Cloudflare opens $3,000 bug bounty program to the public

Praharsha Anand (https://www.cloudpro.co.uk/authors/praharsha-anand)
3 Feb, 2022
Source: https://icloud.pe/blog/cloudflare-opens-3000-bug-bounty-program-to-the-public/

Cloudflare, a provider of web infrastructure and security services, has announced the launch of its public bug bounty program.

Bug hunters and security researchers can now report vulnerabilities found in Cloudflare products as part of the company's latest program, which is hosted on HackerOne.

A private bounty program was previously launched in 2018, following a vulnerability disclosure program in 2014. The company paid $211,512 in bounties during the lifetime of this program, with 292 out of the 430 reports receiving a reward.

Rewards for Cloudflare's latest program vary with the severity of the vulnerability. Each security flaw is assigned a severity rating based on the Common Vulnerability Scoring Standard (CVSS) version 3.

There is a $3,000 payment for a critical vulnerability report, while high, medium, and low vulnerabilities are worth $1,000, $500, and $250, respectively. However, rewards vary for secondary and other targets.

As a way to make vulnerability research easier, Cloudflare also developed a sandbox called CumulusFire, which provides a standardized playground for researchers to test their exploits. The sandbox will also assist Cloudflare's security teams in reproducing potential exploits for analysis.

"CumulusFire has already helped us address the constant trickle of reports in which researchers would configure their origin server in an obviously insecure way, beyond default or expected settings, and then report that Cloudflare's WAF does not block an attack. By policy, we will now only consider WAF bypasses a vulnerability if it is reproducible on CumulusFire," explained Cloudflare.

A good place to start is to refer to the documentation on Cloudflare's developer and API portals, the Learning Center, and its support forums.

The firm also aims to add additional documentation, testing platforms, and a way for researchers to interact with its security teams to ensure submissions are valid.