• Points – $1,500 per vulnerability
  • Up to $5,000 maximum reward
  • Safe harbor
  • Managed by Bugcrowd

Program stats

71 vulnerabilities rewarded

Validation within 4 days
75% of submissions are accepted or rejected within 4 days

$1,100 average payout (last 3 months)

Latest hall of famers

Recently joined this program


Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

Cloudinary is a SaaS/API provider that streamlines a website's entire image management pipeline. Cloudinary strives to be the standard for online images acquisition, manipulation and delivery.

Using Cloudinary you can easily move all your website’s images and other assets to the cloud. Automatically perform smart image resizing, cropping, merging, overlay, watermark, apply effects, rotations and perform format conversions. All this without installing any complex software. Integrate Facebook, Twitter, Google+ and Gravatar profile image extraction in a snap, fetch images from any online resource in any dimension and style to match your website’s graphics requirements, and much more. Simply put, if you have images in your web or mobile app, let Cloudinary manage them for you.

Cloudinary offers comprehensive APIs and administration capabilities and is easy to integrate with any web application. To simplify integration further we also have client libraries for Ruby on Rails, Python/Django, PHP, .NET, Node.js and more. In addition, alternative integration methods allow non-developers, bloggers and website administrators to enjoy Cloudinary with nearly zero code changes.

For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.

We are particularly interested and will consider extraordinary submissions around:

  • Major exposures around customer data leak
  • Issues that result in full compromise of a system (RCE, etc.)
  • Business logic bypasses resulting in significant impact
  • Major operational failure

Reward range

Last updated

Technical severity Reward range
p1 Critical $500 - $1,500
p2 Severe $300 - $500
p3 Moderate Up to: $300
P4 are only eligible to receive kudos points. P5 submissions do not receive any rewards for this program.


In scope

Target name Type Website API API Website

Out of scope

Target name Type Website Website

Testing is only authorized on the targets listed as In-Scope. Any domain/property of Cloudinary not listed in the targets section is out of scope. This includes any/all subdomains not listed above. If you believe you've identified a vulnerability on a system outside the scope, please reach out to before submitting.


Please check out our full documentation for feature explanation, what's possible, and our API docs here:


You must use your @bugcrowdninja email address to set up your Cloudinary account. The main reason for doing so is that in case of need, our team will know you’re from Bugcrowd and have no malicious intentions.
For more info regarding @bugcrowdninja email addresses, see here.

Focus Areas

  • (admin and upload apis)
  • (delivery CDN)
  • (upload widget UI)


  • Do not test UI widgets posting feedback (“Tell us what you think” form) to
  • Cloudinary has built-in functionality to fetch remote URLs to read remote files into the system, via fetch URL (<remote url>), via the upload API's URL parameter ( and in other places in the API. This functionality as it's meant to be used will not be considered an SSRF vulnerability when allowing access to external servers, even though it might be used to anonymously scan other web servers for vulnerabilities or open ports other than common web ports. We will accept disclosures that show how this functionality is used to access internal networks or external services having significant security or DOS impact.
  • Support tickets (due to the load on our support teams, please DO NOT perform any testing on, or create any, support tickets)
  • Social engineering / phishing

Safe Harbor:

When conducting vulnerability research according to this policy, we consider this research to be:

  • Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
  • Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
  • Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
  • Lawful, helpful to the overall security of the Internet, and conducted in good faith.
  • You are expected, as always, to comply with all applicable laws.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through this program, or inquire via before going any further.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.