Silicon Valley firm has paid out more than $200,000 since private program’s 2018 launch

Cloudflare bug bounty program goes public with $3k rewards on offer

Cloudflare has launched a public bug bounty program to succeed the invite-only program in place since 2018.

Critical bugs will command payouts of $3,000, high severity flaws can earn researchers up to $1,000, medium risk vulnerabilities will net them a potential $500, and low risk issues will attract $250 payouts.

Up and running since Tuesday (February 1), the new program, as with its private forerunner, is hosted by HackerOne and has all Cloudflare’s assets in scope.

Signal-to-noise ratio

Cloudflare, the Silicon Valley provider of content delivery network (CDN) and DDoS mitigation services, said it has intended to eventually open the program to the entire ethical hacker community ever since it launched a vulnerability disclosure program (VDP) with no financial rewards in 2014.

“To reach that goal we needed to learn how to best support the researchers and improve the signal-to-noise ratio of reports, while building our internal processes to track and remediate a stream of reported vulnerabilities with our engineering teams,” reads a blog post.

Program improvements have included providing more information about targets in order to reduce the hitherto resource-sapping number of invalid submissions.




“Understanding where Cloudflare fits into the HTTP request/response pipeline can get very challenging with multiple products enabled,” explained Cloudflare. “As a result, most of the reports we received over those early years came from people who saw something that seemed atypical to them, but in our view was not actually a vulnerability in need of repair.”

Other improvements have included broadening scopes, and introducing a testing sandbox and ‘treasure maps’ to flag high risk areas.

These and other refinements have lifted the signal-to-noise ratio from 13% for the VDP to date to 68% for the private bug bounty program, in which 292 of 430 total reports have received a reward.

Some 419 hackers have participated in the private program to date, and total payouts have risen each year as more researchers have been brought on board. Total bounties paid out to date have reached more than $200,000.

Cloudflare says it intends to add further documentation and testing platforms over time, as well as improving interactions between bug hunters and security teams.

