  |   Low (0.1 - 3.9)  |\n| --- | --- | --- | --- | --- |\n| **Primary Targets**  | $3,000   |  $1,000   |  $500   | $250 |\n| **Secondary Targets**  |  $2,700    |  $750   |  $350   |   $200  |\n|**Other** | $2,100 | $500 | $200 | $100 |\n**Note:** WAF Bypasses may be awarded up to $50 at the program's discretion.\n\n\n# Response Times\n* First Response: 2 days \n* Time to Triage: 2 days\n* Time to Bounty: 10 days\n* Time to Resolution: depends on severity and complexity\n\n# Collaborate with other hackers!\nIf your report is the product of collaboration, please add your collaborators before a bounty is awarded. [Let us know here](https://docs.google.com/forms/d/e/1FAIpQLSdGCbnBDcATSFeByRG0f5pBMRpEAzuJ0wXPC3jlscp3F7qOwg/viewform?urp=gmail_link) if you have questions!\n \n# Program Rules\n* By participating in this program, you agree to not discuss or otherwise disclose your ongoing work under this program or any vulnerabilities with parties outside of the program without explicit consent from Cloudflare, except as provided below.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward. Eligibility for rewards is at Cloudflare’s sole discretion.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities in order to demonstrate impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded only one bounty.\n \n# Scope\nPlease see our classifications for primary targets and secondary targets. 
We may still reward reports with significant security impact on anything owned by Cloudflare, so we encourage you to report such bugs via this program.\n \n## Scope: Primary Targets\nProducts listed under the Cloudflare Products tab on [our website](https://www.cloudflare.com/) are in scope as a primary target, excluding our China network, which is hosted by a partner. Current in-scope products include:\n* [Stream](https://developers.cloudflare.com/stream/getting-started/)\n* [1.1.1.1 resolver](https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/)\n* 1.1.1.1/WARP Android and iOS apps\n* [Magic Transit](https://developers.cloudflare.com/magic-transit/)\n* [Cloudflare Pages](https://pages.cloudflare.com/)\n* [Cloudflare Workers](https://developers.cloudflare.com/workers/)\n* [Argo/Argo tunnel](https://developers.cloudflare.com/argo-tunnel/quickstart/)\n* [Spectrum](https://developers.cloudflare.com/spectrum/getting-started/)\n* [Load Balancing](https://developers.cloudflare.com/load-balancing/about/)\n* AMP Real URL\n* CDNJS\n* [Bot Management](https://developers.cloudflare.com/bots/)\n* Cloudflare Marketplace (platform only)*\n* [WAF](https://developers.cloudflare.com/waf/change-log/)\n* [Cloudflare for Teams](https://www.cloudflare.com/teams/)\n \n*Cloudflare Marketplace scope only covers the platform for browsing and enabling apps onto customer zones. Issues with apps on the marketplace that are created by third parties are out of scope, but may be reviewed on a case-by-case basis at Cloudflare’s discretion.\n \n## Scope: Secondary Targets\n* dash.cloudflare.com\n* APIs listed on api.cloudflare.com\n \n## Scope: Other\n*  *.cloudflare.com (e.g. blog.cloudflare.com, www.cloudflare.com, community.cloudflare.com, etc.)\n* Open source products created by Cloudflare (github.com/cloudflare)\n* Anything owned by Cloudflare not listed in primary targets (e.g. 
cloudflareworkers.com, rpki.cloudflare.com, etc.)\n \n \n# Ineligible Vulnerability Types\nCloudflare does not consider the following to be eligible vulnerabilities under this program. In most cases, these issues will be closed as **Not Applicable:**\n\n## XSS in Cloudflare workers\nThe entire purpose of Workers is to allow customers to run their own Javascript, called from their website. As a consequence, it will be possible for visitors to the site to explicitly call those functions. However, Workers runs in an Iframe sandbox, disconnected from the rest of the customer's website. XSS attacks only impact security if they can run in the context of  dash.cloudflare.com or any domain where it affects the currently logged-in Cloudflare user.\n(https://sites.google.com/site/bughunteruniversity/nonvuln/xss-in-sandbox-domain)\n\n## Security issue on origin server\nA vulnerability is out of scope if it exists on the origin server and not in a service that Cloudflare provides. If an exploit relies on the reporter configuring their origin in an insecure and non-default/uncommon way (for example, think cache-poisoning, subdomain takeovers, etc.), we cannot fix the vulnerability.\n\n## Social Engineering\nAny form of social engineering attack will be considered out of scope. For example:\n* Pre-authenticated Clickjacking\n* Phishing\n* Impersonating Cloudflare in emails\n* Convincing customer support to do something on behalf of another user\n\n## WAF Bypasses\nWe consider WAF bypasses an enhancement to our WAF product rather than bugs, and any related reports will be closed out as Informational. All WAF bypass reports need to be reproducible on our test site https://waf.cumulusfire.net/xss. You are free to use this site for testing.\n \n## Broken Links and abandoned cloud resources\nWe consider fixes for reported broken links, including links to abandoned cloud resources, as enhancements to our products and websites rather than bugs. 
Reports of broken links will not be awarded. Cloud resource takeovers will be awarded a payout of $50 unless an actual vulnerability is demonstrated by a proof-of-concept. If a PoC is provided, it will be awarded in accordance with the standard rewards table.\n\n# Out of Scope\nWe will accept out of scope reports and evaluate them on a case-by-case basis in our sole discretion. \n\nThe following issues are considered out of scope:\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Subdomain takeovers under *.cdn.cloudflare.net\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing Best Practice, Configuration or Policy Suggestions including SSL/TLS configurations.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Output from Automated Scanners without a PoC to demonstrate a specific vulnerability.\n* Lack of Secure or HTTP only flag on non-sensitive cookies.\n* Email configuration issues without a PoC to demonstrate a specific flaw.\n* Broken links without demonstrating an attack\n \nNote: We have identified a problem in our sanitization library on dash.cloudflare.com which can cause XSS. We are aware of the issue and are working to fix it. We will not award bounties for XSS reported on dash.cloudflare.com as it would be a duplicate report. Thank you to the researchers who originally reported this issue. This note will be removed once the issue is fixed.\n \nNote: Mobilesdk is a product that we are sunsetting. 
Bounty for reports on this product will be awarded on a case-by-case basis at our sole discretion.\nAny of the activities below will result in disqualification from the program permanently:\n* Social engineering of Cloudflare employees, contractors, vendors, or service providers.\n* Physical attacks against Cloudflare employees, offices, and data centers.\n* Any Denial of Service attacks against Cloudflare and our products.\n* Any vulnerability obtained through the compromise of a Cloudflare customer or employee account. Please create a free account to test potential vulnerabilities. \n* Attempts to access/compromise customer assets that use Cloudflare.\n* Attempts to access/compromise Cloudflare's China network.\n* Attempts to access/compromise any 3rd party vendor that Cloudflare uses.\n* Attacks against the integrity of Cloudflare customers.\n \n# Guidelines for Testing\nPlease be considerate when testing our infrastructure. Failure to follow these guidelines will lead to disqualification from the Cloudflare Bug Bounty program.\n* Make sure that scanners have a narrow scope set that is limited to authorized Cloudflare IPs only. Aggressive, overly broad scans or those which include Cloudflare customer IPs without permission will be considered invalid.\n* Do not send unsolicited bulk messages (spam) or unauthorized messages.\n* Do not knowingly post, transmit, upload, link to, or send any malware.\n* Do not attack Cloudflare customers, partners or suppliers.\n* Testing should be done from a Cloudflare account associated with your @wearehackerone.com email address.\n \n# Reporting\nIf you believe you have found a security vulnerability that could impact Cloudflare or our users, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. 
We ask that you follow Cloudflare's [Vulnerability Disclosure Policy](https://www.cloudflare.com/disclosure/) and HackerOne's [Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines) and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research.\n \n# Recommended Report Format\nSubmitting high quality reports is highly encouraged. Please address the following bits of information in your report to demonstrate the quality of the vulnerability. Reports that are low quality and unclear will be closed. This recommended format will help you create a report that is in a readable format and contains all the information needed by Cloudflare.\n* Affected target, feature, or URL:\n* Description of problem:\n* Impact of the issue:\n* Steps to reproduce:\n* Proof of Concept:\n* Is knowledge of this issue currently public?\n \n# Eligibility and Disclosure\nIn order for your submission to be eligible:\n* You must agree to this policy.\n* You must be the first person to responsibly disclose an unknown issue.\nAll legitimate reports will be reviewed and assessed by Cloudflare's security team to determine eligibility.\nWe permit you to disclose your research publicly, subject to our review and approval, once the issue has been resolved or 90 days has passed, whichever comes first. If you are planning to share information about your research publicly at a conference, in a blog, or any other public forum, you agree to share your plans with us for review and approval at least 7 days prior to the publish date. 
You may not include information regarding any of our customer instances or data.\n \n# Privacy Policy, Restrictions and Taxes\nCloudflare maintains both a [privacy policy](https://www.cloudflare.com/privacypolicy/) and [transparency report](https://www.cloudflare.com/transparency/).\n \nAs mentioned in our Privacy and Security Policy, Cloudflare's website and services are not intended for, or designed to attract individuals under the age of 18. Due to the Children's Online Privacy Protection Act (COPPA), we cannot accept submissions from children under the age of 13. Reporters under the age of 18 will not be eligible to receive Cloudflare service rewards. We may find another way to recognize your effort at our discretion.\n \nThis program is not open to any individual on, or anyone residing in any country on, any U.S. sanctions lists. Cloudflare employees and their family members are not eligible for bounties.\n \nThe decision to pay a reward is entirely at our discretion. You must not violate any law. You are responsible for any tax implications or additional restrictions depending on your country and local law. We reserve the right to cancel this program at any time.\n \n# Legal Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we may take steps to make it known that your actions were conducted in compliance with this policy in our sole discretion. Cloudflare cannot authorize any activity on third-party products or guarantee they won’t pursue legal action against you. 
We aren’t responsible for your liability from actions performed on third parties.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-02-23T18:02:57.410Z"},{"id":3666135,"new_policy":"# Our Values\nCloudflare appreciates the work of security researchers, and we take security, trust, and transparency seriously. We developed a program to make it easier to report vulnerabilities to Cloudflare and to recognize you for your efforts to make the Internet a better place.\n\nFor research into our products, good starting points include our [Developer documentation](https://developers.cloudflare.com/docs/), [API documentation](https://api.cloudflare.com/#getting-started-endpoints), the [Learning Center](https://www.cloudflare.com/learning/), and any material on the [Cloudflare support forums](https://community.cloudflare.com/).\n \n# Rewards\nCloudflare awards bounties based on severity using the Common Vulnerability Scoring Standard (CVSS) version 3.\n \nPlease note that these are general guidelines for rewards, and that reward decisions are at the discretion of Cloudflare. Issues may receive a lower severity rating due to mitigating factors, Cloudflare’s assessment of business risk, or other context. All pricing is in USD.\n \n| Severity |  Critical (9.0 - 10.0) | High (7.0 - 8.9) | Medium (4.0 - 6.9)  |   Low (0.1 - 3.9)  |\n| --- | --- | --- | --- | --- |\n| **Primary Targets**  | $3,000   |  $1,000   |  $500   | $250 |\n| **Secondary Targets**  |  $2,700    |  $750   |  $350   |   $200  |\n|**Other** | $2,100 | $500 | $200 | $100 |\n**Note:** WAF Bypass - We consider WAF bypasses an enhancement to our WAF product rather than bugs. 
These bypasses will be awarded a payout of $50.\n\n\n# Response Times\n* First Response: 2 days \n* Time to Triage: 2 days\n* Time to Bounty: 10 days\n* Time to Resolution: depends on severity and complexity\n\n# Collaborate with other hackers!\nIf your report is the product of collaboration, please add your collaborators before a bounty is awarded. [Let us know here](https://docs.google.com/forms/d/e/1FAIpQLSdGCbnBDcATSFeByRG0f5pBMRpEAzuJ0wXPC3jlscp3F7qOwg/viewform?urp=gmail_link) if you have questions!\n \n# Program Rules\n* By participating in this program, you agree to not discuss or otherwise disclose your ongoing work under this program or any vulnerabilities with parties outside of the program without explicit consent from Cloudflare, except as provided below.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward. Eligibility for rewards is at Cloudflare’s sole discretion.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities in order to demonstrate impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded only one bounty.\n \n# Scope\nPlease see our classifications for primary targets and secondary targets. We may still reward reports with significant security impact on anything owned by Cloudflare, so we encourage you to report such bugs via this program.\n \n## Scope: Primary Targets\nProducts listed under the Cloudflare Products tab on [our website](https://www.cloudflare.com/) are in scope as a primary target, excluding our China network which is hosted by a partner. 
Current in-scope products include:\n* [Stream](https://developers.cloudflare.com/stream/getting-started/)\n* [1.1.1.1 resolver](https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/)\n* 1.1.1.1/WARP Android and iOS apps\n* [Magic Transit](https://developers.cloudflare.com/magic-transit/)\n* [Cloudflare Pages](https://pages.cloudflare.com/)\n* [Cloudflare Workers](https://developers.cloudflare.com/workers/)\n* [Argo/Argo tunnel](https://developers.cloudflare.com/argo-tunnel/quickstart/)\n* [Spectrum](https://developers.cloudflare.com/spectrum/getting-started/)\n* [Load Balancing](https://developers.cloudflare.com/load-balancing/about/)\n* AMP Real URL\n* CDNJS\n* [Bot Management](https://developers.cloudflare.com/bots/)\n* Cloudflare Marketplace (platform only)*\n* [WAF](https://developers.cloudflare.com/waf/change-log/)\n* [Cloudflare for Teams](https://www.cloudflare.com/teams/)\n \n*Cloudflare Marketplace scope only covers the platform for browsing and enabling apps onto customer zones. Issues with apps on the marketplace that are created by third parties are out of scope, but may be reviewed on a case-by-case basis at Cloudflare’s discretion.\n \n## Scope: Secondary Targets\n* dash.cloudflare.com\n* APIs listed on api.cloudflare.com\n \n## Scope: Other\n*  *.cloudflare.com (e.g. blog.cloudflare.com, www.cloudflare.com, community.cloudflare.com, etc.)\n* Open source products created by Cloudflare (github.com/cloudflare)\n* Anything owned by Cloudflare not listed in primary targets (e.g. cloudflareworkers.com, rpki.cloudflare.com, etc.)\n \n \n# Ineligible Vulnerability Types\nCloudflare does not consider the following to be eligible vulnerabilities under this program. In most cases, these issues will be closed as **Not Applicable:**\n\n## XSS in Cloudflare Workers\nThe entire purpose of Workers is to allow customers to run their own JavaScript, called from their website. 
