Trust, transparency, and collaboration are values which we hold dear at CloudFlare. As a web security and performance company, we are always interested in how we can make our service and our infrastructure more secure. We also know how the power of the security researcher community can help us achieve results more quickly and more effectively than we could do on our own; witness results from our CloudFlare Heartbleed challenge. We appreciate the work that security researchers worldwide have done in helping us build a better Internet, and we want to make it even easier for them to collaborate with us. Today, we are announcing CloudFlare’s new vulnerability disclosure program.
The new vulnerability disclosure program, facilitated by HackerOne’s bug reporting platform, makes it easy to report a vulnerability you have discovered, track our progress in addressing it, and understand when it has been fixed. When we’ve fixed an eligible bug you have reported, we will recognize you publicly on our Hall of Fame page and reward you with a CloudFlare ‘Venator Errorum’ t-shirt.
Close-up of 'Venator Errorum' design on the limited edition t-shirt
This bug hunter T-shirt is a limited edition shirt and will only be available to the exclusive group of vulnerability reporters who submit an accepted bug. It is such an exclusive shirt that not even CloudFlare employees will be given one without an eligible vulnerability submission. In addition, we will also provide you with 12 months of Pro or 1 month of Business service for free if you have a domain you would like CloudFlare to make safer and faster.
We spent a lot of time considering the best way for us to manage a vulnerability reporting program, including evaluating several crowd-sourced solutions. We chose to partner with HackerOne to power this program because not only have they streamlined the disclosure process, but we also agree with their vulnerability disclosure philosophy. They have also partnered with Nginx, PHP, Yahoo, OpenSSL and a range of security-minded companies.
Previously, we did not have a dedicated external reporting channel for vulnerabilities. We realized having a formal program would improve responsiveness to vulnerability reporters and provide more transparency to the researcher community.
If you are a startup struggling with what is the best way to develop a vulnerability disclosure policy and program for your organization, feel free to reach out to us at firstname.lastname@example.org, and we will share our experiences and insight.