Cloudflare launches a paid public bug bounty program

by | Feb 2, 2022 | News

Cloudflare, an American company focused on web infrastructure and website security, has announced the launch of a new public bug bounty program.

“Today we are launching Cloudflare’s paid public bug bounty program,” said Rushil Shah, a Product Security Engineer at Cloudflare.

“We believe bug bounties are a vital part of every security team’s toolbox and have been working hard on improving and expanding our private bug bounty program over the last few years.”

The new public bug bounty program follows a vulnerability disclosure program, created in 2014, that offered no cash bounties. Through that program Cloudflare received 1,197 reports, of which only 13% were valid, largely because researchers struggled to understand its infrastructure and products.

In 2018, Cloudflare launched a private bug bounty program focused on providing a better experience for researchers. By mid-January 2022, Cloudflare had awarded $211,512 in bounties for in-scope vulnerabilities, with annual payouts rising from $4,500 in 2018 to $101,075 in 2021.

Before opening the new public program, the company also released a testing sandbox named CumulusFire, which gives bug hunters a standardized playground in which to test exploits.

Cloudflare’s new bug bounty program

Starting today, bug hunters can report security vulnerabilities found in Cloudflare products through the company’s new public bug bounty program, hosted on the HackerOne platform.

Researchers can find more information on Cloudflare’s products in the company’s Developer documentation, API documentation, the Learning Center, and materials found on Cloudflare’s support forums.

The breakdown of bounty awards by target category and by the issue’s CVSS v3 severity rating is shown in the table below.

Severity            Critical (9.0 – 10.0)   High (7.0 – 8.9)   Medium (4.0 – 6.9)   Low (0.1 – 3.9)
Primary Targets     $3,000                  $1,000             $500                 $250
Secondary Targets   $2,700                  $750               $350                 $200
Other               $2,100                  $500               $200                 $100

Depending on a vulnerability’s mitigating factors and Cloudflare’s business risk assessment, the reported issues might receive a lower severity rating.

“Just as we grew our private program, we will continue to evolve our public bug bounty program to provide the best experience for researchers,” Shah added.

“We aim to add more documentation, testing platforms and a way to interact with our security teams so that researchers can be confident that their submissions represent valid security issues.”

Source: bleepingcomputer.com