As a consequence, it will be possible for visitors to the site to explicitly call those functions. However, Workers runs in an Iframe sandbox, disconnected from the rest of the customer's website. XSS attacks only impact security if they can run in the context of  dash.cloudflare.com or any domain where it affects the currently logged-in Cloudflare user.\n(https://sites.google.com/site/bughunteruniversity/nonvuln/xss-in-sandbox-domain)\n\n## Security issue on origin server\nA vulnerability is out of scope if it exists on the origin server and not in a service that Cloudflare provides. If an exploit relies on the reporter configuring their origin in an insecure and non-default/uncommon way (for example, think cache-poisoning, subdomain takeovers, etc.), we cannot fix the vulnerability.\n\n## Social Engineering\nAny form of social engineering attack will be considered out of scope. For example:\n* Pre-authenticated Clickjacking\n* Phishing\n* Impersonating Cloudflare in emails\n* Convincing customer support to do something on behalf of another user\n\n## WAF Bypasses\nWe consider WAF bypasses an enhancement to our WAF product rather than bugs, and any related reports will be closed out as Informational. All WAF bypass reports need to be reproducible on our test site https://waf.cumulusfire.net/xss. You are free to use this site for testing.\n \n## Broken Links and abandoned cloud resources\nWe consider fixes for reported broken links, including links to abandoned cloud resources, as enhancements to our products and websites rather than bugs. Reports of broken links will not be awarded. Cloud resource takeovers will be awarded a payout of $50 unless an actual vulnerability is demonstrated by a proof-of-concept. If a PoC is provided, it will be awarded in accordance with the standard rewards table.\n\n# Out of Scope\nWe will accept out of scope reports and evaluate them on a case-by-case basis in our sole discretion. 
\n\nThe following issues are considered out of scope:\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Subdomain takeovers under *.cdn.cloudflare.net\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing Best Practice, Configuration or Policy Suggestions including SSL/TLS configurations.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Output from Automated Scanners without a PoC to demonstrate a specific vulnerability.\n* Lack of Secure or HTTP only flag on non-sensitive cookies.\n* Email configuration issues without a PoC to demonstrate a specific flaw.\n* Broken links without demonstrating an attack\n \nNote: We have identified a problem in our sanitization library on dash.cloudflare.com which can cause XSS. We are aware of the issue and are working to fix it. We will not award bounties for XSS reported on dash.cloudflare.com as it would be a duplicate report. Thank you to the researchers who originally reported this issue. This note will be removed once the issue is fixed.\n \nNote: Mobilesdk is a product that we are sunsetting. Bounty for reports on this product will be awarded on a case-by-case basis at our sole discretion.\nAny of the activities below will result in disqualification from the program permanently:\n* Social engineering of Cloudflare employees, contractors, vendors, or service providers.\n* Physical attacks against Cloudflare employees, offices, and data centers.\n* Any Denial of Service attacks against Cloudflare and our products.\n* Any vulnerability obtained through the compromise of a Cloudflare customer or employee account. 
Please create a free account to test potential vulnerabilities. \n* Attempts to access/compromise customer assets that use Cloudflare.\n* Attempts to access/compromise Cloudflare's China network.\n* Attempts to access/compromise any 3rd party vendor that Cloudflare uses.\n* Attacks against the integrity of Cloudflare customers.\n \n# Guidelines for Testing\nPlease be considerate when testing our infrastructure. Failure to follow these guidelines will lead to disqualification from the Cloudflare Bug Bounty program.\n* Make sure that scanners have a narrow scope set that is limited to authorized Cloudflare IPs only. Aggressive, overly broad scans or those which include Cloudflare customer IPs without permission will be considered invalid.\n* Do not send unsolicited bulk messages (spam) or unauthorized messages.\n* Do not knowingly post, transmit, upload, link to, or send any malware.\n* Do not attack Cloudflare customers, partners or suppliers.\n* Testing should be done from a Cloudflare account associated with your @wearehackerone.com email address.\n \n# Reporting\nIf you believe you have found a security vulnerability that could impact Cloudflare or our users, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. We ask that you follow Cloudflare's [Vulnerability Disclosure Policy](https://www.cloudflare.com/disclosure/) and HackerOne's [Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines) and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research.\n \n# Recommended Report Format\nSubmitting high quality reports is highly encouraged. Please address the following bits of information in your report to demonstrate the quality of the vulnerability. Reports that are low quality and unclear will be closed. 
This recommended format will help you create a report that is in a readable format and contains all the information needed by Cloudflare.\n* Affected target, feature, or URL:\n* Description of problem:\n* Impact of the issue:\n* Steps to reproduce:\n* Proof of Concept:\n* Is knowledge of this issue currently public?\n \n# Eligibility and Disclosure\nIn order for your submission to be eligible:\n* You must agree to this policy.\n* You must be the first person to responsibly disclose an unknown issue.\nAll legitimate reports will be reviewed and assessed by Cloudflare's security team to determine eligibility.\nWe permit you to disclose your research publicly, subject to our review and approval, once the issue has been resolved or 90 days has passed, whichever comes first. If you are planning to share information about your research publicly at a conference, in a blog, or any other public forum, you agree to share your plans with us for review and approval at least 7 days prior to the publish date. You may not include information regarding any of our customer instances or data.\n \n# Privacy Policy, Restrictions and Taxes\nCloudflare maintains both a [privacy policy](https://www.cloudflare.com/privacypolicy/) and [transparency report](https://www.cloudflare.com/transparency/).\n \nAs mentioned in our Privacy and Security Policy, Cloudflare's website and services are not intended for, or designed to attract individuals under the age of 18. Due to the Children's Online Privacy Protection Act (COPPA), we cannot accept submissions from children under the age of 13. Reporters under the age of 18 will not be eligible to receive Cloudflare service rewards. We may find another way to recognize your effort at our discretion.\n \nThis program is not open to any individual on, or anyone residing in any country on, any U.S. sanctions lists. Cloudflare employees and their family members are not eligible for bounties.\n \nThe decision to pay a reward is entirely at our discretion. 
You must not violate any law. You are responsible for any tax implications or additional restrictions depending on your country and local law. We reserve the right to cancel this program at any time.\n \n# Legal Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we may take steps to make it known that your actions were conducted in compliance with this policy in our sole discretion. Cloudflare cannot authorize any activity on third-party products or guarantee they won’t pursue legal action against you. We aren’t responsible for your liability from actions performed on third parties.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-02-04T10:56:50.630Z"},{"id":3665697,"new_policy":"# Our Values\nCloudflare appreciates the work of security researchers, and we take security, trust, and transparency seriously. 
We developed a program to make it easier to report vulnerabilities to Cloudflare and to recognize you for your efforts to make the Internet a better place.\n\nFor research into our products, good starting points include our [Developer documentation](https://developers.cloudflare.com/docs/), [API documentation](https://api.cloudflare.com/#getting-started-endpoints), the [Learning Center](https://www.cloudflare.com/learning/), and any material on the [Cloudflare support forums](https://community.cloudflare.com/).\n \n# Rewards\nCloudflare awards bounties based on severity using the Common Vulnerability Scoring Standard (CVSS) version 3.\n \nPlease note that these are general guidelines for rewards, and that reward decisions are at the discretion of Cloudflare. Issues may receive a lower severity rating due to mitigating factors, Cloudflare’s assessment of business risk, or other context. All pricing is in USD.\n \n| Severity |  Critical (9.0 - 10.0) | High (7.0 - 8.9) | Medium (4.0 - 6.9)  |   Low (0.1 - 3.9)  |\n| --- | --- | --- | --- | --- |\n| **Primary Targets**  | $3,000   |  $1,000   |  $500   | $250 |\n| **Secondary Targets**  |  $2,700    |  $750   |  $350   |   $200  |\n|**Other** | $2,100 | $500 | $200 | $100 |\n**Note:** WAF Bypass - We consider WAF bypasses an enhancement to our WAF product rather than bugs. These bypasses will be awarded a payout of $50.\n\n\n# Response Times\n* First Response: 2 days \n* Time to Triage: 2 days\n* Time to Bounty: 10 days\n* Time to Resolution: depends on severity and complexity\n\n# Collaborate with other hackers!\nIf your report is the product of collaboration, please add your collaborators before a bounty is awarded. 
[Let us know here](https://docs.google.com/forms/d/e/1FAIpQLSdGCbnBDcATSFeByRG0f5pBMRpEAzuJ0wXPC3jlscp3F7qOwg/viewform?urp=gmail_link) if you have questions!\n \n# Program Rules\n* By participating in this program, you agree to not discuss or otherwise disclose your ongoing work under this program or any vulnerabilities with parties outside of the program without explicit consent from Cloudflare, except as provided below.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward. Eligibility for rewards is at Cloudflare’s sole discretion.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities in order to demonstrate impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded only one bounty.\n \n# Scope\nPlease see our classifications for primary targets and secondary targets. We may still reward reports with significant security impact on anything owned by Cloudflare, so we encourage you to report such bugs via this program.\n \n## Scope: Primary Targets\nProducts listed under the Cloudflare Products tab on [our website](https://www.cloudflare.com/) are in scope as a primary target, excluding our China network which is hosted by a partner. 
Current in-scope products include:\n* [Stream](https://developers.cloudflare.com/stream/getting-started/)\n* [1.1.1.1 resolver](https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/)\n* 1.1.1.1/WARP Android and iOS apps\n* [Magic Transit](https://developers.cloudflare.com/magic-transit/)\n* [Cloudflare Pages](https://pages.cloudflare.com/)\n* [Cloudflare Workers](https://developers.cloudflare.com/workers/)\n* [Argo/Argo tunnel](https://developers.cloudflare.com/argo-tunnel/quickstart/)\n* [Spectrum](https://developers.cloudflare.com/spectrum/getting-started/)\n* [Load Balancing](https://developers.cloudflare.com/load-balancing/about/)\n* AMP Real URL\n* CDNJS\n* [Bot Management](https://developers.cloudflare.com/bots/)\n* Cloudflare Marketplace (platform only)*\n* [WAF](https://developers.cloudflare.com/waf/change-log/)\n* [Cloudflare for Teams](https://www.cloudflare.com/teams/)\n \n*Cloudflare Marketplace scope only covers the platform for browsing and enabling apps onto customer zones. Issues with apps on the marketplace that are created by third parties are out of scope, but may be reviewed on a case-by-case basis at Cloudflare’s discretion.\n \n## Scope: Secondary Targets\n* dash.cloudflare.com\n* APIs listed on api.cloudflare.com\n \n## Scope: Other\n*  *.cloudflare.com (e.g. blog.cloudflare.com, www.cloudflare.com, community.cloudflare.com, etc.)\n* Open source products created by Cloudflare (github.com/cloudflare)\n* Anything owned by Cloudflare not listed in primary targets (e.g. cloudflareworkers.com, rpki.cloudflare.com, etc.)\n \n \n# Ineligible Vulnerability Types\nCloudflare does not consider the following to be eligible vulnerabilities under this program. In most cases, these issues will be closed as **Not Applicable:**\n\n## XSS in Cloudflare Workers\nThe entire purpose of Workers is to allow customers to run their own JavaScript, called from their website. 
As a consequence, it will be possible for visitors to the site to explicitly call those functions. However, Workers runs in an iframe sandbox, disconnected from the rest of the customer's website. XSS attacks only impact security if they can run in the context of dash.cloudflare.com or any domain where they affect the currently logged-in Cloudflare user.\n(https://sites.google.com/site/bughunteruniversity/nonvuln/xss-in-sandbox-domain)\n\n## Security issue on origin server\nA vulnerability is out of scope if it exists on the origin server and not in a service that Cloudflare provides. If an exploit relies on the reporter configuring their origin in an insecure and non-default/uncommon way (for example, think cache-poisoning, subdomain takeovers, etc.), we cannot fix the vulnerability.\n\n## Social Engineering\nAny form of social engineering attack will be considered out of scope. For example:\n* Pre-authenticated Clickjacking\n* Phishing\n* Impersonating Cloudflare in emails\n* Convincing customer support to do something on behalf of another user\n\n## WAF Bypasses\nWe consider WAF bypasses an enhancement to our WAF product rather than bugs, and any related reports will be closed out as Informational. All WAF bypass reports need to be reproducible on our test site https://waf.cumulusfire.net/xss. You are free to use this site for testing.\n \n## Broken Links and abandoned buckets\nWe consider fixes for reported broken links, including links to abandoned buckets, as enhancements to our products and websites rather than bugs. Reports of broken links will not be awarded. Bucket takeovers will be awarded a payout of $50 unless an actual vulnerability is demonstrated by a proof-of-concept. If a PoC is provided, it will be awarded in accordance with the standard rewards table.\n\n# Out of Scope\nWe will accept out of scope reports and evaluate them on a case-by-case basis in our sole discretion. 
\n\nThe following issues are considered out of scope:\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Subdomain takeovers under *.cdn.cloudflare.net\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing Best Practice, Configuration or Policy Suggestions including SSL/TLS configurations.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Output from Automated Scanners without a PoC to demonstrate a specific vulnerability.\n* Lack of Secure or HTTP only flag on non-sensitive cookies.\n* Email configuration issues without a PoC to demonstrate a specific flaw.\n* Broken links without demonstrating an attack\n \nNote: We have identified a problem in our sanitization library on dash.cloudflare.com which can cause XSS. We are aware of the issue and are working to fix it. We will not award bounties for XSS reported on dash.cloudflare.com as it would be a duplicate report. Thank you to the researchers who originally reported this issue. This note will be removed once the issue is fixed.\n \nNote: Mobilesdk is a product that we are sunsetting. Bounty for reports on this product will be awarded on a case-by-case basis at our sole discretion.\nAny of the activities below will result in disqualification from the program permanently:\n* Social engineering of Cloudflare employees, contractors, vendors, or service providers.\n* Physical attacks against Cloudflare employees, offices, and data centers.\n* Any Denial of Service attacks against Cloudflare and our products.\n* Any vulnerability obtained through the compromise of a Cloudflare customer or employee account. 
Please create a free account to test potential vulnerabilities. \n* Attempts to access/compromise customer assets that use Cloudflare.\n* Attempts to access/compromise Cloudflare's China network.\n* Attempts to access/compromise any 3rd party vendor that Cloudflare uses.\n* Attacks against the integrity of Cloudflare customers.\n \n# Guidelines for Testing\nPlease be considerate when testing our infrastructure. Failure to follow these guidelines will lead to disqualification from the Cloudflare Bug Bounty program.\n* Make sure that scanners have a narrow scope set that is limited to authorized Cloudflare IPs only. Aggressive, overly broad scans or those which include Cloudflare customer IPs without permission will be considered invalid.\n* Do not send unsolicited bulk messages (spam) or unauthorized messages.\n* Do not knowingly post, transmit, upload, link to, or send any malware.\n* Do not attack Cloudflare customers, partners or suppliers.\n* Testing should be done from a Cloudflare account associated with your @wearehackerone.com email address.\n \n# Reporting\nIf you believe you have found a security vulnerability that could impact Cloudflare or our users, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. We ask that you follow Cloudflare's [Vulnerability Disclosure Policy](https://www.cloudflare.com/disclosure/) and HackerOne's [Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines) and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research.\n \n# Recommended Report Format\nSubmitting high quality reports is highly encouraged. Please address the following bits of information in your report to demonstrate the quality of the vulnerability. Reports that are low quality and unclear will be closed. 
