[GH-ISSUE #66] Is vinext covered under Cloudflare's HackerOne bug bounty program? #18

Closed
opened 2026-05-06 12:36:31 +02:00 by BreizhHardware · 1 comment

Originally created by @0ni-x4 on GitHub (Feb 25, 2026).
Original GitHub issue: https://github.com/cloudflare/vinext/issues/66

Question

The SECURITY.md in this repo points to Cloudflare's HackerOne bug bounty program (https://hackerone.com/cloudflare) and states:

All Cloudflare products are in scope for reporting.

However, the README describes vinext as "experimental" and "an experiment in AI-driven software development," with the note:

Can I use this in production? You can, with caution. This is experimental software with known bugs.

Cloudflare's HackerOne program excludes:

Demo and Test Applications — Reports targeting demo, test, or proof-of-concept (PoC) are not in scope for bounty. These are not intended for production use and offer no performance, security, or reliability guarantees.

The question

Does vinext (the framework itself, not the deployed example apps) fall under Cloudflare's bug bounty scope, or would it be classified as a "demo/test/PoC application" and excluded?

If it is in scope, would valid security findings in the framework code (e.g., CSRF bypasses, SSRF in the proxy layer, cache poisoning in the KV handler) be eligible for bounty consideration?

Asking before filing anything on HackerOne to avoid wasting both sides' time. Thanks!


@AlbertSPedersen commented on GitHub (Feb 25, 2026):

Hi @0ni-x4. This project is considered in-scope of our bug bounty program. If you can demonstrate a vulnerability that is realistically exploitable in a best practices production deployment of vinext, please report it to us via HackerOne (https://hackerone.com/cloudflare?type=team) so we can take a look.
