Reports in the Cloudflare public bug bounty program:

| S.No | Title | Bounty |
|------|-------|--------|
| 1 | Using special IPv4-mapped IPv6 addresses to bypass local IP ban | $7,500 |
| 2 | HTTP Request Smuggling in Transform Rules using hexadecimal escape sequences in the concat() function | $6,000 |
| 3 | Hijack all emails sent to any domain that uses Cloudflare Email Forwarding | $6,000 |
| 4 | Cloudflare CASB Confused Deputy Problem | $3,300 |
| 5 | HTTP request smuggling with Origin Rules using newlines in the host_header action parameter | $3,100 |
| 6 | Take over subdomains of r2.dev using R2 custom domains | $1,125 |
| 7 | Sign in with Apple works on existing accounts, bypasses 2FA | $1,000 |
| 8 | Completely remove VPN profile from locked WARP iOS client | $1,000 |
| 9 | I found another way to bypass Cloudflare WARP lock! | $1,000 |
| 10 | Ability to bypass locked Cloudflare WARP on wifi networks | $1,000 |
| 11 | API docs expose an active token for the sample domain theburritobot.com | $500 |
| 12 | Bypassing Cache Deception Armor using .avif extension file | $500 |
| 13 | Lack of Packet Sanitation in Goflow Results in Multiple DoS Attack Vectors and Bugs | $500 |
| 14 | Bypass Cloudflare WARP lock on iOS | $500 |
| 15 | Extraction of Pages build scripts, config values, tokens, etc. via symlinks | $500 |
| 16 | Privilege escalation to root in Pages build image v2 | $350 |
| 17 | Bypass R2 payment screen | $350 |
| 18 | Sign in with Apple generates long-life JWTs, seemingly irrevocable, that grant immediate access to accounts | $250 |
| 19 | Bypass two-factor authentication | $250 |
| 20 | cd=false (DNSSEC) not respected in DNS over HTTPS JSON requests | $250 |
| 21 | Misconfigured build on websites "abuse.cloudflare.com" | $100 |
| 22 | Basic XSS [WAF Bypasses] | $50 |
| 23 | Blind SSRF on platform.dash.cloudflare.com due to Sentry misconfiguration | $0 |
| 24 | Enable 2FA verification without verifying email | $0 |
| 25 | Signup with any Email and Enable 2FA without verifying Email | $0 |
| 26 | Password Policy Restriction Bypass | $0 |
| 27 | Origin IP address disclosure through Pingora response header | $0 |
| 28 | Bypassing creation of API tokens without email verification | $0 |
| 29 | Session mismatch leading to potential account takeover (local access required) | $0 |
| 30 | Cloudflare is not properly deleting user's account | $0 |
| 31 | A malicious actor could rotate tokens of a victim, given that he knows the victim's token ID | $0 |
| 32 | 💥💥Crash report - Cloudflare WARP doesn't verify text length in "Excluded Host" name input data💥💥 | $0 |
| 33 | Plaintext leakage of DNS requests in Windows 1.1.1.1 WARP client | $0 |
| 34 | Ability to bypass Admin override on Cloudflare WARP Android | $0 |
| 35 | 2FA BYPASS | $0 |
| 36 | Permanent CASB Integration Takeover due to Improper Access Controls + Confused Deputy Problem | $0 |
| 37 | Accessing apps protected via ZT's Access when user account is deleted/disabled even after clearing user session/seat | $0 |
| 38 | YAML schema injection risk in Swagger UI via schema_url parameter at developers.cloudflare.com | $0 |
| 39 | Yet Another CASB Integration Takeover of Active Integrations | $0 |
| 40 | Arbitrary file read from Cloudflare Pages build environment | $0 |