This recommended format will help you create a report that is in a readable format and contains all the information needed by Cloudflare.\n* Affected target, feature, or URL:\n* Description of problem:\n* Impact of the issue:\n* Steps to reproduce:\n* Proof of Concept:\n* Is knowledge of this issue currently public?\n \n# Eligibility and Disclosure\nIn order for your submission to be eligible:\n* You must agree to this policy.\n* You must be the first person to responsibly disclose an unknown issue.\nAll legitimate reports will be reviewed and assessed by Cloudflare's security team to determine eligibility.\nWe permit you to disclose your research publicly, subject to our review and approval, once the issue has been resolved or 90 days has passed, whichever comes first. If you are planning to share information about your research publicly at a conference, in a blog, or any other public forum, you agree to share your plans with us for review and approval at least 7 days prior to the publish date. You may not include information regarding any of our customer instances or data.\n \n# Privacy Policy, Restrictions and Taxes\nCloudflare maintains both a [privacy policy](https://www.cloudflare.com/privacypolicy/) and [transparency report](https://www.cloudflare.com/transparency/).\n \nAs mentioned in our Privacy and Security Policy, Cloudflare's website and services are not intended for, or designed to attract individuals under the age of 18. Due to the Children's Online Privacy Protection Act (COPPA), we cannot accept submissions from children under the age of 13. Reporters under the age of 18 will not be eligible to receive Cloudflare service rewards. We may find another way to recognize your effort at our discretion.\n \nThis program is not open to any individual on, or anyone residing in any country on, any U.S. sanctions lists. Cloudflare employees and their family members are not eligible for bounties.\n \nThe decision to pay a reward is entirely at our discretion. 
You must not violate any law. You are responsible for any tax implications or additional restrictions depending on your country and local law. We reserve the right to cancel this program at any time.\n \n# Legal Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we may take steps to make it known that your actions were conducted in compliance with this policy in our sole discretion. Cloudflare cannot authorize any activity on third-party products or guarantee they won’t pursue legal action against you. We aren’t responsible for your liability from actions performed on third parties.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-02-01T17:09:31.876Z"},{"id":3665695,"new_policy":"# Our Values\nCloudflare appreciates the work of security researchers, and we take security, trust, and transparency seriously. 
We developed a program to make it easier to report vulnerabilities to Cloudflare and to recognize you for your efforts to make the Internet a better place.\nFor research into our products, good starting points include our [Developer documentation](https://developers.cloudflare.com/docs/), [API documentation](https://api.cloudflare.com/#getting-started-endpoints), the [Learning Center](https://www.cloudflare.com/learning/), and any material on the [Cloudflare support forums](https://community.cloudflare.com/).\n \n# Rewards\nCloudflare awards bounties based on severity using the Common Vulnerability Scoring Standard (CVSS) version 3.\n \nPlease note that these are general guidelines for rewards, and that reward decisions are at the discretion of Cloudflare. Issues may receive a lower severity rating due to mitigating factors, Cloudflare’s assessment of business risk, or other context. All pricing is in USD.\n \n| Severity |  Critical (9.0 - 10.0) | High (7.0 - 8.9) | Medium (4.0 - 6.9)  |   Low (0.1 - 3.9)  |\n| --- | --- | --- | --- | --- |\n| **Primary Targets**  | $3,000   |  $1,000   |  $500   | $250 |\n| **Secondary Targets**  |  $2,700    |  $750   |  $350   |   $200  |\n|**Other** | $2,100 | $500 | $200 | $100 |\n**Note:** WAF Bypass - We consider WAF bypasses an enhancement to our WAF product rather than bugs. These bypasses will be awarded a payout of $50.\n\n\n# Response Times\n* First Response: 2 days \n* Time to Triage: 2 days\n* Time to Bounty: 10 days\n* Time to Resolution: depends on severity and complexity\n\n# Collaborate with other hackers!\nIf your report is the product of collaboration, please add your collaborators before a bounty is awarded. 
[Let us know here](https://docs.google.com/forms/d/e/1FAIpQLSdGCbnBDcATSFeByRG0f5pBMRpEAzuJ0wXPC3jlscp3F7qOwg/viewform?urp=gmail_link) if you have questions!\n \n# Program Rules\n* By participating in this program, you agree to not discuss or otherwise disclose your ongoing work under this program or any vulnerabilities with parties outside of the program without explicit consent from Cloudflare, except as provided below.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward. Eligibility for rewards is at Cloudflare’s sole discretion.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities in order to demonstrate impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded only one bounty.\n \n# Scope\nPlease see our classifications for primary targets and secondary targets. We may still reward reports with significant security impact on anything owned by Cloudflare, so we encourage you to report such bugs via this program.\n \n## Scope: Primary Targets\nProducts listed under the Cloudflare Products tab on [our website](https://www.cloudflare.com/) are in scope as a primary target, excluding our China network which is hosted by a partner. 
Current in scope products include:\n* [Stream](https://developers.cloudflare.com/stream/getting-started/)\n* [1.1.1.1 resolver](https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/)\n* 1.1.1.1/WARP Android and iOS apps\n* [Magic Transit](https://developers.cloudflare.com/magic-transit/)\n* [Cloudflare Pages](https://pages.cloudflare.com/)\n* [Cloudflare Workers](https://developers.cloudflare.com/workers/)\n* [Argo/Argo tunnel](https://developers.cloudflare.com/argo-tunnel/quickstart/)\n* [Spectrum](https://developers.cloudflare.com/spectrum/getting-started/)\n* [Load Balancing](https://developers.cloudflare.com/load-balancing/about/)\n* AMP Real URL\n* CDNJS\n* [Bot Management](https://developers.cloudflare.com/bots/)\n* Cloudflare Marketplace (platform only)*\n* [WAF](https://developers.cloudflare.com/waf/change-log/)\n* [Cloudflare for Teams](https://www.cloudflare.com/teams/)\n \n*Cloudflare Marketplace scope only covers the platform for browsing and enabling apps onto customer zones. Issues with apps on the marketplace that are created by third parties are out of scope, but may be reviewed on a case-by-case basis at Cloudflare’s discretion.\n \n## Scope: Secondary Targets\n* dash.cloudflare.com\n* APIs listed on api.cloudflare.com\n \n## Scope: Other\n* *.cloudflare.com (e.g. blog.cloudflare.com, www.cloudflare.com, community.cloudflare.com, etc.)\n* Open source products created by Cloudflare (github.com/cloudflare)\n* Anything owned by Cloudflare not listed in primary targets (e.g. cloudflareworkers.com, rpki.cloudflare.com, etc.)\n \n \n# Ineligible Vulnerability Types\nCloudflare does not consider the following to be eligible vulnerabilities under this program. In most cases, these issues will be closed as **Not Applicable:**\n\n## XSS in Cloudflare Workers\nThe entire purpose of Workers is to allow customers to run their own JavaScript, called from their website. 
As a consequence, it will be possible for visitors to the site to explicitly call those functions. However, Workers runs in an iframe sandbox, disconnected from the rest of the customer's website. XSS attacks only impact security if they can run in the context of dash.cloudflare.com or any domain where they affect the currently logged-in Cloudflare user.\n(https://sites.google.com/site/bughunteruniversity/nonvuln/xss-in-sandbox-domain)\n\n## Security issue on origin server\nA vulnerability is out of scope if it exists on the origin server and not in a service that Cloudflare provides. If an exploit relies on the reporter configuring their origin in an insecure and non-default/uncommon way (for example, think cache-poisoning, subdomain takeovers, etc.), we cannot fix the vulnerability.\n\n## Social Engineering\nAny form of social engineering attack will be considered out of scope. For example:\n* Pre-authenticated Clickjacking\n* Phishing\n* Impersonating Cloudflare in emails\n* Convincing customer support to do something on behalf of another user\n\n## WAF Bypasses\nWe consider WAF bypasses an enhancement to our WAF product rather than bugs, and any related reports will be closed out as Informational. All WAF bypass reports need to be reproducible on our test site https://waf.cumulusfire.net/xss. You are free to use this site for testing.\n \n## Broken Links and abandoned buckets\nWe consider fixes for reported broken links, including links to abandoned buckets, as enhancements to our products and websites rather than bugs. Reports of broken links will not be awarded. Bucket takeovers will be awarded a payout of $50 unless an actual vulnerability is demonstrated by a proof-of-concept. If a PoC is provided, it will be awarded in accordance with the standard rewards table.\n\n# Out of Scope\nWe will accept out of scope reports and evaluate them on a case-by-case basis in our sole discretion. 
\n\nThe following issues are considered out of scope:\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Subdomain takeovers under *.cdn.cloudflare.net\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing Best Practice, Configuration or Policy Suggestions including SSL/TLS configurations.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Output from Automated Scanners without a PoC to demonstrate a specific vulnerability.\n* Lack of Secure or HTTP only flag on non-sensitive cookies.\n* Email configuration issues without a PoC to demonstrate a specific flaw.\n* Broken links without demonstrating an attack\n \nNote: We have identified a problem in our sanitization library on dash.cloudflare.com which can cause XSS. We are aware of the issue and are working to fix it. We will not award bounties for XSS reported on dash.cloudflare.com as it would be a duplicate report. Thank you to the researchers who originally reported this issue. This note will be removed once the issue is fixed.\n \nNote: Mobilesdk is a product that we are sunsetting. Bounty for reports on this product will be awarded on a case-by-case basis at our sole discretion.\nAny of the activities below will result in disqualification from the program permanently:\n* Social engineering of Cloudflare employees, contractors, vendors, or service providers.\n* Physical attacks against Cloudflare employees, offices, and data centers.\n* Any Denial of Service attacks against Cloudflare and our products.\n* Any vulnerability obtained through the compromise of a Cloudflare customer or employee account. 
Please create a free account to test potential vulnerabilities. \n* Attempts to access/compromise customer assets that use Cloudflare.\n* Attempts to access/compromise Cloudflare's China network.\n* Attempts to access/compromise any 3rd party vendor that Cloudflare uses.\n* Attacks against the integrity of Cloudflare customers.\n \n# Guidelines for Testing\nPlease be considerate when testing our infrastructure. Failure to follow these guidelines will lead to disqualification from the Cloudflare Bug Bounty program.\n* Make sure that scanners have a narrow scope set that is limited to authorized Cloudflare IPs only. Aggressive, overly broad scans or those which include Cloudflare customer IPs without permission will be considered invalid.\n* Do not send unsolicited bulk messages (spam) or unauthorized messages.\n* Do not knowingly post, transmit, upload, link to, or send any malware.\n* Do not attack Cloudflare customers, partners or suppliers.\n* Testing should be done from a Cloudflare account associated with your @wearehackerone.com email address.\n \n# Reporting\nIf you believe you have found a security vulnerability that could impact Cloudflare or our users, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. We ask that you follow Cloudflare's [Vulnerability Disclosure Policy](https://www.cloudflare.com/disclosure/) and HackerOne's [Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines) and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research.\n \n# Recommended Report Format\nSubmitting high quality reports is highly encouraged. Please address the following bits of information in your report to demonstrate the quality of the vulnerability. Reports that are low quality and unclear will be closed. 
This recommended format will help you create a report that is in a readable format and contains all the information needed by Cloudflare.\n* Affected target, feature, or URL:\n* Description of problem:\n* Impact of the issue:\n* Steps to reproduce:\n* Proof of Concept:\n* Is knowledge of this issue currently public?\n \n# Eligibility and Disclosure\nIn order for your submission to be eligible:\n* You must agree to this policy.\n* You must be the first person to responsibly disclose an unknown issue.\nAll legitimate reports will be reviewed and assessed by Cloudflare's security team to determine eligibility.\nWe permit you to disclose your research publicly, subject to our review and approval, once the issue has been resolved or 90 days has passed, whichever comes first. If you are planning to share information about your research publicly at a conference, in a blog, or any other public forum, you agree to share your plans with us for review and approval at least 7 days prior to the publish date. You may not include information regarding any of our customer instances or data.\n \n# Privacy Policy, Restrictions and Taxes\nCloudflare maintains both a [privacy policy](https://www.cloudflare.com/privacypolicy/) and [transparency report](https://www.cloudflare.com/transparency/).\n \nAs mentioned in our Privacy and Security Policy, Cloudflare's website and services are not intended for, or designed to attract individuals under the age of 18. Due to the Children's Online Privacy Protection Act (COPPA), we cannot accept submissions from children under the age of 13. Reporters under the age of 18 will not be eligible to receive Cloudflare service rewards. We may find another way to recognize your effort at our discretion.\n \nThis program is not open to any individual on, or anyone residing in any country on, any U.S. sanctions lists. Cloudflare employees and their family members are not eligible for bounties.\n \nThe decision to pay a reward is entirely at our discretion. 
You must not violate any law. You are responsible for any tax implications or additional restrictions depending on your country and local law. We reserve the right to cancel this program at any time.\n \n# Legal Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we may take steps to make it known that your actions were conducted in compliance with this policy in our sole discretion. Cloudflare cannot authorize any activity on third-party products or guarantee they won’t pursue legal action against you. We aren’t responsible for your liability from actions performed on third parties.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-02-01T16:58:47.985Z"},{"id":3660784,"new_policy":"# Our Values\nCloudflare appreciates the work of security researchers and we take security, trust, and transparency seriously. We developed a program to make it easier to report vulnerabilities to Cloudflare and to recognize you for your efforts to make the Internet a better place.\n\nFor research into our products, good starting points include our [Developer documentation](https://developers.cloudflare.com/docs/), [API documentation](https://api.cloudflare.com/#getting-started-endpoints), the [Learning Center](https://www.cloudflare.com/learning/), and any material on the Cloudflare [support forums](https://community.cloudflare.com/).\n\n# Private Bug Bounty Program\nCloudflare runs a private bug bounty program. 
If you submit a valid report on bounty-eligible assets through our disclosure program, we will transfer your report to our bug bounty program and invite you as a participant.  \n\n# Scope\nAll Cloudflare products are in scope for reporting. We may reward anything with significant impact across our entire security posture, so we encourage you to report such bugs via this program.\n\n# Out of Scope\nThe following issues are considered out of scope:\n\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Subdomain takeovers under `*.cdn.cloudflare.net`\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing Best Practice, Configuration or Policy Suggestions including SSL/TLS configurations.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Output from Automated Scanners without a PoC to demonstrate a specific vulnerability\n* Lack of Secure or HTTP only flag on non-sensitive cookies\n* Email configuration issues without a PoC to demonstrate a specific flaw\n* Social engineering of Cloudflare employees, contractors, vendors, or service providers.\n* Physical attacks against Cloudflare employees, offices, and data centers.\n* Any Denial of Service attacks against Cloudflare and our products.\n* Any vulnerability obtained through the compromise of a Cloudflare customer or employee account. 
