Cloudflare


reports in last 90 days

24

disclosed resolved issues

6

disclosed informative issues

0

disclosed N/A issues

Listed on HackerOne — Updated on 2019/10/15

| Severity | Bug Title | Bug Type | Found By | Report Info | Report Status |
|---|---|---|---|---|---|
| High | Private API key leakage due to lack of access control | Improper Access Control - Generic | yox | Time to triage: 0 Days and 0 hours; Time to close: 6 Days and 1 hours | Resolved |
| Medium | DOM XSS on 1.1.1.1(one.one.one.one) | Cross-site Scripting (XSS) - DOM | cujanovic | Time to triage: 5 Days and 10 hours; Time to close: 7 Days and 21 hours | Resolved |
| Critical | Remote file inclusion using "/cdn-cgi/pe/bag2?r[]=" | Remote File Inclusion | grampae | Time to triage: 8 Days and 0 hours; Time to close: 96 Days and 20 hours | Resolved |
| No rating | Potential XSS vulnerability to HTML minification | Cross-site Scripting (XSS) - Generic | filedescriptor | Time to triage: 3 Days and 12 hours; Time to close: 293 Days and 5 hours | Resolved |
| Medium | // (double slash) inside es6 template literals interpreted as an inline comment by the auto-minifier | Code Injection | veggie | Time to triage: 18 Days and 15 hours; Time to close: 24 Days and 2 hours | Resolved |
| Critical | SSRF | Server-Side Request Forgery (SSRF) | linkks | Issue was not triaged; Time to close: 19 Days and 2 hours | Resolved |
| No rating | Cloudflare does not sufficiently truncate credit card numbers in invoices | Missing Encryption of Sensitive Data | webster | Issue was not triaged; Time to close: 16 Days and 4 hours | Resolved |
| Medium | Cloudflare based XSS for IE11 | None supplied | reactors08 | Issue was not triaged; Time to close: 15 Days and 14 hours | Resolved |
| Low | [http2.cloudflare.com] Open Redirect | Open Redirect | bobrov | Issue was not triaged; Time to close: 23 Days and 13 hours | Resolved |
| No rating | Reflected XSS on partners.cloudflare.com | Cross-site Scripting (XSS) - Generic | albinowax | Issue was not triaged; Time to close: 117 Days and 23 hours | Resolved |
| No rating | CSRF in Cloudflare login | Cross-Site Request Forgery (CSRF) | melvin | Time to triage: 4 Days and 1 hours; Time to close: 16 Days and 20 hours | Resolved |
| No rating | Bug Report | None supplied | thalaivarsubu | Issue was not triaged; Time to close: 9 Days and 12 hours | Resolved |
| No rating | Clickjacking : https://partners.cloudflare.com/ | UI Redressing (Clickjacking) | xsserboiii | Time to triage: 17 Days and 1 hours; Time to close: 28 Days and 19 hours | Resolved |
| No rating | Threat control information leak | Cross-Site Request Forgery (CSRF) | bitquark | Time to triage: 17 Days and 3 hours; Time to close: 366 Days and 5 hours | Resolved |
| No rating | Apache mod_negotiation filename bruteforcing | Cryptographic Issues - Generic | jpsecurityresearch | Issue was not triaged; Time to close: 0 Days and 5 hours | Informative |
| No rating | User can request for password reset link without giving his website, eventhough he have it | Violation of Secure Design Principles | born2hack | Issue was not triaged; Time to close: 1 Days and 0 hours | Informative |
| No rating | User's data leak | None supplied | sergeybelove | Time to triage: 11 Days and 15 hours; Time to close: 68 Days and 21 hours | Resolved |
| No rating | csrf on password change functionality | Cross-Site Request Forgery (CSRF) | robincool03111 | Issue was not triaged; Time to close: 23 Days and 19 hours | Resolved |
| No rating | System Status Update CSRF | Cross-Site Request Forgery (CSRF) | chandrakant | Time to triage: 22 Days and 13 hours; Time to close: 2 Days and 4 hours | Resolved |
| No rating | jplayer.swf Cross-site scripting | Cross-site Scripting (XSS) - Generic | smiegles | Time to triage: 0 Days and 2 hours; Time to close: 24 Days and 0 hours | Resolved |
| No rating | http://cdnjs.cloudflare.com/ Cross-site scripting 2 | Cross-site Scripting (XSS) - Generic | smiegles | Time to triage: 0 Days and 2 hours; Time to close: 24 Days and 0 hours | Resolved |
| No rating | Password reset threshold not set | Violation of Secure Design Principles | shahmeer-amir | Issue was not triaged; Time to close: 1 Days and 4 hours | Informative |
| No rating | Flash-based XSS in cdnjs.cloudflare.com subdomain | Cross-site Scripting (XSS) - Generic | prakharprasad | Time to triage: 0 Days and 7 hours; Time to close: 27 Days and 3 hours | Resolved |
| No rating | Content spoofing /CSRF at https://www.cloudflare.com/ajax/modal-dialog.html | Violation of Secure Design Principles | internetwache | Time to triage: 25 Days and 2 hours; Time to close: 17 Days and 7 hours | Resolved |