├── writeups
│   ├── CVE
│   │   └── .gitkeep
│   └── hackerone
│       └── .gitkeep
├── test
│   └── test1.py
├── CHANGELOG.md
├── .github
│   └── workflows
│       └── semgrep.yml
├── CONTRIBUTING.md
├── SECURITY.txt
└── README.md

--------------------------------------------------------------------------------
/writeups/CVE/.gitkeep:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
/writeups/hackerone/.gitkeep:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
/test/test1.py:
--------------------------------------------------------------------------------
print("this is testing")
--------------------------------------------------------------------------------
/CHANGELOG.md:
--------------------------------------------------------------------------------
# Changelog

All notable changes to this project will be documented in this file.

The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

## [1.0.0] - 2021-01-19

### Added

- Repo directory skeleton is defined.
- First pass on README, CONTRIBUTING, SECURITY.txt supporting docs.

--------------------------------------------------------------------------------
/.github/workflows/semgrep.yml:
--------------------------------------------------------------------------------
name: Reusable workflow with Semgrep

on:
  workflow_call:

permissions:
  contents: read

jobs:
  semgrep:
    name: Semgrep Scan
    runs-on: ubuntu-latest

    container:
      image: semgrep/semgrep

    if: (github.actor != 'dependabot[bot]')

    steps:
      - uses: actions/checkout@v4
      - run: semgrep ci
        env:
          SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
          SEMGREP_URL: https://cloudflare.semgrep.dev
          SEMGREP_APP_URL: https://cloudflare.semgrep.dev
          SEMGREP_VERSION_CHECK_URL: https://cloudflare.semgrep.dev/api/check-version

--------------------------------------------------------------------------------
/CONTRIBUTING.md:
--------------------------------------------------------------------------------
# Contribution guide

## Adding a writeup to this repo

If you have worked on a CVE with our team or have gotten approval in your HackerOne
report to publicly disclose a vulnerability:

1. Fork this repo.
2. Draft a writeup in a branch titled after the vulnerability.
3. Submit a PR to this repo.

## Bumping the CHANGELOG

Any change to the repo, including advisories of any kind, warrants a bump to the
CHANGELOG.

Follow [Keep a Changelog](https://keepachangelog.com/en/1.0.0/) to the best of your ability. New
writeups and GitHub security advisories are minor releases, while changes to the repo process are major. Typos and content revisions are considered patch releases.

--------------------------------------------------------------------------------
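The workflow in /.github/workflows/semgrep.yml above is a reusable workflow (`on: workflow_call`), so nothing runs until a workflow in another repository calls it. The caller below is an added example, not a file from this repo. It assumes the reusable workflow is consumed from `cloudflare/advisories` at the `main` ref and that the caller wants scans on pull requests and pushes to `main`; the file name, triggers and ref are assumptions. Two points matter to the caller: the called workflow reads `secrets.SEMGREP_APP_TOKEN` but declares no `secrets:` under `workflow_call`, so an explicitly named secret would be rejected and the caller has to forward secrets with `secrets: inherit`; and, for supply-chain hygiene, a production caller should pin `uses:` to a full commit SHA rather than a mutable branch or tag.

```yaml
# Example caller workflow (added example, not from the repo).
# Assumed path in the consuming repository: .github/workflows/semgrep-call.yml
name: Semgrep

on:
  pull_request: {}
  push:
    branches: [main]

# Least privilege: the reusable workflow only needs to read the checkout.
permissions:
  contents: read

jobs:
  semgrep:
    # Assumed location of the reusable workflow. Replace @main with a full
    # 40-character commit SHA before relying on this in production, so a
    # change to the called workflow cannot silently change what runs here.
    uses: cloudflare/advisories/.github/workflows/semgrep.yml@main
    # The called workflow has no `secrets:` block under workflow_call, so
    # secrets cannot be passed by name; inherit forwards SEMGREP_APP_TOKEN.
    secrets: inherit
```

The `permissions` block in the caller is a ceiling: the called workflow's own `contents: read` cannot exceed what the caller grants, so keeping both minimal is the safe default.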
/SECURITY.txt:
--------------------------------------------------------------------------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Contact: https://hackerone.com/cloudflare

# If you'd like to encrypt your message, please do so within the the body of the message.
# Our email system doesn't handle PGP-MIME well.
Contact: mailto:security@cloudflare.com

# All abuse reports should be submitted to our Trust & Safety team through our dedicated page.
Contact: https://www.cloudflare.com/abuse/

Preferred-Languages: en

Encryption: https://www.cloudflare.com/gpg/security-at-cloudflare-pubkey-06A67236.txt
Canonical: https://www.cloudflare.com/.well-known/security.txt

Policy: https://www.cloudflare.com/disclosure

# Search for Security :)
Hiring: https://www.cloudflare.com/careers/jobs/

Expires: Sat, 20 Mar 2021 13:24:05 -0700
-----BEGIN PGP SIGNATURE-----

iQJMBAEBCAA2FiEEDnvvEuWaqyVBavSjIi/eggamcjYFAl51JmUYHHNlY3VyaXR5
QGNsb3VkZmxhcmUuY29tAAoJECIv3oIGpnI2RFcP/iT8SQ+QQKYIcVhmA0Ro06FA
6dSMr8EPX/aMJ2AfOB+umhEDQeY+QnFd9PaBTPrHZeeoXcp6+DsukYWo+4qR697x
Tif+p2IS87DHaR7QaA5x4H7yjV5d8cX7qJIYVkQUQ28jvQIK/q703Y/2iP9tCa+2
vLA7VsU/H2kovFFnuZX1WGuVhmoqVPJ+q29yhNs7+SshZ59+l/Sfw9Cbbk8PvGfe
FYdEL4Kkn+ZimePTulLKhLYgzout2IMVQ4p6ClrDDhOQtv4bYnaS01YduMHdKukD
rDeWflQTRQltTBv35pGG/nnmRZ2ZJQBiNC1v1peKxTlRBMjoFsljeW2/9G5MpBuZ
sO/Rw1ZS60m0ClPgBpg+fyRuDC8UimTPoy7khjdyOZYlk8VWl2DWtH5j/KXdorWY
rWxn3mxZWUjyokDcXzQWL+2NRnYI/lNAEMsf8t7c+sgYTYSawaQGOP2m0ENrRf7j
Xqw4SQtoaC49qEMgZDR0G2lYo3NSSrNiNrdQy208pE5Vv/qEqzfWdyGzVfXlEC4J
x3Edl2x1PAsEpV2l+rE0v2Rer3oPdObOPXhjG+IBvmf15R/ZAttd5ZUsoUzNVuCe
i1Ifh7GBtx1FUPjCQ55ijpa9Z+qelRXvIN0webhxNjufrhDyhZDcyg8BRq0N3pV6
asvDZc1SKq9jVv9OsfUI
=1a93
-----END PGP SIGNATURE-----

--------------------------------------------------------------------------------
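The SECURITY.txt above is a PGP cleartext-signed file in the security.txt format (RFC 9116), and the checks a triager actually runs against such a file are mechanical: is there a Contact, is there exactly one Expires, and has it already lapsed. The checker below is an added example, not code from the Cloudflare repo. It strips the cleartext-signature wrapper, parses the fields, and reports those problems. RFC 9116 requires an RFC 3339 timestamp for Expires, while this file uses the RFC 5322 date form from earlier drafts, so the parser accepts both. It does not verify the PGP signature; that needs gpg and the key at the Encryption URL. The sample input embeds this repo's fields with the armored signature replaced by a constructed placeholder line.

```python
"""security.txt (RFC 9116) checker: added example, not part of the Cloudflare repo."""
from __future__ import annotations

from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

PGP_HEADER = "-----BEGIN PGP SIGNED MESSAGE-----"
PGP_SIG_BEGIN = "-----BEGIN PGP SIGNATURE-----"


def strip_cleartext_signature(text: str) -> str:
    """Return the signed body of a PGP cleartext message, or text unchanged."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != PGP_HEADER:
        return text
    body: list[str] = []
    in_armor_headers = True  # "Hash: ..." lines run until the first blank line
    for line in lines[1:]:
        if in_armor_headers:
            if line.strip() == "":
                in_armor_headers = False
            continue
        if line.strip() == PGP_SIG_BEGIN:
            break
        # Cleartext signing dash-escapes body lines starting with "-" (RFC 4880 7.1)
        body.append(line[2:] if line.startswith("- ") else line)
    return "\n".join(body)


def parse_security_txt(text: str) -> dict[str, list[str]]:
    """Collect 'Field: value' lines; '#' comments and blanks are ignored.
    Field names are case-insensitive, so keys are lower-cased."""
    fields: dict[str, list[str]] = {}
    for raw in strip_cleartext_signature(text).splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")  # split on the first colon only
        if not sep:
            continue  # not a field line
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def parse_expires(value: str) -> datetime:
    """RFC 9116 requires RFC 3339; earlier drafts (and this repo's file) use an
    RFC 5322 date. Accept both and treat a naive time as UTC."""
    try:
        dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        dt = parsedate_to_datetime(value)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt


def check_security_txt(text: str, now: datetime) -> list[str]:
    """Return the problems a triager would flag; an empty list means it passes."""
    fields = parse_security_txt(text)
    problems: list[str] = []
    if not fields.get("contact"):
        problems.append("no Contact field (required)")
    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append(f"expected exactly one Expires field, found {len(expires)}")
    else:
        try:
            exp = parse_expires(expires[0])
        except (ValueError, TypeError):
            problems.append(f"unparseable Expires value: {expires[0]!r}")
        else:
            if exp <= now:
                problems.append(f"Expires is in the past ({exp.isoformat()})")
            elif exp - now > timedelta(days=365):
                problems.append("Expires is more than a year away (RFC 9116 recommends under a year)")
    return problems


# Sample input: the fields from this repo's SECURITY.txt; the armored
# signature is replaced by a constructed placeholder line.
SAMPLE = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Contact: https://hackerone.com/cloudflare
# Our email system doesn't handle PGP-MIME well.
Contact: mailto:security@cloudflare.com
Contact: https://www.cloudflare.com/abuse/
Preferred-Languages: en
Encryption: https://www.cloudflare.com/gpg/security-at-cloudflare-pubkey-06A67236.txt
Canonical: https://www.cloudflare.com/.well-known/security.txt
Policy: https://www.cloudflare.com/disclosure
Expires: Sat, 20 Mar 2021 13:24:05 -0700
-----BEGIN PGP SIGNATURE-----
(constructed placeholder; the real armored signature goes here)
-----END PGP SIGNATURE-----
"""

if __name__ == "__main__":
    for problem in check_security_txt(SAMPLE, datetime.now(timezone.utc)):
        print("PROBLEM:", problem)
```

Run against the sample today, the checker reports the Expires date as past, which is exactly the signal a reporter should act on before trusting the listed channels: an expired file means the contacts and key may no longer be current, and the Canonical URL should be fetched for a fresh copy.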
/README.md:
--------------------------------------------------------------------------------
# 📣 Cloudflare Vulnerability/Advisory Disclosure Hub

This repo functions as the hub for "open sourced" advisories on closed-source
vulnerabilities, as well as educational writeups on discovered vulnerabilities
composed in collaboration with third parties.

## Why?

Every CVE that is filed must contain at least one "public reference". [Section 8.3](https://cve.mitre.org/cve/cna/rules.html#section_8-3_cve_entry_reference_requirements)
and [Section 8.1](https://cve.mitre.org/cve/cna/rules.html#section_8-1_cve_entry_information_requirements)
of the CVE Entry requirements outline what information that reference should contain.

Many organizations maintain a page on their website that lists CVEs they
have filed. Generally, very little useful information is provided on these pages
beyond the required details. It can also be challenging to discover this page
on the site itself, or to be notified when a new entry has been added. Through a GitHub
repo we believe we can address these issues (the repo is easily discoverable, new
content lands quickly, and people can watch the repo for updates) while meeting the reference
requirement.

Additionally, many third-party researchers compose writeups for their personal
blogs to share on resumes or on social media. We want to keep supporting this by
helping peer review posts that researchers choose to share with us before going
public, and we would also like to offer them the option of publishing on our
platform for increased visibility.
Our goal is that this advisories repo will now double as an easily
discoverable learning resource and educational hub on past publicly disclosed
Cloudflare vulnerabilities.

A writeup may follow the format of:

- What happened?
- How did it happen?
- How was it fixed?

but can be adapted to the type of vulnerability. The style of these posts will
be more casual and educational (code snippets, etc.) than the published public
blog post. Text from these writeups may make it into public blog posts for
CVEs.

## Advisory Process

This repo is owned by the Cloudflare Security Team, who follow the procedures below.

### Disclosing Vulnerabilities in Open Source Code

1. Blog post is published on [blog.cloudflare.com](https://blog.cloudflare.com/),
   satisfying the Section 8.1 requirement.
1. [GitHub security advisory](https://docs.github.com/en/github/managing-security-vulnerabilities/about-github-security-advisories) is published in the affected project's GitHub repo itself.
1. (Optional) Collaborate on a writeup [in this repo](https://github.com/cloudflare/advisories/tree/main/writeups).

### Disclosing Vulnerabilities in Closed Source Code

1. Blog post is published on [blog.cloudflare.com](https://blog.cloudflare.com/),
   satisfying the Section 8.1 requirement.
1. [GitHub security advisory](https://docs.github.com/en/github/managing-security-vulnerabilities/about-github-security-advisories) is published [in this repo](https://github.com/cloudflare/advisories/security/advisories).
1. (Optional) Collaborate on a writeup [in this repo](https://github.com/cloudflare/advisories/tree/main/writeups).

## Feedback

✉️ [security@cloudflare.com](mailto:security@cloudflare.com)
--------------------------------------------------------------------------------