Please create a free account to test potential vulnerabilities.\n* Customer assets that use Cloudflare\n* Cloudflare's China network\n* Any 3rd party vendor that Cloudflare uses\n* Attacks against the integrity of Cloudflare customers.\n\n# Guidelines for Testing\nPlease be considerate when testing our infrastructure.\n* Make sure that scanners have a narrow scope set that is limited to authorized Cloudflare IPs only. Aggressive, overly broad scans or those which include Cloudflare customer IPs without permission will be considered invalid.\n* Do not send unsolicited bulk messages (spam) or unauthorized messages.\n* Do not knowingly post, transmit, upload, link to, or send any malware.\n* Do not attack Cloudflare customers, partners or suppliers.\n* Testing should be done from a Cloudflare account associated with your @wearehackerone.com email address.\n\n### WAF Bypasses\nWe consider WAF bypasses an enhancement to our WAF product rather than bugs, and such reports will be closed out as Informational. Additionally, any XSS WAF bypass reported needs to be reproducible on our test site https://waf.cumulusfire.net/xss. You are free to use this site for testing.\n\n# Reporting\nIf you believe you have found a security vulnerability that could impact Cloudflare or our users, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. We ask that you follow Cloudflare's [Vulnerability Disclosure Policy](https://www.cloudflare.com/disclosure/) and HackerOne's [Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines) and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research.\n\n# Recommended Report Format\nSubmitting high quality reports is highly encouraged. Please address the following bits of information in your report to demonstrate the quality of the vulnerability. 
Reports that are low quality and unclear will be closed. This recommended format will guarantee that your report is in a readable format and contains all the information needed by Cloudflare.\n* Affected target, feature, or URL:\n* Description of problem:\n* Impact of the issue:\n* Steps to reproduce:\n* Proof of Concept:\n* Is knowledge of this issue currently public?\n\n# Eligibility and Disclosure\nIn order for your submission to be eligible:\n* You must agree to our [Vulnerability Disclosure Policy](https://www.cloudflare.com/disclosure/).\n* You must be the first person to responsibly disclose an unknown issue.\n\nAll legitimate reports will be reviewed and assessed by Cloudflare's security team to determine if it is eligible.\n\n# Privacy Policy, Restrictions and Taxes\nCloudflare maintains both a [privacy policy](https://www.cloudflare.com/privacypolicy/) and [transparency report](https://www.cloudflare.com/transparency/).\n\nAs mentioned in our Privacy and Security Policy, Cloudflare's website and services are not intended for, or designed to attract, individuals under the age of 18. Due to the Children's Online Privacy Protection Act (COPPA), we cannot accept submissions from children under the age of 13. Reporters under the age of 18 will not be eligible to receive Cloudflare service rewards. We will find another way to recognize your effort.\n\nThis program is not open to any individual on, or residing in any country on, any U.S. sanctions lists.\nThe decision to pay a reward is entirely at our discretion. You must not violate any law. You are responsible for any tax implications or additional restrictions depending on your country and local law. We reserve the right to cancel this program at any time. Cloudflare employees and their family members are not eligible for bounties.\n\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nYou are responsible for paying any taxes associated with rewards. We may modify the terms of this program or terminate this program at any time, but we won’t apply any changes we make to these program terms retroactively. Reports from individuals who we are prohibited by law from paying are ineligible for rewards. Cloudflare employees and their family members are not eligible for bounties.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-10-29T09:01:53.516Z"},{"id":3652798,"new_policy":"# Our Values\nCloudflare appreciates the work of security researchers and we take security, trust, and transparency seriously. We developed a program to make it easier to report vulnerabilities to Cloudflare and to recognize you for your efforts to make the Internet a better place.\n\nFor research into our products, good starting points include our [Developer documentation](https://developers.cloudflare.com/docs/), [API documentation](https://api.cloudflare.com/#getting-started-endpoints), the [Learning Center](https://www.cloudflare.com/learning/), and any material on the Cloudflare [support forums](https://community.cloudflare.com/).\n\n# Private Bug Bounty Program\nCloudflare runs a private bug bounty program. If you submit a valid report on bounty-eligible assets through our disclosure program, we will transfer your report to our bug bounty program and invite you as a participant.  \n\n# Scope\nAll Cloudflare products are in scope for reporting. 
We may reward anything with significant impact across our entire security posture, so we encourage you to report such bugs via this program.\n\n# Out of Scope\nThe following issues are considered out of scope:\n\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Subdomain takeovers under `*.cdn.cloudflare.net`\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing Best Practice, Configuration or Policy Suggestions including SSL/TLS configurations.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Output from Automated Scanners without a PoC to demonstrate a specific vulnerability\n* Lack of Secure or HTTP only flag on non-sensitive cookies\n* Email configuration issues without a PoC to demonstrate a specific flaw\n* Social engineering of Cloudflare employees, contractors, vendors, or service providers.\n* Physical attacks against Cloudflare employees, offices, and data centers.\n* Any Denial of Service attacks against Cloudflare and our products.\n* Any vulnerability obtained through the compromise of a Cloudflare customer or employee account. Please create a free account to test potential vulnerabilities.\n* Customer assets that use Cloudflare\n* Cloudflare's China network\n* Any 3rd party vendor that Cloudflare uses\n* Attacks against the integrity of Cloudflare customers.\n\n# Guidelines for Testing\nPlease be considerate when testing our infrastructure.\n* Make sure that scanners have a narrow scope set that is limited to authorized Cloudflare IPs only. 
Aggressive, overly broad scans or those which include Cloudflare customer IPs without permission will be considered invalid.\n* Do not send unsolicited bulk messages (spam) or unauthorized messages.\n* Do not knowingly post, transmit, upload, link to, or send any malware.\n* Do not attack Cloudflare customers, partners or suppliers.\n* Testing should be done from a Cloudflare account associated with your @wearehackerone.com email address.\n\n### XSS WAF Bypasses\nWe consider WAF XSS bypasses an enhancement to our WAF product rather than bugs, and they will be closed out as Informational. Any XSS WAF bypass reported needs to be reproducible on our test site https://waf.cumulusfire.net/xss. You are free to use this site for testing.\n\n# Reporting\nIf you believe you have found a security vulnerability that could impact Cloudflare or our users, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. We ask that you follow Cloudflare's [Vulnerability Disclosure Policy](https://www.cloudflare.com/disclosure/) and HackerOne's [Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines) and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research.\n\n# Recommended Report Format\nSubmitting high quality reports is highly encouraged. Please address the following bits of information in your report to demonstrate the quality of the vulnerability. Reports that are low quality and unclear will be closed. 
This recommended format will guarantee that your report is in a readable format and contains all the information needed by Cloudflare.\n* Affected target, feature, or URL:\n* Description of problem:\n* Impact of the issue:\n* Steps to reproduce:\n* Proof of Concept:\n* Is knowledge of this issue currently public?\n\n# Eligibility and Disclosure\nIn order for your submission to be eligible:\n* You must agree to our [Vulnerability Disclosure Policy](https://www.cloudflare.com/disclosure/).\n* You must be the first person to responsibly disclose an unknown issue.\n\nAll legitimate reports will be reviewed and assessed by Cloudflare's security team to determine if it is eligible.\n\n# Privacy Policy, Restrictions and Taxes\nCloudflare maintains both a [privacy policy](https://www.cloudflare.com/privacypolicy/) and [transparency report](https://www.cloudflare.com/transparency/).\n\nAs mentioned in our Privacy and Security Policy, Cloudflare's website and services are not intended for, or designed to attract, individuals under the age of 18. Due to the Children's Online Privacy Protection Act (COPPA), we cannot accept submissions from children under the age of 13. Reporters under the age of 18 will not be eligible to receive Cloudflare service rewards. We will find another way to recognize your effort.\n\nThis program is not open to any individual on, or residing in any country on, any U.S. sanctions lists.\nThe decision to pay a reward is entirely at our discretion. You must not violate any law. You are responsible for any tax implications or additional restrictions depending on your country and local law. We reserve the right to cancel this program at any time. Cloudflare employees and their family members are not eligible for bounties.\n\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nYou are responsible for paying any taxes associated with rewards. We may modify the terms of this program or terminate this program at any time, but we won’t apply any changes we make to these program terms retroactively. Reports from individuals who we are prohibited by law from paying are ineligible for rewards. Cloudflare employees and their family members are not eligible for bounties.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-05-27T18:12:06.310Z"},{"id":3643807,"new_policy":"# Our Values\nCloudflare appreciates the work of security researchers and we take security, trust, and transparency seriously. We developed a program to make it easier to report vulnerabilities to Cloudflare and to recognize you for your efforts to make the Internet a better place.\n\nFor research into our products, good starting points include our [Developer documentation](https://developers.cloudflare.com/docs/), [API documentation](https://api.cloudflare.com/#getting-started-endpoints), the [Learning Center](https://www.cloudflare.com/learning/), and any material on the Cloudflare [support forums](https://community.cloudflare.com/).\n\n# Private Bug Bounty Program\nCloudflare runs a private bug bounty program. If you submit a valid report on bounty-eligible assets through our disclosure program, we will transfer your report to our bug bounty program and invite you as a participant.  \n\n# Scope\nAll Cloudflare products are in scope for reporting. 
We may reward anything with significant impact across our entire security posture, so we encourage you to report such bugs via this program.\n\n# Out of Scope\nThe following issues are considered out of scope:\n\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing Best Practice, Configuration or Policy Suggestions including SSL/TLS configurations.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Output from Automated Scanners without a PoC to demonstrate a specific vulnerability\n* Lack of Secure or HTTP only flag on non-sensitive cookies\n* Email configuration issues without a PoC to demonstrate a specific flaw\n* Social engineering of Cloudflare employees, contractors, vendors, or service providers.\n* Physical attacks against Cloudflare employees, offices, and data centers.\n* Any Denial of Service attacks against Cloudflare and our products.\n* Any vulnerability obtained through the compromise of a Cloudflare customer or employee account. Please create a free account to test potential vulnerabilities.\n* Customer assets that use Cloudflare\n* Cloudflare's China network\n* Any 3rd party vendor that Cloudflare uses\n* Attacks against the integrity of Cloudflare customers.\n\n# Guidelines for Testing\nPlease be considerate when testing our infrastructure.\n* Make sure that scanners have a narrow scope set that is limited to authorized Cloudflare IPs only. 
Aggressive, overly broad scans or those which include Cloudflare customer IPs without permission will be considered invalid.\n* Do not send unsolicited bulk messages (spam) or unauthorized messages.\n* Do not knowingly post, transmit, upload, link to, or send any malware.\n* Do not attack Cloudflare customers, partners or suppliers.\n* Testing should be done from a Cloudflare account associated with your @wearehackerone.com email address.\n\n### XSS WAF Bypasses\nWe consider WAF XSS bypasses an enhancement to our WAF product rather than bugs, and they will be closed out as Informational. Any XSS WAF bypass reported needs to be reproducible on our test site https://waf.cumulusfire.net/xss. You are free to use this site for testing.\n\n# Reporting\nIf you believe you have found a security vulnerability that could impact Cloudflare or our users, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. We ask that you follow Cloudflare's [Vulnerability Disclosure Policy](https://www.cloudflare.com/disclosure/) and HackerOne's [Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines) and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research.\n\n# Recommended Report Format\nSubmitting high quality reports is highly encouraged. Please address the following bits of information in your report to demonstrate the quality of the vulnerability. Reports that are low quality and unclear will be closed. 
This recommended format will guarantee that your report is in a readable format and contains all the information needed by Cloudflare.\n* Affected target, feature, or URL:\n* Description of problem:\n* Impact of the issue:\n* Steps to reproduce:\n* Proof of Concept:\n* Is knowledge of this issue currently public?\n\n# Eligibility and Disclosure\nIn order for your submission to be eligible:\n* You must agree to our [Vulnerability Disclosure Policy](https://www.cloudflare.com/disclosure/).\n* You must be the first person to responsibly disclose an unknown issue.\n\nAll legitimate reports will be reviewed and assessed by Cloudflare's security team to determine if it is eligible.\n\n# Privacy Policy, Restrictions and Taxes\nCloudflare maintains both a [privacy policy](https://www.cloudflare.com/privacypolicy/) and [transparency report](https://www.cloudflare.com/transparency/).\n\nAs mentioned in our Privacy and Security Policy, Cloudflare's website and services are not intended for, or designed to attract, individuals under the age of 18. Due to the Children's Online Privacy Protection Act (COPPA), we cannot accept submissions from children under the age of 13. Reporters under the age of 18 will not be eligible to receive Cloudflare service rewards. We will find another way to recognize your effort.\n\nThis program is not open to any individual on, or residing in any country on, any U.S. sanctions lists.\nThe decision to pay a reward is entirely at our discretion. You must not violate any law. You are responsible for any tax implications or additional restrictions depending on your country and local law. We reserve the right to cancel this program at any time. Cloudflare employees and their family members are not eligible for bounties.\n\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nYou are responsible for paying any taxes associated with rewards. We may modify the terms of this program or terminate this program at any time, but we won’t apply any changes we make to these program terms retroactively. Reports from individuals who we are prohibited by law from paying are ineligible for rewards. Cloudflare employees and their family members are not eligible for bounties.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-10-15T17:14:42.040Z"},{"id":3643689,"new_policy":"# Our Values\nCloudflare appreciates the work of security researchers and we take security, trust, and transparency seriously. We developed a program to make it easier to report vulnerabilities to Cloudflare and to recognize you for your efforts to make the Internet a better place.\n\nFor research into our products, good starting points include our [Developer documentation](https://developers.cloudflare.com/docs/), [API documentation](https://api.cloudflare.com/#getting-started-endpoints), the [Learning Center](https://www.cloudflare.com/learning/), and any material on the Cloudflare [support forums](https://community.cloudflare.com/).\n\n# Private Bug Bounty Program\nCloudflare runs a private bug bounty program. If you submit a valid report on bounty-eligible assets through our disclosure program, we will transfer your report to our bug bounty program and invite you as a participant.  \n\n# Scope\nAll Cloudflare products are in scope for reporting. 
We may reward anything with significant impact across our entire security posture, so we encourage you to report such bugs via this program.\n\n# Out of Scope\nThe following issues are considered out of scope:\n\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing Best Practice, Configuration or Policy Suggestions including SSL/TLS configurations.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Output from Automated Scanners without a PoC to demonstrate a specific vulnerability\n* Lack of Secure or HTTP only flag on non-sensitive cookies\n* Email configuration issues without a PoC to demonstrate a specific flaw\n* Social engineering of Cloudflare employees, contractors, vendors, or service providers.\n* Physical attacks against Cloudflare employees, offices, and data centers.\n* Any Denial of Service attacks against Cloudflare and our products.\n* Any vulnerability obtained through the compromise of a Cloudflare customer or employee account. Please create a free account to test potential vulnerabilities.\n* Customer assets that use Cloudflare\n* Cloudflare's China network\n* Any 3rd party vendor that Cloudflare uses\n* Attacks against the integrity of Cloudflare customers.\n\n# Guidelines for Testing\nPlease be considerate when testing our infrastructure.\n* Make sure that scanners have a narrow scope set that is limited to authorized Cloudflare IPs only. 
