If you have discovered a vulnerability in Cloudflare or another serious security issue, please submit it to our bounty program hosted by HackerOne.
For password and login problems, if you think your account has been "stolen," or other issues with your Cloudflare account, please visit our support site.
Maintaining the security, privacy, and integrity of our products is a priority at Cloudflare. Therefore, Cloudflare appreciates the work of security researchers in order to improve our security posture. We are committed to creating a safe, transparent environment to report vulnerabilities.
If you believe you have found a security vulnerability that could impact Cloudflare or our users, we encourage you to report this right away. We will investigate all legitimate reports and fix the problem as soon as we can. We ask that you follow Cloudflare’s Vulnerability Disclosure Policy, HackerOne’s Disclosure Guidelines, and make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service during your research.
Services that Cloudflare provides or any Cloudflare product, including Cloudflare workers, are in scope. An exception is support.cloudflare.com which is hosted by Zendesk. Particular research focus areas can be found on the Cloudflare HackerOne profile as they are available.
The following conditions are out of scope for the Vulnerability Disclosure Program. Any of the activities below will result in disqualification from the program permanently.
In order for your submission to be eligible:
All legitimate reports will be reviewed and assessed by Cloudflare’s security team to determine if it is eligible.
As mentioned in our Privacy and Security Policy, Cloudflare's website and services are not intended for, or designed to attract, individuals under the age of 18. Due to the Children's Online Privacy Protection Act (COPPA), we cannot accept submissions from children under the age of 13.