The Cloudflare Bug Bounty program and Cloudflare Pages
Cloudflare collaborated with Assetnote through Cloudflare's Public Bug Bounty program to discover and patch vulnerabilities in Cloudflare Pages. The team re-architected the platform to use gVisor for further isolation of builds. The post shares information about the research that could help others make their infrastructure more secure and encourages participation in the bug bounty program. It details six bugs discovered, including command injection vulnerabilities, API key disclosure, Bash path injection, Azure pipeline escape, and Kubernetes control plane secrets exposure. Cloudflare notified customers who might have been exposed to the vulnerabilities and thanked the security researchers for their collaboration.
Company: Cloudflare
Date published: May 6, 2022
Author(s): Evan Johnson, Natalie Rogers
Word count: 1749
Hacker News points: None found.
Language: English