Aggressive, overly broad scans or those which include Cloudflare customer IPs without permission will be considered invalid.\n* Do not send unsolicited bulk messages (spam) or unauthorized messages.\n* Do not knowingly post, transmit, upload, link to, or send any malware.\n* Do not attack Cloudflare customers, partners or suppliers.\n* Testing should be done from a Cloudflare account associated with your @wearehackerone.com email address.\n\n### XSS WAF Bypasses\nWe consider WAF XSS bypasses an enhancement to our WAF product rather than bugs. Any XSS WAF bypass reported needs to be reproducible on our test site https://waf.cumulusfire.net/xss. You are free to use this site for testing.\n\n# Reporting\nIf you believe you have found a security vulnerability that could impact Cloudflare or our users, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. We ask that you follow Cloudflare's [Vulnerability Disclosure Policy](https://www.cloudflare.com/disclosure/) and HackerOne's [Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines) and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research.\n\n# Recommended Report Format\nSubmitting high quality reports is highly encouraged. Please address the following bits of information in your report to demonstrate the quality of the vulnerability. Reports that are low quality and unclear will be closed. 
This recommended format will guarantee that your report is in a readable format and contains all the information needed by Cloudflare.\n* Affected target, feature, or URL:\n* Description of problem:\n* Impact of the issue:\n* Steps to reproduce:\n* Proof of Concept:\n* Is knowledge of this issue currently public?\n\n# Eligibility and Disclosure\nIn order for your submission to be eligible:\n* You must agree to our [Vulnerability Disclosure Policy](https://www.cloudflare.com/disclosure/).\n* You must be the first person to responsibly disclose an unknown issue.\n\nAll legitimate reports will be reviewed and assessed by Cloudflare's security team to determine if it is eligible.\n\n# Privacy Policy, Restrictions and Taxes\nCloudflare maintains both a [privacy policy](https://www.cloudflare.com/privacypolicy/) and [transparency report](https://www.cloudflare.com/transparency/).\n\nAs mentioned in our Privacy and Security Policy, Cloudflare's website and services are not intended for, or designed to attract, individuals under the age of 18. Due to the Children's Online Privacy Protection Act (COPPA), we cannot accept submissions from children under the age of 13. Reporters under the age of 18 will not be eligible to receive Cloudflare service rewards. We will find another way to recognize your effort.\n\nThis program is not open to any individual on, or residing in any country on, any U.S. sanctions lists.\nThe decision to pay a reward is entirely at our discretion. You must not violate any law. You are responsible for any tax implications or additional restrictions depending on your country and local law. We reserve the right to cancel this program at any time. Cloudflare employees and their family members are not eligible for bounties.\n\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nYou are responsible for paying any taxes associated with rewards. We may modify the terms of this program or terminate this program at any time, but we won’t apply any changes we make to these program terms retroactively. Reports from individuals who we are prohibited by law from paying are ineligible for rewards. Cloudflare employees and their family members are not eligible for bounties.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-10-12T19:51:58.273Z"},{"id":3628435,"new_policy":"# Our Values\nCloudflare appreciates the work of security researchers and we take security, trust, and transparency seriously. We developed a program to make it easier to report vulnerabilities to Cloudflare and to recognize you for your efforts to make the Internet a better place.\n\nFor research into our products, good starting points include our [Developer documentation](https://developers.cloudflare.com/docs/), [API documentation](https://api.cloudflare.com/#getting-started-endpoints), the [Learning Center](https://www.cloudflare.com/learning/), and any material on the Cloudflare [support forums](https://community.cloudflare.com/).\n\n# Private Bug Bounty Program\nCloudflare runs a private bug bounty program. If you submit a valid report on bounty-eligible assets through our disclosure program, we will transfer your report to our bug bounty program and invite you as a participant.  \n\n# Scope\nAll Cloudflare products are in scope for reporting. 
We may reward anything with significant impact across our entire security posture, so we encourage you to report such bugs via this program.\n\n# Out of Scope\nThe following issues are considered out of scope:\n\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing Best Practice, Configuration or Policy Suggestions including SSL/TLS configurations.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Output from Automated Scanners without a PoC to demonstrate a specific vulnerability\n* Lack of Secure or HTTP only flag on non-sensitive cookies\n* Email configuration issues without a PoC to demonstrate a specific flaw\n* Social engineering of Cloudflare employees, contractors, vendors, or service providers.\n* Physical attacks against Cloudflare employees, offices, and data centers.\n* Any Denial of Service attacks against Cloudflare and our products.\n* Any vulnerability obtained through the compromise of a Cloudflare customer or employee account. Please create a free account to test potential vulnerabilities.\n* Customer assets that use Cloudflare\n* Cloudflare's China network\n* Any 3rd party vendor that Cloudflare uses\n* Attacks against the integrity of Cloudflare customers.\n\n# Guidelines for Testing\nPlease be considerate when testing our infrastructure.\n* Make sure that scanners have a narrow scope set that is limited to authorized Cloudflare IPs only. 
Aggressive, overly broad scans or those which include Cloudflare customer IPs without permission will be considered invalid.\n* Do not send unsolicited bulk messages (spam) or unauthorized messages.\n* Do not knowingly post, transmit, upload, link to, or send any malware.\n* Do not attack Cloudflare customers, partners or suppliers.\n* Testing should be done from a Cloudflare account associated with your @wearehackerone.com email address.\n\n### XSS WAF Bypasses\nAny XSS WAF bypass reported needs to be reproducible on our test site https://waf.cumulusfire.net/xss. You are free to use this site for testing.\n\n# Reporting\nIf you believe you have found a security vulnerability that could impact Cloudflare or our users, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. We ask that you follow Cloudflare's [Vulnerability Disclosure Policy](https://www.cloudflare.com/disclosure/) and HackerOne's [Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines) and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research.\n\n# Recommended Report Format\nSubmitting high quality reports is highly encouraged. Please address the following bits of information in your report to demonstrate the quality of the vulnerability. Reports that are low quality and unclear will be closed. 
This recommended format will guarantee that your report is in a readable format and contains all the information needed by Cloudflare.\n* Affected target, feature, or URL:\n* Description of problem:\n* Impact of the issue:\n* Steps to reproduce:\n* Proof of Concept:\n* Is knowledge of this issue currently public?\n\n# Eligibility and Disclosure\nIn order for your submission to be eligible:\n* You must agree to our [Vulnerability Disclosure Policy](https://www.cloudflare.com/disclosure/).\n* You must be the first person to responsibly disclose an unknown issue.\n\nAll legitimate reports will be reviewed and assessed by Cloudflare's security team to determine if it is eligible.\n\n# Privacy Policy, Restrictions and Taxes\nCloudflare maintains both a [privacy policy](https://www.cloudflare.com/privacypolicy/) and [transparency report](https://www.cloudflare.com/transparency/).\n\nAs mentioned in our Privacy and Security Policy, Cloudflare's website and services are not intended for, or designed to attract, individuals under the age of 18. Due to the Children's Online Privacy Protection Act (COPPA), we cannot accept submissions from children under the age of 13. Reporters under the age of 18 will not be eligible to receive Cloudflare service rewards. We will find another way to recognize your effort.\n\nThis program is not open to any individual on, or residing in any country on, any U.S. sanctions lists.\nThe decision to pay a reward is entirely at our discretion. You must not violate any law. You are responsible for any tax implications or additional restrictions depending on your country and local law. We reserve the right to cancel this program at any time. Cloudflare employees and their family members are not eligible for bounties.\n\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nYou are responsible for paying any taxes associated with rewards. We may modify the terms of this program or terminate this program at any time, but we won’t apply any changes we make to these program terms retroactively. Reports from individuals who we are prohibited by law from paying are ineligible for rewards. Cloudflare employees and their family members are not eligible for bounties.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-01-15T20:31:42.230Z"},{"id":3623518,"new_policy":"# Our Values\nCloudflare appreciates the work of security researchers and we take security, trust, and transparency seriously. We developed a program to make it easier to report vulnerabilities to Cloudflare and to recognize you for your efforts to make the Internet a better place.\n\nFor research into our products, good starting points include our [Developer documentation](https://developers.cloudflare.com/docs/), [API documentation](https://api.cloudflare.com/#getting-started-endpoints), the [Learning Center](https://www.cloudflare.com/learning/), and any material on the Cloudflare [support forums](https://community.cloudflare.com/).\n\n# Private Bug Bounty program\nCloudflare runs a private bug bounty program for researchers. In order to be eligible to participate in this program, you should have reported 3 valid bugs or a critical severity bug in this program.\n\n# Scope\nAll Cloudflare products are in scope for reporting. 
We may reward anything with significant impact across our entire security posture, so we encourage you to report such bugs via this program.\n\n# Out of Scope\nThe following issues are considered out of scope:\n\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing Best Practice, Configuration or Policy Suggestions including SSL/TLS configurations.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Output from Automated Scanners without a PoC to demonstrate a specific vulnerability\n* Lack of Secure or HTTP only flag on non-sensitive cookies\n* Email configuration issues without a PoC to demonstrate a specific flaw\n* Social engineering of Cloudflare employees, contractors, vendors, or service providers.\n* Physical attacks against Cloudflare employees, offices, and data centers.\n* Any Denial of Service attacks against Cloudflare and our products.\n* Any vulnerability obtained through the compromise of a Cloudflare customer or employee account. Please create a free account to test potential vulnerabilities.\n* Customer assets that use Cloudflare\n* Cloudflare's China network\n* Any 3rd party vendor that Cloudflare uses\n* Attacks against the integrity of Cloudflare customers.\n\n# Guidelines for Testing\nPlease be considerate when testing our infrastructure.\n* Make sure that scanners have a narrow scope set that is limited to authorized Cloudflare IPs only. 
Aggressive, overly broad scans or those which include Cloudflare customer IPs without permission will be considered invalid.\n* Do not send unsolicited bulk messages (spam) or unauthorized messages.\n* Do not knowingly post, transmit, upload, link to, or send any malware.\n* Do not attack Cloudflare customers, partners or suppliers.\n* Testing should be done from a Cloudflare account associated with your @wearehackerone.com email address.\n\n### XSS WAF Bypasses\nAny XSS WAF bypass reported needs to be reproducible on our test site https://waf.cumulusfire.net/xss. You are free to use this site for testing.\n\n# Reporting\nIf you believe you have found a security vulnerability that could impact Cloudflare or our users, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. We ask that you follow Cloudflare's [Vulnerability Disclosure Policy](https://www.cloudflare.com/disclosure/) and HackerOne's [Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines) and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research.\n\n# Recommended Report Format\nSubmitting high quality reports is highly encouraged. Please address the following bits of information in your report to demonstrate the quality of the vulnerability. Reports that are low quality and unclear will be closed. 
This recommended format will guarantee that your report is in a readable format and contains all the information needed by Cloudflare.\n* Affected target, feature, or URL:\n* Description of problem:\n* Impact of the issue:\n* Steps to reproduce:\n* Proof of Concept:\n* Is knowledge of this issue currently public?\n\n# Eligibility and Disclosure\nIn order for your submission to be eligible:\n* You must agree to our [Vulnerability Disclosure Policy](https://www.cloudflare.com/disclosure/).\n* You must be the first person to responsibly disclose an unknown issue.\n\nAll legitimate reports will be reviewed and assessed by Cloudflare's security team to determine if it is eligible.\n\n# Privacy Policy, Restrictions and Taxes\nCloudflare maintains both a [privacy policy](https://www.cloudflare.com/privacypolicy/) and [transparency report](https://www.cloudflare.com/transparency/).\n\nAs mentioned in our Privacy and Security Policy, Cloudflare's website and services are not intended for, or designed to attract, individuals under the age of 18. Due to the Children's Online Privacy Protection Act (COPPA), we cannot accept submissions from children under the age of 13. Reporters under the age of 18 will not be eligible to receive Cloudflare service rewards. We will find another way to recognize your effort.\n\nThis program is not open to any individual on, or residing in any country on, any U.S. sanctions lists.\nThe decision to pay a reward is entirely at our discretion. You must not violate any law. You are responsible for any tax implications or additional restrictions depending on your country and local law. We reserve the right to cancel this program at any time. Cloudflare employees and their family members are not eligible for bounties.\n\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nYou are responsible for paying any taxes associated with rewards. We may modify the terms of this program or terminate this program at any time, but we won’t apply any changes we make to these program terms retroactively. Reports from individuals who we are prohibited by law from paying are ineligible for rewards. Cloudflare employees and their family members are not eligible for bounties.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-11-12T21:24:33.168Z"},{"id":3616501,"new_policy":"# Our Values\nWe take security, trust, and transparency *seriously*. Cloudflare appreciates the work of security researchers and has developed a program to make it easier to report vulnerabilities to Cloudflare and to recognize you for your effort to make the Internet a better place.\n\nFor research into our products, good starting points include our [Developer documentation](https://developers.cloudflare.com/docs/), [API documentation](https://api.cloudflare.com/#getting-started-endpoints), the [Learning Center](https://www.cloudflare.com/learning/), and any material on the Cloudflare [support forums](https://community.cloudflare.com/).\n\n# Scope\nAll Cloudflare products are in scope for reporting. 
We may reward anything with significant impact across our entire security posture, so we encourage you to report such bugs via this program.\n\n# Out of Scope\nThe following issues are considered out of scope:\n\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing Best Practice, Configuration or Policy Suggestions including SSL/TLS configurations.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Output from Automated Scanners without a PoC to demonstrate a specific vulnerability\n* Lack of Secure or HTTP only flag on non-sensitive cookies\n* Email configuration issues without a PoC to demonstrate a specific flaw\n* Social engineering of Cloudflare employees, contractors, vendors, or service providers.\n* Physical attacks against Cloudflare employees, offices, and data centers.\n* Any Denial of Service attacks against Cloudflare and our products.\n* Any vulnerability obtained through the compromise of a Cloudflare customer or employee account. If you need to test a vulnerability, please create a free account.\n* Attacks against the integrity of Cloudflare customers.\n\n# Guidelines for Testing\nPlease be considerate when testing our infrastructure.\n* Make sure that scanners have a narrow scope set that is limited to authorized Cloudflare IPs only. 
Aggressive, overly broad scans or those which include Cloudflare customer IPs without permission will be considered invalid.\n* Do not send unsolicited bulk messages (spam) or unauthorized messages.\n* Do not knowingly post, transmit, upload, link to, or send any malware.\n* Do not attack Cloudflare customers, partners or suppliers.\n* Testing should be done from a Cloudflare account associated with your @wearehackerone.com email address.\n\n# Reporting\nIf you believe you have found a security vulnerability that could impact Cloudflare or our users, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. We ask that you follow Cloudflare's [Vulnerability Disclosure Policy](https://www.cloudflare.com/disclosure/) and HackerOne's [Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines) and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research.\n\n# Recommended Report Format\nSubmitting high quality reports is highly encouraged. Please address the following bits of information in your report to demonstrate the quality of the vulnerability. Reports that are low quality and unclear will be closed. 
