If you have discovered a vulnerability in Cloudflare or another serious security issue, please submit it to our bounty program hosted by HackerOne.
For password and login problems, if you think your account has been "stolen," or other issues with your Cloudflare account, please visit our support site.
Maintaining the security, privacy, and integrity of our products is a priority at Cloudflare. Cloudflare therefore appreciates the work security researchers do to improve our security posture. We are committed to creating a safe, transparent environment to report vulnerabilities.
If you believe you have found a security vulnerability that could impact Cloudflare or our users, we encourage you to report this right away. We will investigate all legitimate reports and fix the problem as soon as we can. We ask that you follow Cloudflare’s Vulnerability Disclosure Policy, HackerOne’s Disclosure Guidelines, and make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service during your research.
Services that Cloudflare provides or any Cloudflare product, including Cloudflare Workers, are in scope. An exception is support.cloudflare.com, which is hosted by Zendesk. Particular research focus areas can be found on the Cloudflare HackerOne profile as they are available.
The following conditions are out of scope for the Vulnerability Disclosure Program. Any of the activities below will result in disqualification from the program permanently.
Cloudflare pledges not to initiate legal action against researchers as long as they adhere to the guidelines outlined in our Vulnerability Disclosure Policy and the HackerOne Disclosure Guidelines. In order to protect our customers, Cloudflare requests that you not post or share any information about a potential vulnerability in any public setting until we have researched, responded to, and addressed the reported vulnerability and informed customers if needed.
As mentioned in our Privacy Policy, Cloudflare's website and services are not intended for, or designed to attract, individuals under the age of 18. Due to the Children's Online Privacy Protection Act (COPPA), we cannot accept submissions from children under the age of 13.
This program is not open to any individual on, or residing in any country on, any U.S. sanctions lists.
The decision to pay a reward is entirely at our discretion. You must not violate any law. You are responsible for any tax implications or additional restrictions depending on your country and local law. We reserve the right to cancel this program at any time.
For abuse issues or law enforcement inquiries, please review our Abuse policy.