BugHunters — Bug Bounty Platform
    Back to Programs
    Cloudflare

    Cloudflare

    Cloud/SaaS

    Global CDN and internet security company protecting and accelerating millions of websites with DDoS protection, WAF, and edge computing.

    https://cloudflare.com

    Max Reward

    $50,000

    Total Paid

    $3,400,000

    Resolved

    389

    Avg Response

    2 days

    In-Scope Assets

    dash.cloudflare.com

    Dashboard, zone management, and analytics

    Cloudflare API

    REST API for all Cloudflare services

    Workers

    Edge computing platform and KV storage

    Cloudflare Pages

    JAMstack deployment platform

    Out of Scope

    • Cloudflare Radar public data
    • Marketing and blog
    • Community forums

    Severity Levels & Rewards

    Critical

    RCE, authentication bypass, privilege escalation, fund extraction

    High

    Stored XSS, CSRF with impact, API abuse, data manipulation

    Medium

    Reflected XSS, data leakage, logic flaws, information disclosure

    Low

    Verbose errors, minor config issues, low-impact info disclosure

    Active Bounties (2)

    IDTitleSeverityStatusRewardSubmissions
    CF-001WAF bypass via chunked transfer encoding edge case
    Critical
    Open
    		$15,000–$50,0000
    CF-002Workers KV data leakage via timing side-channel
    High
    In Review
    		$5,000–$15,0001

    Rules of Engagement

    • Do not access, modify, or delete data belonging to other users.

    • Do not perform denial-of-service attacks or automated scanning at high volume.

    • Report vulnerabilities promptly and provide sufficient detail to reproduce.

    • Allow reasonable time for fix before public disclosure (90 days).

    • Safe harbor: We will not pursue legal action against researchers acting in good faith within these rules.