This recommended format will guarantee that your report is in a readable format and contains all the information needed by Cloudflare.\n* Affected target, feature, or URL:\n* Description of problem:\n* Impact of the issue:\n* Steps to reproduce:\n* Proof of Concept:\n* Is knowledge of this issue currently public?\n\n# Eligibility and Disclosure\nIn order for your submission to be eligible:\n* You must agree to our [Vulnerability Disclosure Policy](https://www.cloudflare.com/disclosure/).\n* You must be the first person to responsibly disclose an unknown issue.\n\nAll legitimate reports will be reviewed and assessed by Cloudflare's security team to determine if it is eligible.\n\n# Privacy Policy, Restrictions and Taxes\nCloudflare maintains both a [privacy policy](https://www.cloudflare.com/privacypolicy/) and [transparency report](https://www.cloudflare.com/transparency/).\n\nAs mentioned in our Privacy and Security Policy, Cloudflare's website and services are not intended for, or designed to attract, individuals under the age of 18. Due to the Children's Online Privacy Protection Act (COPPA), we cannot accept submissions from children under the age of 13. Reporters under the age of 18 will not be eligible to receive Cloudflare service rewards. We will find another way to recognize your effort.\n\nThis program is not open to any individual on, or residing in any country on, any U.S. sanctions lists.\nThe decision to pay a reward is entirely at our discretion. You must not violate any law. You are responsible for any tax implications or additional restrictions depending on your country and local law. We reserve the right to cancel this program at any time. Cloudflare employees and their family members are not eligible for bounties.\n\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nYou are responsible for paying any taxes associated with rewards. We may modify the terms of this program or terminate this program at any time, but we won’t apply any changes we make to these program terms retroactively. Reports from individuals who we are prohibited by law from paying are ineligible for rewards. Cloudflare employees and their family members are not eligible for bounties.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-08-16T16:23:05.038Z"},{"id":3616191,"new_policy":"# Our Values\nWe take security, trust, and transparency *seriously*. Cloudflare appreciates the work of security researchers and has developed a program to make it easier to report vulnerabilities to Cloudflare and to recognize you for your effort to make the Internet a better place.\n\nFor research into our products, good starting points include our [Developer documentation](https://developers.cloudflare.com/docs/), [API documentation](https://api.cloudflare.com/#getting-started-endpoints), the [Learning Center](https://www.cloudflare.com/learning/), and any material on the Cloudflare [support forums](https://community.cloudflare.com/).\n\n# Scope\nPlease see the **Scope** section below to determine what is eligible for submission to the bounty program. 
We may still reward anything with significant impact across our entire security posture, so we encourage you to report such bugs via this program.\n\n# Out of Scope\nThe following issues are considered out of scope:\n\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing Best Practice, Configuration or Policy Suggestions including SSL/TLS configurations.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Output from Automated Scanners without a PoC to demonstrate a specific vulnerability\n* Lack of Secure or HTTP only flag on non-sensitive cookies\n* Email configuration issues without a PoC to demonstrate a specific flaw\n* Social engineering of Cloudflare employees, contractors, vendors, or service providers.\n* Physical attacks against Cloudflare employees, offices, and data centers.\n* Any Denial of Service attacks against Cloudflare and our products.\n* Any vulnerability obtained through the compromise of a Cloudflare customer or employee account. If you need to test a vulnerability, please create a free account.\n* Attacks against the integrity of Cloudflare customers.\n\n# Guidelines for Testing\nPlease be considerate when testing our infrastructure.\n* Make sure that scanners have a narrow scope set that is limited to authorized Cloudflare IPs only. 
Aggressive, overly broad scans or those which include Cloudflare customer IPs without permission will be considered invalid.\n* Do not send unsolicited bulk messages (spam) or unauthorized messages.\n* Do not knowingly post, transmit, upload, link to, or send any malware.\n* Do not attack Cloudflare customers, partners or suppliers.\n* Testing should be done from a Cloudflare account associated with your @wearehackerone.com email address.\n\n# Reporting\nIf you believe you have found a security vulnerability that could impact Cloudflare or our users, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. We ask that you follow Cloudflare's [Vulnerability Disclosure Policy](https://www.cloudflare.com/disclosure/) and HackerOne's [Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines) and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research.\n\n# Recommended Report Format\nSubmitting high quality reports is highly encouraged. Please address the following bits of information in your report to demonstrate the quality of the vulnerability. Reports that are low quality and unclear will be closed. 
This recommended format will guarantee that your report is in a readable format and contains all the information needed by Cloudflare.\n* Affected target, feature, or URL:\n* Description of problem:\n* Impact of the issue:\n* Steps to reproduce:\n* Proof of Concept:\n* Is knowledge of this issue currently public?\n\n# Eligibility and Disclosure\nIn order for your submission to be eligible:\n* You must agree to our [Vulnerability Disclosure Policy](https://www.cloudflare.com/disclosure/).\n* You must be the first person to responsibly disclose an unknown issue.\n\nAll legitimate reports will be reviewed and assessed by Cloudflare's security team to determine if it is eligible.\n\n# Privacy Policy, Restrictions and Taxes\nCloudflare maintains both a [privacy policy](https://www.cloudflare.com/privacypolicy/) and [transparency report](https://www.cloudflare.com/transparency/).\n\nAs mentioned in our Privacy and Security Policy, Cloudflare's website and services are not intended for, or designed to attract, individuals under the age of 18. Due to the Children's Online Privacy Protection Act (COPPA), we cannot accept submissions from children under the age of 13. Reporters under the age of 18 will not be eligible to receive Cloudflare service rewards. We will find another way to recognize your effort.\n\nThis program is not open to any individual on, or residing in any country on, any U.S. sanctions lists.\nThe decision to pay a reward is entirely at our discretion. You must not violate any law. You are responsible for any tax implications or additional restrictions depending on your country and local law. We reserve the right to cancel this program at any time. Cloudflare employees and their family members are not eligible for bounties.\n\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nYou are responsible for paying any taxes associated with rewards. We may modify the terms of this program or terminate this program at any time, but we won’t apply any changes we make to these program terms retroactively. Reports from individuals who we are prohibited by law from paying are ineligible for rewards. Cloudflare employees and their family members are not eligible for bounties.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-08-13T15:20:47.344Z"},{"id":3591110,"new_policy":"#Cloudflare Vulnerability Disclosure Policy\nWe take security, trust, and transparency seriously. Cloudflare appreciates the work of security researchers and has developed a program to make it easier to report vulnerabilities to Cloudflare and to recognize you for your effort to make the Internet a better place. \n\nIf you believe you have found a security vulnerability that could impact Cloudflare or our users, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. We ask that you follow Cloudflare's Vulnerability Disclosure Policy and HackerOne's Disclosure Guidelines and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research.\n\nSubmitting high quality reports is highly encouraged. 
A high quality report is one that explains the vulnerability in detail, identifies its impact and most importantly which includes steps or a \"proof of concept\" that allows us to reproduce the issue. \n\nVery low quality reports such as those which only contain automated output will be rejected.\n\n**DO NOT** submit the following as they will also be rejected:\n- Missing Best Practice, Configuration or Policy Suggestions\n- Output from Automated Scanners without a PoC to demonstrate a specific vulnerability\n- Any domains other than *.cloudflare.com\n- Logout Cross Site Request Forgery\n- Lack of Secure or HTTP only flag on non-sensitive cookies\n- Email configuration issues without a PoC to demonstrate a specific flaw\n\n#Scope\nAny web properties owned by Cloudflare are in scope for the program.\n\n- *.cloudflare.com\n\nCustomers of Cloudflare, or non Cloudflare sites behind our infrastructure are out of scope.\n\n**Customers of Cloudflare, or non Cloudflare sites behind our infrastructure are out of scope.**\n\nFinally, if you are a customer and have a password or account issue, please contact Cloudflare support. For abuse issues or law enforcement inquiries, please review our Abuse policy.\n\n# Recommended Report Format\nPlease address the following bits of information in your report. Reports that are low quality and unclear will be closed. This recommended format will guarantee that your report is in a readable format and contains all information needed by Cloudflare.\n - Affected target, feature, or URL:\n - Description of problem:\n - Impact of the issue:\n - Steps to reproduce:\n - Proof of Concept:\n - Is knowledge of this issue currently public?\n\n\n#Eligibility and Disclosure\nIn order for your submission to be eligible:\n\n- You must agree to our Vulnerability Disclosure Policy.\n- You must be the first person to responsibly disclose an unknown issue. 
\n\nAll legitimate reports will be reviewed and assessed by Cloudflare's security team to determine if it is eligible. \n\n#Guidelines for testing\nPlease be considerate when testing our infrastructure. Failure to follow these guidelines will lead to disqualification from the Cloudflare bug bounty program.\n\n- Make sure that scanners have a narrow scope set that is limited to authorized Cloudflare IPs only. Aggressive, overly broad scans or those which include Cloudflare customer IPs without permission will be considered invalid.  \n- Do not send unsolicited bulk messages (spam) or unauthorized messages.\n- Do not knowingly post, transmit, upload, link to, or send any malware.\n- Do not attack Cloudflare customers, partners or suppliers.\n\nAdditionally, the following conditions are out of scope for the vulnerability disclosure program. Any of the activities below will result in disqualification from the program permanently.\n\n- Social engineering of Cloudflare employees, contractors, vendors, or service providers.\n- Physical attacks against Cloudflare employees, offices, and data centers.\n- Any vulnerability obtained through the compromise of a Cloudflare customer or employee account.  If you need to test a vulnerability, please create a free account.\n- Being an individual on, or residing in any country on, any U.S. sanctions lists.\n\n#Privacy Policy, Restrictions and Taxes\nCloudflare's privacy policy can be found here: https://www.cloudflare.com/security-policy/\nCloudflare's transparency report can be found here: https://www.cloudflare.com/transparency/\n\nAs mentioned in our Privacy and Security Policy, Cloudflare's website and services are not intended for, or designed to attract, individuals under the age of 18. Due to the Children's Online Privacy Protection Act (COPPA), we cannot accept submissions from children under the age of 13. Reporters under the age of 18 will not be eligible to receive Cloudflare service rewards. 
We will find another way to recognize your effort.\nThis program is not open to any individual on, or residing in any country on, any U.S. sanctions lists.\nThe decision to pay a reward is entirely at our discretion. You must not violate any law. You are responsible for any tax implications or additional restrictions depending on your country and local law. We reserve the right to cancel this program at any time.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-10-10T18:42:20.048Z"},{"id":3586496,"new_policy":"#Cloudflare Vulnerability Disclosure Policy\nWe take security, trust, and transparency seriously. Cloudflare appreciates the work of security researchers and has developed a program to make it easier to report vulnerabilities to Cloudflare and to recognize you for your effort to make the Internet a better place. \n\nIf you believe you have found a security vulnerability that could impact Cloudflare or our users, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. We ask that you follow Cloudflare's Vulnerability Disclosure Policy and HackerOne's Disclosure Guidelines and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research.\n\nSubmitting high quality reports is highly encouraged. A high quality report is one that explains the vulnerability in detail, identifies its impact and most importantly which includes steps or a \"proof of concept\" that allows us to reproduce the issue. 
\n\nVery low quality reports such as those which only contain automated output will be rejected.\n\n**DO NOT** submit the following as they will also be rejected:\n- Missing Best Practice, Configuration or Policy Suggestions\n- Output from Automated Scanners without a PoC to demonstrate a specific vulnerability\n- Any domains other than *.cloudflare.com\n- Logout Cross Site Request Forgery\n- Lack of Secure or HTTP only flag on non-sensitive cookies\n- Email configuration issues without a PoC to demonstrate a specific flaw\n\n#Scope\nAny web properties owned by Cloudflare are in scope for the program.\n\n- *.cloudflare.com\n\nCustomers of Cloudflare, or non Cloudflare sites behind our infrastructure are out of scope.\n\n**Customers of Cloudflare, or non Cloudflare sites behind our infrastructure are out of scope.**\n\nFinally, if you are a customer and have a password or account issue, please contact Cloudflare support. For abuse issues or law enforcement inquiries, please review our Abuse policy.\n\n# Recommended Report Format\nPlease address the following bits of information in your report. Reports that are low quality and unclear will be closed. This recommended format will guarantee that your report is in a readable format and contains all information needed by Cloudflare.\n - Affected target, feature, or URL:\n - Description of problem:\n - Impact of the issue:\n - Steps to reproduce:\n - Proof of Concept:\n - Is knowledge of this issue currently public?\n\n\n#Eligibility and Disclosure\nIn order for your submission to be eligible:\n\n- You must agree to our Vulnerability Disclosure Policy.\n- You must be the first person to responsibly disclose an unknown issue. \n\nAll legitimate reports will be reviewed and assessed by Cloudflare's security team to determine if it is eligible. \n\n#Rewards\nFor each eligible vulnerability report, the reporter will receive:\n\n- Recognition on our Hall of Fame.\n- A limited edition Cloudflare bug hunter t-shirt. 
Cloudflare employees don't even have this shirt. It's only for you all. Wear it with pride: you're part of an exclusive group.\n- 12 months of Cloudflare's Pro or 1 month of Business service on us. \n\nMonetary compensation is not currently offered under this program.\n\n#Guidelines for testing\nPlease be considerate when testing our infrastructure. Failure to follow these guidelines will lead to disqualification from the Cloudflare bug bounty program.\n\n- Make sure that scanners have a narrow scope set that is limited to authorized Cloudflare IPs only. Aggressive, overly broad scans or those which include Cloudflare customer IPs without permission will be considered invalid.  \n- Do not send unsolicited bulk messages (spam) or unauthorized messages.\n- Do not knowingly post, transmit, upload, link to, or send any malware.\n- Do not attack Cloudflare customers, partners or suppliers.\n\nAdditionally, the following conditions are out of scope for the vulnerability disclosure program. Any of the activities below will result in disqualification from the program permanently.\n\n- Social engineering of Cloudflare employees, contractors, vendors, or service providers.\n- Physical attacks against Cloudflare employees, offices, and data centers.\n- Any vulnerability obtained through the compromise of a Cloudflare customer or employee account.  If you need to test a vulnerability, please create a free account.\n- Being an individual on, or residing in any country on, any U.S. sanctions lists.\n\n#Privacy Policy, Restrictions and Taxes\nCloudflare's privacy policy can be found here: https://www.cloudflare.com/security-policy/\nCloudflare's transparency report can be found here: https://www.cloudflare.com/transparency/\n\nAs mentioned in our Privacy and Security Policy, Cloudflare's website and services are not intended for, or designed to attract, individuals under the age of 18. 
