• Points – $4,000 per vulnerability
  • Up to $7,000 maximum reward
  • Safe harbor

Please read the following updates in relation to OOS submissions!

There is some updated language in the brief regarding submissions that are out of scope. Please re-review the bounty brief in detail and adjust your testing, and all scanners accordingly to make sure you are only testing and submitting in-scope bugs. Here is the added language:

"If you have a concern about whether a potential submission is in-scope, please first validate that it is demonstrably owned by Cloudinary, and carefully read the "Out of Scope", and the "Targets" sections. If it is still unclear but you believe it should still be considered, please submit via the program ONLY (instead of alternate channels like email), and include a few sentences describing your judgement regarding scope. Submissions that demonstrate thoughtful consideration for scope but that we ultimately do not act on will receive a "Not Applicable" status, rather than "Out Of Scope" with negative points."

If you have any questions on the change in the scope, please reach out to