• Points – $4,000 per vulnerability
  • Up to $7,000 maximum reward
  • Safe harbor

Program stats

  • Vulnerabilities rewarded 161
  • Validation within 5 days 75% of submissions are accepted or rejected within 5 days
  • Average payout $245 within the last 3 months

Latest hall of famers

Recently joined this program

1679 total


Please note: This program or engagement does not allow disclosure. You may not release information about vulnerabilities found in this program or engagement to the public.

Cloudinary, a SaaS/API provider that streamlines a website's entire image management pipeline, is the market leader in providing a comprehensive cloud-based image and video management platform.

Using Cloudinary you can easily move all your website’s images and other assets to the cloud. Automatically perform smart image resizing, cropping, merging, overlay, watermark, apply effects, rotations and perform format conversions. All this without installing any complex software. Simply put, if you have images in your web or mobile app, let Cloudinary manage them for you.

Cloudinary offers comprehensive APIs and administration capabilities and is easy to integrate with any web application. To simplify integration further we also have client libraries for Ruby on Rails, Python/Django, PHP, .NET, Node.js and more. In addition, alternative integration methods allow non-developers, bloggers and website administrators to enjoy Cloudinary with nearly zero code changes.

We truly believe that this program plays a key role in protecting our customers and their data. We appreciate all security submissions and strive to respond in an expedient manner.

General Guidelines

  • Vulnerability reports which do not include careful manual validation - for example, reports based only on results from automated tools and scanners or which describe theoretical attack vectors without proof of exploitability - will be automatically closed as “Not Applicable”.
  • Verify your submission details, steps to reproduce and working proof of concept.
  • Collect only the information necessary to demonstrate the vulnerability. Do not conduct any escalation processes. Please report it “as is” and we will reward you with an appropriate bounty taking into full consideration the severity of what could be done.
  • When investigating a vulnerability, please only target your own account and do not attempt to access data from anyone else’s account.

Reward Guidelines

We base all payouts on impact and will reward accordingly. Please emphasize the impact as part of your submission.

We are particularly interested and will consider extraordinary submissions for:

  • Major exposures around customer data leak
  • Issues that result in full compromise of a system (e.g, RCE, obtain a shell back from our network)
  • Business logic bypasses resulting in significant impact
  • Major operational failure (excluding Denial of Service related submissions)

Scope and rewards

Program rules

This program follows Bugcrowd’s standard disclosure terms.

For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please submit through the Bugcrowd Support Portal. We will address your issue as soon as possible.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.