Due to the Children's Online Privacy Protection Act (COPPA), we cannot accept submissions from children under the age of 13. Reporters under the age of 18 will not be eligible to receive Cloudflare service rewards. We will find another way to recognize your effort.\nThis program is not open to any individual on, or residing in any country on, any U.S. sanctions lists.\nThe decision to pay a reward is entirely at our discretion. You must not violate any law. You are responsible for any tax implications or additional restrictions depending on your country and local law. We reserve the right to cancel this program at any time.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-08-22T15:33:28.535Z"},{"id":3586495,"new_policy":"#Cloudflare Vulnerability Disclosure Policy\nWe take security, trust, and transparency seriously. Cloudflare appreciates the work of security researchers and has developed a program to make it easier to report vulnerabilities to Cloudflare and to recognize you for your effort to make the Internet a better place. \n\nIf you believe you have found a security vulnerability that could impact Cloudflare or our users, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. We ask that you follow Cloudflare's Vulnerability Disclosure Policy and HackerOne's Disclosure Guidelines and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research.\n\nSubmitting high quality reports is highly encouraged. 
A high quality report is one that explains the vulnerability in detail, identifies its impact and most importantly which includes steps or a \"proof of concept\" that allows us to reproduce the issue. \n\nVery low quality reports such as those which only contain automated output will be rejected.\n\n**DO NOT** submit the following as they will also be rejected:\n- Missing Best Practice, Configuration or Policy Suggestions\n- Output from Automated Scanners without a PoC to demonstrate a specific vulnerability\n- Any domains other than *.cloudflare.com\n- Logout Cross Site Request Forgery\n- Lack of Secure or HTTP only flag on non-sensitive cookies\n- Email configuration issues without a PoC to demonstrate a specific flaw\n\n#Scope\nAny web properties owned by Cloudflare are in scope for the program.\n\n- *.cloudflare.com\n\nCustomers of Cloudflare, or non Cloudflare sites behind our infrastructure are out of scope.\n\n**Customers of Cloudflare, or non Cloudflare sites behind our infrastructure are out of scope.**\n\nFinally, if you are a customer and have a password or account issue, please contact Cloudflare support. For abuse issues or law enforcement inquiries, please review our Abuse policy.\n\n# Recommended Report Format\nPlease address the following bits of information in your report. Reports that are low quality and unclear will be closed. This recommended format will guarantee that your report is in a readable format and contains all information needed by Cloudflare.\n - Affected target, feature, or URL:\n - Description of problem:\n - Impact of the issue:\n - Steps to reproduce:\n - Proof of Concept:\n - Is knowledge of this issue currently public?\n\n\n#Eligibility and Disclosure\nIn order for your submission to be eligible:\n\n- You must agree to our Vulnerability Disclosure Policy.\n- You must be the first person to responsibly disclose an unknown issue. 
\n\nAll legitimate reports will be reviewed and assessed by Cloudflare's security team to determine if it is eligible. \n\n#Rewards\nFor each eligible vulnerability report, the reporter will receive:\n\n- Recognition on our Hall of Fame.\n- A limited edition Cloudflare bug hunter t-shirt. Cloudflare employees don't even have this shirt. It's only for you all. Wear it with pride: you're part of an exclusive group.\n- 12 months of Cloudflare's Pro or 1 month of Business service on us. \n\nMonetary compensation is not currently offered under this program.\n\n#Guidelines for testing\nPlease be considerate when testing our infrastructure. Failure to follow these guidelines will lead to disqualification from the Cloudflare bug bounty program.\n\n- Make sure that scanners have a narrow scope set that is limited to authorized Cloudflare IPs only. Aggressive, overly broad scans or those which include Cloudflare customer IPs without permission will be considered invalid.  \n- Do not send unsolicited bulk messages (spam) or unauthorized messages.\n- Do not knowingly post, transmit, upload, link to, or send any malware.\n- Do not attack Cloudflare customers, partners or suppliers.\n\nAdditionally, the following conditions are out of scope for the vulnerability disclosure program. Any of the activities below will result in disqualification from the program permanently.\n\n- Social engineering of CloudFlare employees, contractors, vendors, or service providers.\n- Physical attacks against Cloudflare employees, offices, and data centers.\n- Any vulnerability obtained through the compromise of a Cloudflare customer or employee account.  If you need to test a vulnerability, please create a free account.\n- Being an individual on, or residing in any country on, any U.S. 
sanctions lists.\n\n#Privacy Policy, Restrictions and Taxes\nCloudflare's privacy policy can be found here: https://www.cloudflare.com/security-policy/\nCloudflare's transparency report can be found here: https://www.cloudflare.com/transparency/\n\nAs mentioned in our Privacy and Security Policy, Cloudflare's website and services are not intended for, or designed to attract, individuals under the age of 18. Due to the Children's Online Privacy Protection Act (COPPA), we cannot accept submissions from children under the age of 13. Reporters under the age of 18 will not be eligible to receive Cloudflare service rewards. We will find another way to recognize your effort.\nThis program is not open to any individual on, or residing in any country on, any U.S. sanctions lists.\nThe decision to pay a reward is entirely at our discretion. You must not violate any law. You are responsible for any tax implications or additional restrictions depending on your country and local law. We reserve the right to cancel this program at any time.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-08-22T15:30:56.022Z"},{"id":3550902,"new_policy":"#CloudFlare Vulnerability Disclosure Policy\nWe take security, trust, and transparency seriously. Cloudflare appreciates the work of security researchers and has developed a program to make it easier to report vulnerabilities to CloudFlare and to recognize you for your effort to make the Internet a better place. \n\nIf you believe you have found a security vulnerability that could impact Cloudflare or our users, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. 
We ask that you follow CloudFlare's Vulnerability Disclosure Policy and HackerOne's Disclosure Guidelines and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research.\n\nSubmitting high quality reports is highly encouraged. A high quality report is one that explains the vulnerability in detail, identifies its impact and, most importantly, includes steps or a \"proof of concept\" that allows us to reproduce the issue. \n\nVery low quality reports such as those which only contain automated output will be rejected.\n\n**DO NOT** submit the following as they will also be rejected:\n- Missing Best Practice, Configuration or Policy Suggestions\n- Output from Automated Scanners without a PoC to demonstrate a specific vulnerability\n- Any domains other than *.cloudflare.com\n- Logout Cross Site Request Forgery\n- Lack of Secure or HttpOnly flag on non-sensitive cookies\n- Email configuration issues without a PoC to demonstrate a specific flaw\n\n#Scope\nAny web properties owned by Cloudflare are in scope for the program.\n\n- *.cloudflare.com\n\n**Customers of Cloudflare, or non Cloudflare sites behind our infrastructure are out of scope.**\n\nFinally, if you are a customer and have a password or account issue, please contact CloudFlare support. For abuse issues or law enforcement inquiries, please review our Abuse policy.\n\n# Recommended Report Format\nPlease address the following bits of information in your report. Reports that are low quality and unclear will be closed. 
This recommended format will guarantee that your report is in a readable format and contains all information needed by Cloudflare.\n - Affected target, feature, or URL:\n - Description of problem:\n - Impact of the issue:\n - Steps to reproduce:\n - Proof of Concept:\n - Is knowledge of this issue currently public?\n\n\n#Eligibility and Disclosure\nIn order for your submission to be eligible:\n\n- You must agree to our Vulnerability Disclosure Policy.\n- You must be the first person to responsibly disclose an unknown issue. \n\nAll legitimate reports will be reviewed and assessed by CloudFlare's security team to determine if it is eligible. \n\n#Rewards\nFor each eligible vulnerability report, the reporter will receive:\n\n- Recognition on our Hall of Fame.\n- A limited edition CloudFlare bug hunter t-shirt. CloudFlare employees don't even have this shirt. It's only for you all. Wear it with pride: you're part of an exclusive group.\n- 12 months of CloudFlare's Pro or 1 month of Business service on us. \n\nMonetary compensation is not currently offered under this program.\n\n#Guidelines for testing\nPlease be considerate when testing our infrastructure. Failure to follow these guidelines will lead to disqualification from the Cloudflare bug bounty program.\n\n- Make sure that scanners have a narrow scope set that is limited to authorized Cloudflare IPs only. Aggressive, overly broad scans or those which include Cloudflare customer IPs without permission will be considered invalid.  \n- Do not send unsolicited bulk messages (spam) or unauthorized messages.\n- Do not knowingly post, transmit, upload, link to, or send any malware.\n- Do not attack Cloudflare customers, partners or suppliers.\n\nAdditionally, the following conditions are out of scope for the vulnerability disclosure program. 
Any of the activities below will result in disqualification from the program permanently.\n\n- Social engineering of CloudFlare employees, contractors, vendors, or service providers.\n- Physical attacks against CloudFlare employees, offices, and data centers.\n- Any vulnerability obtained through the compromise of a CloudFlare customer or employee accounts.  If you need to test a vulnerability, please create a free account.\n- Being an individual on, or residing in any country on, any U.S. sanctions lists.\n\n#Privacy Policy, Restrictions and Taxes\nCloudflare's privacy policy can be found here: https://www.cloudflare.com/security-policy/\nCloudflare's transparency report can be found here: https://www.cloudflare.com/transparency/\n\nAs mentioned in our Privacy and Security Policy, CloudFlare's website and services are not intended for, or designed to attract, individuals under the age of 18. Due to the Children's Online Privacy Protection Act (COPPA), we cannot accept submissions from children under the age of 13. Reporters under the age of 18 will not be eligible to receive CloudFlare service rewards. We will find another way to recognize your effort.\nThis program is not open to any individual on, or residing in any country on, any U.S. sanctions lists.\nThe decision to pay a reward is entirely at our discretion. You must not violate any law. You are responsible for any tax implications or additional restrictions depending on your country and local law. We reserve the right to cancel this program at any time.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-04-07T18:29:02.243Z"},{"id":3549891,"new_policy":"#CloudFlare Vulnerability Disclosure Policy\nWe take security, trust, and transparency seriously. 
Cloudflare appreciates the work of security researchers and has developed a program to make it easier to report vulnerabilities to CloudFlare and to recognize you for your effort to make the Internet a better place. \n\nIf you believe you have found a security vulnerability that could impact Cloudflare or our users, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. We ask that you follow CloudFlare's Vulnerability Disclosure Policy and HackerOne's Disclosure Guidelines and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research.\n\nSubmitting high quality reports is highly encouraged. A high quality report is one that explains the vulnerability in detail, identifies its impact and, most importantly, includes steps or a \"proof of concept\" that allows us to reproduce the issue. \n\nVery low quality reports such as those which only contain automated output will be rejected.\n\n**DO NOT** submit the following as they will also be rejected:\n- Missing Best Practice, Configuration or Policy Suggestions\n- Output from Automated Scanners without a PoC to demonstrate a specific vulnerability\n- Any domains other than *.cloudflare.com\n- Logout Cross Site Request Forgery\n- Lack of Secure or HttpOnly flag on non-sensitive cookies\n- Email configuration issues without a PoC to demonstrate a specific flaw\n\n#Scope\nAny web properties owned by Cloudflare are in scope for the program.\n\n- *.cloudflare.com\n\nCustomers of Cloudflare, or non Cloudflare sites behind our infrastructure are out of scope.\n\nFinally, if you are a customer and have a password or account issue, please contact CloudFlare support. 
For abuse issues or law enforcement inquiries, please review our Abuse policy.\n\n#Eligibility and Disclosure\nIn order for your submission to be eligible:\n\n- You must agree to our Vulnerability Disclosure Policy.\n- You must be the first person to responsibly disclose an unknown issue. \n\nAll legitimate reports will be reviewed and assessed by CloudFlare's security team to determine if it is eligible. \n\n#Rewards\nFor each eligible vulnerability report, the reporter will receive:\n\n- Recognition on our Hall of Fame.\n- A limited edition CloudFlare bug hunter t-shirt. CloudFlare employees don't even have this shirt. It's only for you all. Wear it with pride: you're part of an exclusive group.\n- 12 months of CloudFlare's Pro or 1 month of Business service on us. \n\nMonetary compensation is not currently offered under this program.\n\n#Guidelines for testing\nPlease be considerate when testing our infrastructure. Failure to follow these guidelines will lead to disqualification from the Cloudflare bug bounty program.\n\n- Make sure that scanners have a narrow scope set that is limited to authorized Cloudflare IPs only. Aggressive, overly broad scans or those which include Cloudflare customer IPs without permission will be considered invalid.  \n- Do not send unsolicited bulk messages (spam) or unauthorized messages.\n- Do not knowingly post, transmit, upload, link to, or send any malware.\n- Do not attack Cloudflare customers, partners or suppliers.\n\nAdditionally, the following conditions are out of scope for the vulnerability disclosure program. Any of the activities below will result in disqualification from the program permanently.\n\n- Social engineering of CloudFlare employees, contractors, vendors, or service providers.\n- Physical attacks against CloudFlare employees, offices, and data centers.\n- Any vulnerability obtained through the compromise of CloudFlare customer or employee accounts.  
If you need to test a vulnerability, please create a free account.\n- Being an individual on, or residing in any country on, any U.S. sanctions lists.\n\n#Privacy Policy, Restrictions and Taxes\nCloudflare's privacy policy can be found here: https://www.cloudflare.com/security-policy/\nCloudflare's transparency report can be found here: https://www.cloudflare.com/transparency/\n\nAs mentioned in our Privacy and Security Policy, CloudFlare's website and services are not intended for, or designed to attract, individuals under the age of 18. Due to the Children's Online Privacy Protection Act (COPPA), we cannot accept submissions from children under the age of 13. Reporters under the age of 18 will not be eligible to receive CloudFlare service rewards. We will find another way to recognize your effort.\nThis program is not open to any individual on, or residing in any country on, any U.S. sanctions lists.\nThe decision to pay a reward is entirely at our discretion. You must not violate any law. You are responsible for any tax implications or additional restrictions depending on your country and local law. We reserve the right to cancel this program at any time.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-03-25T02:26:25.640Z"},{"id":3541043,"new_policy":"#CloudFlare Vulnerability Disclosure Policy\nWe take security, trust, and transparency seriously. Cloudflare appreciates the work of security researchers and has developed a program to make it easier to report vulnerabilities to CloudFlare and to recognize you for your effort to make the Internet a better place. \n\nIf you believe you have found a security vulnerability that could impact Cloudflare or our users, we encourage you to let us know right away. 
