As the OpenSSL heartbleed saga unfolded over the last couple of weeks, one of the companies that was at the forefront of figuring out the scope and effects of the problem was CloudFlare. The company put up a challenge server, asking researchers to hit it with the heartbleed exploit to determine whether private SSL keys really could be leaked via the exploit. (Spoiler alert: they can.) And now, building on the back of that interaction with the research community, CloudFlare is launching a new vulnerability disclosure program in conjunction with the HackerOne bug-bounty platform.
CloudFlare is part of the newer wave of infrastructure and platform companies that are offering rewards to researchers who responsibly disclose vulnerabilities. Most of these organizations, such as Yahoo, Google, PayPal, Facebook and others, pay out monetary rewards to researchers who meet their conditions. CloudFlare isn’t giving researchers money, but rather a one-year professional subscription to the company’s service, recognition on its site and an exclusive t-shirt.
“We spent a lot of time considering the best way for us to manage a vulnerability reporting program, including evaluating several crowd-sourced solutions. We chose to partner with HackerOne to power this program because not only have they streamlined the disclosure process, but we also agree with their vulnerability disclosure philosophy. They have also partnered with Nginx, PHP, Yahoo, OpenSSL and a range of security-minded companies,” Jamie Tomasello of CloudFlare wrote in a post announcing the new program.
“Previously, we did not have a dedicated external reporting channel for vulnerabilities.
HackerOne, also referred to as the Internet Bug Bounty program, is essentially a platform for facilitating and tracking bug bounty programs and disclosed vulnerabilities. A number of the major vendors with such programs use HackerOne, and the system enables anyone to see when vulnerabilities have been reported and track their progress up through payment of a reward.
To qualify for CloudFlare’s reward program, researchers need to report a vulnerability in the company’s main site, cloudflare.com, or in its stopthehacker.com site. The company’s customers’ sites aren’t in scope for the program.