Cloudflare Public Bug Bounty Program Statistics
29 total issues disclosed
$0 total paid publicly
Most disclosed (7 disclosures) — Cross-site Scripting (XSS) - Generic
Disclosed Reports
| Report Title | Vulnerability Type | Disclosed By | Severity | Disclosed on |
|---|---|---|---|---|
| DOM XSS on 1.1.1.1(one.one.one.one) | Cross-site Scripting (XSS) - DOM | cujanovic | Medium | 2018-10-17 |
| Remote file inclusion using "/cdn-cgi/pe/bag2?r[]=" | Remote File Inclusion | grampae | Critical | 2018-08-15 |
| Private API key leakage due to lack of access control | Improper Access Control - Generic | yox | High | 2018-08-08 |
| Potential XSS vulnerability to HTML minification | Cross-site Scripting (XSS) - Generic | filedescriptor | No rating | 2018-04-17 |
| // (double slash) inside es6 template literals interpreted as an inline comment by the auto-minifier | Code Injection | veggie | Medium | 2018-03-17 |
| SSRF | Server-Side Request Forgery (SSRF) | linkks | Critical | 2018-02-25 |
| Cloudflare does not sufficiently truncate credit card numbers in invoices | Missing Encryption of Sensitive Data | webster | No rating | 2018-01-12 |
| Cloudflare based XSS for IE11 | None supplied | reactors08 | Medium | 2017-05-04 |
| [http2.cloudflare.com] Open Redirect | Open Redirect | bobrov | Low | 2017-03-24 |
| Reflected XSS on partners.cloudflare.com | Cross-site Scripting (XSS) - Generic | albinowax | No rating | 2016-10-26 |
| CSRF in Cloudflare login | Cross-Site Request Forgery (CSRF) | melvin | No rating | 2016-10-07 |
| Bug Report | None supplied | thalaivarsubu | No rating | 2016-06-16 |
| Clickjacking : https://partners.cloudflare.com/ | UI Redressing (Clickjacking) | xsserboiii | No rating | 2016-03-06 |
| Threat control information leak | Cross-Site Request Forgery (CSRF) | bitquark | No rating | 2015-06-20 |
| User's data leak | None supplied | sergeybelove | No rating | 2014-09-28 |
| User can request for password reset link without giving his website, eventhough he have it | Violation of Secure Design Principles | born2hack | No rating | 2014-09-19 |
| Apache mod_negotiation filename bruteforcing | Cryptographic Issues - Generic | jpsecurityresearch | No rating | 2014-09-19 |
| System Status Update CSRF | Cross-Site Request Forgery (CSRF) | chandrakant | No rating | 2014-09-10 |
| csrf on password change functionality | Cross-Site Request Forgery (CSRF) | robincool03111 | No rating | 2014-09-07 |
| http://cdnjs.cloudflare.com/ Cross-site scripting 2 | Cross-site Scripting (XSS) - Generic | smiegles | No rating | 2014-08-08 |
| jplayer.swf Cross-site scripting | Cross-site Scripting (XSS) - Generic | smiegles | No rating | 2014-08-08 |
| Flash-based XSS in cdnjs.cloudflare.com subdomain | Cross-site Scripting (XSS) - Generic | prakharprasad | No rating | 2014-07-17 |
| CSRF and No password requirement in this URL Billing Info | Cross-site Scripting (XSS) - Generic | shahmeer-amir | No rating | 2014-07-08 |
| Content spoofing /CSRF at https://www.cloudflare.com/ajax/modal-dialog.html | Violation of Secure Design Principles | internetwache | No rating | 2014-07-08 |
| Password reset threshold not set | Violation of Secure Design Principles | shahmeer-amir | No rating | 2014-07-08 |
| Cookie missing the Secure flag | None supplied | 0xsaikiran | No rating | 2014-05-22 |
| XSS - http://js.cloudflare.com | Cross-site Scripting (XSS) - Generic | dekeeu | No rating | 2014-05-22 |
| Apache Multiviews are enabled | Denial of Service | shahmeer-amir | No rating | 2014-05-22 |
| Security issue with your "bag" script | None supplied | peterjaric | No rating | 2014-05-07 |