We will investigate all legitimate reports and do our best to quickly fix the problem. We ask that you follow CloudFlare's Vulnerability Disclosure Policy and HackerOne's Disclosure Guidelines and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research.\n\nSubmitting high quality reports is highly encouraged. A high quality report is one that explains the vulnerability in detail, identifies its impact and, most importantly, includes steps or a \"proof of concept\" that allows us to reproduce the issue.\n\n#Scope\nAny web properties owned by Cloudflare are in scope for the program.\n\n- *.cloudflare.com\n\nCustomers of Cloudflare, or non Cloudflare sites behind our infrastructure are out of scope.\n\nSubmissions that are specifically detailing a \"best practice\" are out of scope unless they are exploitable en masse. \n\nExample 1: User enumeration through error messages. User enumeration is not an issue when it is possible to enumerate one user at a time with many failures, but a large issue when it is possible to enumerate users in a highly accurate way.\n\nExample 2: Missing SPF records or other email misconfiguration is not a reportable issue unless you can demonstrate that this missing record or misconfiguration allows you to successfully do something with significant impact.\n\nFinally, if you are a customer and have a password or account issue, please contact CloudFlare support. For abuse issues or law enforcement inquiries, please review our Abuse policy.\n\n#Eligibility and Disclosure\nIn order for your submission to be eligible:\n\n- You must agree to our Vulnerability Disclosure Policy.\n- You must be the first person to responsibly disclose an unknown issue. \n\nAll legitimate reports will be reviewed and assessed by CloudFlare's security team to determine if it is eligible. 
\n\nAs mentioned in our Privacy and Security Policy, CloudFlare's website and services are not intended for, or designed to attract, individuals under the age of 18. Due to the Children's Online Privacy Protection Act (COPPA), we cannot accept submissions from children under the age of 13. Reporters under the age of 18 will not be eligible to receive CloudFlare service rewards. We will find another way to recognize your effort.\n\n#Rewards\nFor each eligible vulnerability report, the reporter will receive:\n\n- Recognition on our Hall of Fame.\n- A limited edition CloudFlare bug hunter t-shirt. CloudFlare employees don't even have this shirt. It's only for you all. Wear it with pride: you're part of an exclusive group.\n- 12 months of CloudFlare's Pro or 1 month of Business service on us. \n\nMonetary compensation is not currently offered under this program.\n\n#Exclusions\nThe following conditions are out of scope for the vulnerability disclosure program. Any of the activities below will result in disqualification from the program permanently.\n\n- Physical attacks against CloudFlare employees, offices, and data centers.\n- Social engineering of CloudFlare employees, contractors, vendors, or service providers.\n- Knowingly posting, transmitting, uploading, linking to, or sending any malware.\n- Pursuing vulnerabilities which send unsolicited bulk messages (spam) or unauthorized messages.\n- Any vulnerability obtained through the compromise of a CloudFlare customer or employee accounts.  If you need to test a vulnerability, please create a free account.\n- Being an individual on, or residing in any country on, any U.S. 
sanctions lists.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-10-31T17:21:59.051Z"},{"id":3541042,"new_policy":"#CloudFlare Vulnerability Disclosure Policy\nWe take security, trust, and transparency seriously. Cloudflare appreciates the work of security researchers and has developed a program to make it easier to report vulnerabilities to CloudFlare and to recognize you for your effort to make the Internet a better place. \n\nIf you believe you have found a security vulnerability that could impact Cloudflare or our users, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. We ask that you follow CloudFlare's Vulnerability Disclosure Policy and HackerOne's Disclosure Guidelines and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research.\n\nSubmitting high quality reports is highly encouraged. A high quality report is one that explains the vulnerability in detail, identifies its impact and most importantly which includes steps or a \"proof of concept\" that allows us to reproduce the issue.\n\n#Scope\nAny web properties owned by Cloudflare are in scope for the program.\n\n- *.cloudflare.com\n\nCustomers of Cloudflare, or non Cloudflare sites behind our infrastructure are out of scope.\n\nSubmissions that are specifically detailing a \"best practice\" are out of scope unless they are exploitable in mass. \n\nExample 1: User enumeration through error messages. 
User enumeration is not an issue when it is possible to enumerate one user at a time with many failures, but a large issue when it is possible to enumerate users in a highly accurate way.\n\nExample 2: Missing SPF records or other email misconfiguration is not a reportable issue unless you can demonstrate that this missing record or misconfiguration allows you to successfully do something with significant impact.\n\nFinally, if you are a customer and have a password or account issue, please contact CloudFlare support. For abuse issues or law enforcement inquiries, please review our Abuse policy.\n\n#Eligibility and Disclosure\nIn order for your submission to be eligible:\n\n- You must agree to our Vulnerability Disclosure Policy.\n- You must be the first person to responsibly disclose an unknown issue. \n\nAll legitimate reports will be reviewed and assessed by CloudFlare's security team to determine if it is eligible. \n\nAs mentioned in our Privacy and Security Policy, CloudFlare's website and services are not intended for, or designed to attract, individuals under the age of 18. Due to the Children's Online Privacy Protection Act (COPPA), we cannot accept submissions from children under the age of 13. Reporters under the age of 18 will not be eligible to receive CloudFlare service rewards. We will find another way to recognize your effort.\n\n#Rewards\nFor each eligible vulnerability report, the reporter will receive:\n\n- Recognition on our Hall of Fame.\n- A limited edition CloudFlare bug hunter t-shirt. CloudFlare employees don't even have this shirt. It's only for you all. Wear it with pride: you're part of an exclusive group.\n- 12 months of CloudFlare's Pro or 1 month of Business service on us. \n\nMonetary compensation is not currently offered under this program.\n\n#Exclusions\nThe following conditions are out of scope for the vulnerability disclosure program. 
Any of the activities below will result in disqualification from the program permanently.\n\n- Physical attacks against CloudFlare employees, offices, and data centers.\n- Social engineering of CloudFlare employees, contractors, vendors, or service providers.\n- Knowingly posting, transmitting, uploading, linking to, or sending any malware.\n- Pursuing vulnerabilities which send unsolicited bulk messages (spam) or unauthorized messages.\n- Any vulnerability obtained through the compromise of a CloudFlare customer or employee accounts.  If you need to test a vulnerability, please create a free account.\n- Being an individual on, or residing in any country on, any U.S. sanctions lists.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-10-31T17:21:44.427Z"},{"id":3541041,"new_policy":"#CloudFlare Vulnerability Disclosure Policy\nWe take security, trust, and transparency seriously. Cloudflare appreciates the work of security researchers and has developed a program to make it easier to report vulnerabilities to CloudFlare and to recognize you for your effort to make the Internet a better place. \n\nIf you believe you have found a security vulnerability that could impact Cloudflare or our users, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. We ask that you follow CloudFlare's Vulnerability Disclosure Policy and HackerOne's Disclosure Guidelines and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research.\n\nSubmitting high quality reports is highly encouraged. 
A high quality report is one that explains the vulnerability in detail, identifies its impact and, most importantly, includes steps or a \"proof of concept\" that allows us to reproduce the issue.\n\n#Scope\nAny web properties owned by Cloudflare are in scope for the program.\n\n- *.cloudflare.com\n\nCustomers of Cloudflare, or non Cloudflare sites behind our infrastructure are out of scope.\n\nSubmissions that are specifically detailing a \"best practice\" are out of scope unless they are exploitable en masse. \n\nExample 1: user enumeration through error messages. User enumeration is not an issue when it is possible to enumerate one user at a time with many failures, but a large issue when it is possible to enumerate users in a highly accurate way.\n\nExample 2: missing SPF records or other email misconfiguration is not an issue unless you can demonstrate that this missing record or misconfiguration allows you to successfully do something with significant impact.\n\nFinally, if you are a customer and have a password or account issue, please contact CloudFlare support. For abuse issues or law enforcement inquiries, please review our Abuse policy.\n\n#Eligibility and Disclosure\nIn order for your submission to be eligible:\n\n- You must agree to our Vulnerability Disclosure Policy.\n- You must be the first person to responsibly disclose an unknown issue. \n\nAll legitimate reports will be reviewed and assessed by CloudFlare's security team to determine if it is eligible. \n\nAs mentioned in our Privacy and Security Policy, CloudFlare's website and services are not intended for, or designed to attract, individuals under the age of 18. Due to the Children's Online Privacy Protection Act (COPPA), we cannot accept submissions from children under the age of 13. Reporters under the age of 18 will not be eligible to receive CloudFlare service rewards. 
We will find another way to recognize your effort.\n\n#Rewards\nFor each eligible vulnerability report, the reporter will receive:\n\n- Recognition on our Hall of Fame.\n- A limited edition CloudFlare bug hunter t-shirt. CloudFlare employees don't even have this shirt. It's only for you all. Wear it with pride: you're part of an exclusive group.\n- 12 months of CloudFlare's Pro or 1 month of Business service on us. \n\nMonetary compensation is not currently offered under this program.\n\n#Exclusions\nThe following conditions are out of scope for the vulnerability disclosure program. Any of the activities below will result in disqualification from the program permanently.\n\n- Physical attacks against CloudFlare employees, offices, and data centers.\n- Social engineering of CloudFlare employees, contractors, vendors, or service providers.\n- Knowingly posting, transmitting, uploading, linking to, or sending any malware.\n- Pursuing vulnerabilities which send unsolicited bulk messages (spam) or unauthorized messages.\n- Any vulnerability obtained through the compromise of a CloudFlare customer or employee accounts.  If you need to test a vulnerability, please create a free account.\n- Being an individual on, or residing in any country on, any U.S. sanctions lists.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-10-31T17:20:47.133Z"},{"id":3307549,"new_policy":"#CloudFlare Vulnerability Disclosure Policy\nWe take security, trust, and transparency seriously. CloudFlare appreciates the work of security researchers and has developed a program to make it easier to report vulnerabilities to CloudFlare and to recognize you for your effort to make the Internet a better place. 
This policy provides our guidelines for reporting vulnerabilities to CloudFlare.\n\nIf you believe you have found a security vulnerability that could impact CloudFlare or our users, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. We ask that you follow CloudFlare's Vulnerability Disclosure Policy and HackerOne's Disclosure Guidelines and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research.\n\nSubmitting high quality reports is highly encouraged. Submitting low quality reports for low effort \n\n#Scope\nAny web properties owned by CloudFlare are in scope for the program. Including:\n\n- *.cloudflare.com\n\nSubmissions that are specifically detailing a \"best practice\" are out of scope unless they are exploitable en masse. Example: user enumeration through error messages. User enumeration is not an issue when it is possible to enumerate one user at a time with many failures, but a large issue when it is possible to enumerate users in a highly accurate way.\n\nVulnerabilities for StopTheHacker should be reported at https://hackerone.com/stopthehacker.\n\nCloudFlare customer sites are out of scope for our Vulnerability Disclosure program.\n\nIf you are a customer and have a password or account issue, please contact CloudFlare support. For abuse issues or law enforcement inquiries, please review our Abuse policy.\n\n#Eligibility and Disclosure\nIn order for your submission to be eligible:\n\n- You must agree to our Vulnerability Disclosure Policy.\n- You must be the first person to responsibly disclose an unknown issue. \n\nAll legitimate reports will be reviewed and assessed by CloudFlare's security team to determine if it is eligible. 
\n\nAs mentioned in our Privacy and Security Policy, CloudFlare's website and services are not intended for, or designed to attract, individuals under the age of 18. Due to the Children's Online Privacy Protection Act (COPPA), we cannot accept submissions from children under the age of 13. Reporters under the age of 18 will not be eligible to receive CloudFlare service rewards. We will find another way to recognize your effort.\n\n#Rewards\nFor each eligible vulnerability report, the reporter will receive:\n\n- Recognition on our Hall of Fame.\n- A limited edition CloudFlare bug hunter t-shirt. CloudFlare employees don't even have this shirt. It's only for you all. Wear it with pride: you're part of an exclusive group.\n- 12 months of CloudFlare's Pro or 1 month of Business service on us. \n\nMonetary compensation is not offered under the program.\n\n#Exclusions\nThe following conditions are out of scope for the vulnerability disclosure program. Any of the activities below will result in disqualification from the program permanently.\n\n- Physical attacks against CloudFlare employees, offices, and data centers.\n- Social engineering of CloudFlare employees, contractors, vendors, or service providers.\n- Knowingly posting, transmitting, uploading, linking to, or sending any malware.\n- Pursuing vulnerabilities which send unsolicited bulk messages (spam) or unauthorized messages.\n- Any vulnerability obtained through the compromise of a CloudFlare customer or employee accounts.  If you need to test a vulnerability, please create a free account.\n- Being an individual on, or residing in any country on, any U.S. 
sanctions lists.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-08-08T18:04:13.106Z"},{"id":1404593,"new_policy":"#CloudFlare Vulnerability Disclosure Policy\nWe take security, trust, and transparency seriously. CloudFlare appreciates the work of security researchers and has developed a program to make it easier to report vulnerabilities to CloudFlare and to recognize you for your effort to make the Internet a better place. This policy provides our guidelines for reporting vulnerabilities to CloudFlare.\n\nIf you believe you have found a security vulnerability that could impact CloudFlare or our users, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. We ask that you follow CloudFlare's Vulnerability Disclosure Policy and HackerOne's Disclosure Guidelines and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research.\n\n#Scope\nAny web properties owned by CloudFlare are in scope for the program. Including:\n\n- *.cloudflare.com\n\nVulnerabilities for StopTheHacker should be reported at https://hackerone.com/stopthehacker.\n\nCloudFlare customer sites are out of scope for our Vulnerability Disclosure program.\n\nIf you are a customer and have a password or account issue, please contact CloudFlare support. For abuse issues or law enforcement inquiries, please review our Abuse policy.\n\n#Eligibility and Disclosure\nIn order for your submission to be eligible:\n\n- You must agree to our Vulnerability Disclosure Policy.\n- You must be the first person to responsibly disclose an unknown issue. 
\n\nAll legitimate reports will be reviewed and assessed by CloudFlare's security team to determine if it is eligible. \n\nAs mentioned in our Privacy and Security Policy, CloudFlare's website and services are not intended for, or designed to attract, individuals under the age of 18. Due to the Children's Online Privacy Protection Act (COPPA), we cannot accept submissions from children under the age of 13. Reporters under the age of 18 will not be eligible to receive CloudFlare service rewards. We will find another way to recognize your effort.\n\n#Rewards\nFor each eligible vulnerability report, the reporter will receive:\n\n- Recognition on our Hall of Fame.\n- A limited edition CloudFlare bug hunter t-shirt. CloudFlare employees don't even have this shirt. It's only for you all. Wear it with pride: you're part of an exclusive group.\n- 12 months of CloudFlare's Pro or 1 month of Business service on us. \n\nMonetary compensation is not offered under the program.\n\n#Exclusions\nThe following conditions are out of scope for the vulnerability disclosure program. Any of the activities below will result in disqualification from the program permanently.\n\n- Physical attacks against CloudFlare employees, offices, and data centers.\n- Social engineering of CloudFlare employees, contractors, vendors, or service providers.\n- Knowingly posting, transmitting, uploading, linking to, or sending any malware.\n- Pursuing vulnerabilities which send unsolicited bulk messages (spam) or unauthorized messages.\n- Any vulnerability obtained through the compromise of a CloudFlare customer or employee accounts.  If you need to test a vulnerability, please create a free account.\n- Being an individual on, or residing in any country on, any U.S. 
sanctions lists.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-04-23T09:14:58.632Z"}]