One of CloudFlare’s servers, which happens to be the relay for my site, has a ton of CVE’s, some of which date back to at least 2010. See https://www.shodan.io/host/18.104.22.168. What’s the best way to make them aware of this?
Since Cloudflare is a proxy for many sites, many of them could be insecure (remember that part of their business is to protect those sites), then any of those insecure sites behind any Cloudfront proxy IP, could result with server issues - which are on Cloudflare’s customers’ server, and not Cloudflare.
Of course Cloudflare could also have issues, but you can’t know which from the list really belongs to them (probably not many if at all…)
Most (if not all) of them refer to hopelessly outdated PHP versions, which are not Cloudflare related but refer directly to the hosts and sites behind Cloudflare.