I'm wondering why Cloudflare considers a massive critical phishing campaign, rated (9), that is being carried out within one of its main services as an ineligible vulnerability and does not offer a bounty for it?

The only place to report bounties is HackerOne

Have you tried reporting it anyway?

Is someone exploiting a vulnerability to execute this campaign? Or is this more of a ToS violation?

Using Cloudflare to host a phishing script, and it's not a simple script

This doesn’t sound like a vulnerability, and more simply a case of someone violating Cloudflare’s ToS / Abuse policies.

If you feel that a site is engaging in illegal or inappropriate activities, you can submit an abuse report at The Trust and Safety team will review the details and reply if appropriate. You can also report the site to your relevant local authorities. Reports cannot be filed on this forum directly.


It's not just a single site, I'm talking about a massive campaign

The abuse form can be used for that too, and is exactly where you should report things like this.

What about the bounty?

You don’t get bounties for reporting abuse.

If you have found a legitimate security issue with Cloudflare’s products/systems outside of just an abuse report, you can review the HackerOne link @Erisa posted above.


But isn’t phishing considered a vulnerability? CAPEC-98

I’m not sure you really understand what a vulnerability is. Cloudflare sits in front of an astronomical number of websites - they’re not going to pay out every single time someone decides to violate their TOS.

If you found a way to host a phishing page on explicitly, this might be a different story, but I would encourage you to research a little more about the difference between a vulnerability in a platform/service, vs just abuse of that platform or service.

Otherwise, a group of friends could just take turns hosting phishing sites on Cloudflare, reporting them, and making money - do you see how this doesn’t make sense?

Once again, you can report the abusive sites via Let’s not turn this into a beg bounty, please.


I’m not turning it into a beg bounty, I’ll be reporting the abuse to Cloudflare, thanks


