Hello, Researcher!

We take security, privacy, and transparency seriously.

Cloudflare appreciates your effort to help us all build a better, more secure Internet.

Spotting Security & Privacy Issues

If you have discovered a vulnerability in Cloudflare or another serious security or privacy issue, please submit it to our bounty program hosted by HackerOne.

Your Cloudflare Account

For password and login problems, if you think your account has been "stolen," or other issues with your Cloudflare account, please visit our support site.

Cloudflare Vulnerability Disclosure Policy

Maintaining the security, privacy, and integrity of our products is a priority at Cloudflare. Therefore, Cloudflare appreciates the work of researchers in order to improve our security and/or privacy posture. We are committed to creating a safe, transparent environment to report vulnerabilities.

If you believe you have found a security or privacy vulnerability that could impact Cloudflare or our users, we encourage you to report this right away. We will investigate all legitimate reports and fix the problem as soon as we can. We ask that you follow Cloudflare’s Vulnerability Disclosure Policy, HackerOne’s Disclosure Guidelines, and make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service during your research.


Services that Cloudflare provides or any Cloudflare product, including Cloudflare workers, are in scope. An exception is support.cloudflare.com which is hosted by Zendesk. Particular research focus areas can be found on the Cloudflare HackerOne profile as they are available.

The following conditions are out of scope for the Vulnerability Disclosure Program. Any of the activities below will result in disqualification from the program permanently.

  • Customers of Cloudflare or non Cloudflare sites behind our infrastructure.
  • Any vulnerability obtained through the compromise of a Cloudflare customer or employee accounts.
  • Missing Best Practice, Configuration or Policy Suggestions.
  • Any Denial of Service (DoS) attack against Cloudflare and our products.
  • Physical attacks against Cloudflare employees, offices, and data centers.
  • Social engineering of Cloudflare employees, contractors, vendors, or service providers.
  • Knowingly posting, transmitting, uploading, linking to, or sending any malware.
  • Pursuing vulnerabilities which send unsolicited bulk messages (spam) or unauthorized messages.

Eligibility and Disclosure


  • You must agree to our Vulnerability Disclosure Policy.
  • You must be the first person to responsibly disclose an unknown issue.

Cloudflare pledges not to initiate legal action against researchers as long as they adhere to the guidelines outlined in our Vulnerability Disclosure Policy and the HackerOne Disclosure Guidelines. In order to protect our customers, Cloudflare requests that you not post or share any information about a potential vulnerability in any public setting until we have researched, responded to, and addressed the reported vulnerability and informed customers if needed.

As mentioned in our Privacy Policy, Cloudflare's website and services are not intended for, or designed to attract, individuals under the age of 18. Due to the Children's Online Privacy Protection Act (COPPA), we cannot accept submissions from children under the age of 13.

This program is not open to any individual on, or residing in any country on, any U.S. sanctions lists.

The decision to pay a reward is entirely at our discretion. You must not violate any law. You are responsible for any tax implications or additional restrictions depending on your country and local law. We reserve the right to cancel this program at any time.

For abuse issues or law enforcement inquiries, please review our Abuse policy.

Submit a report