
This is the write-up of a critical vulnerability I discovered in Cloudflare CASB that enabled me to view sensitive information about other customers’ Microsoft and GitHub organizations, including employee names/emails, links to SharePoint files, private repository names/descriptions and more.


Link to the report on HackerOne: https://hackerone.com/reports/1785260


Yup, 'Burp' refers to the free version of 'Burp Suite'. I don't use Burp Suite anymore though. Some months ago I started using mitmproxy (https://github.com/mitmproxy/mitmproxy) due to its Python scripting API. I have never looked back since then.


This is also my goto.

I work with it to do reverse engineering of APIs for apps on Android icw Frida.
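The two comments above mention mitmproxy's Python scripting API and using it to reverse engineer an app's API. As an added example, not code from either commenter or from the mitmproxy project, here is a minimal addon in that style: it builds an inventory of the endpoint templates an app calls and records where credentials or secret-looking fields pass through the proxy, logging header names but never their values. Every hostname, path, header and JSON body below is constructed sample traffic; `normalize_path`, `find_sensitive_keys`, `ApiInventory` and `run_sample` are names chosen for this example. The addon relies only on the `request()`/`response()` hook convention and the `flow.request`/`flow.response` attributes mitmproxy passes in, so no mitmproxy import is needed and the logic can be exercised with a stand-in flow object.

```python
# Added example: a mitmproxy addon for API inventory and secret-exposure review.
# Run against a real app with:  mitmproxy -s api_inventory.py
# Addons are plain objects; mitmproxy calls request()/response() with a flow.
import json
import re
from collections import Counter

SENSITIVE_HEADERS = {"authorization", "cookie", "set-cookie", "x-api-key"}
SENSITIVE_KEY_RE = re.compile(r"(?i)(token|secret|password|api[_-]?key)")
UUID_RE = re.compile(r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}")
NUMERIC_SEGMENT_RE = re.compile(r"/\d+(?=/|$)")


def normalize_path(path: str) -> str:
    """Collapse IDs so /users/42 and /users/7 map to one endpoint template."""
    path = path.split("?", 1)[0]            # drop the query string
    path = UUID_RE.sub("{uuid}", path)
    path = NUMERIC_SEGMENT_RE.sub("/{id}", path)
    return path


def find_sensitive_keys(obj, prefix=""):
    """Walk a decoded JSON document; return dotted paths of secret-looking keys."""
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            dotted = f"{prefix}.{key}" if prefix else key
            if SENSITIVE_KEY_RE.search(key):
                hits.append(dotted)
            hits.extend(find_sensitive_keys(value, dotted))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            hits.extend(find_sensitive_keys(value, f"{prefix}[{i}]"))
    return hits


class ApiInventory:
    """mitmproxy addon: counts endpoint templates and records secret exposure."""

    def __init__(self):
        self.endpoints = Counter()
        self.findings = []

    def _template(self, flow):
        req = flow.request
        return f"{req.method} {req.host}{normalize_path(req.path)}"

    def request(self, flow):
        # mitmproxy hook: called once per client request
        template = self._template(flow)
        self.endpoints[template] += 1
        for name in flow.request.headers:       # iterating Headers yields names
            if name.lower() in SENSITIVE_HEADERS:
                # record the header name only, never its value
                self.findings.append(f"request header {name} on {template}")

    def response(self, flow):
        # mitmproxy hook: called once per server response
        resp = flow.response
        if "json" not in resp.headers.get("content-type", "").lower():
            return
        try:
            body = json.loads(resp.text)
        except (ValueError, TypeError):         # non-JSON or empty body
            return
        template = self._template(flow)
        for dotted in find_sensitive_keys(body):
            self.findings.append(f"response field {dotted} on {template}")


addons = [ApiInventory()]                       # mitmproxy picks this list up


class _Msg:
    """Stand-in for mitmproxy's Request/Response objects (constructed sample only)."""

    def __init__(self, **attrs):
        self.__dict__.update(attrs)


def run_sample():
    """Feed two constructed flows through the addon and return it for inspection."""
    inv = ApiInventory()
    json_flow = _Msg(
        request=_Msg(method="GET", host="api.example.test", path="/v1/users/42?x=1",
                     headers={"Authorization": "Bearer constructed", "Accept": "*/*"}),
        response=_Msg(headers={"content-type": "application/json"},
                      text=json.dumps({"id": 42, "profile": {"api_key": "constructed"}})),
    )
    html_flow = _Msg(
        request=_Msg(method="GET", host="api.example.test", path="/v1/users/7",
                     headers={"Accept": "*/*"}),
        response=_Msg(headers={"content-type": "text/html"}, text="<html></html>"),
    )
    for flow in (json_flow, html_flow):
        inv.request(flow)
        inv.response(flow)
    return inv
```

Collapsing numeric and UUID path segments is what turns a noisy capture into a list of endpoint templates; the findings list is the part worth reviewing afterwards, since it shows which calls carry credentials and which responses return fields an app should not be exposing.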


In this case the second $3000 bounty was due to a 2x promotion at the time. The guideline for a critical is $3000, but Cloudflare does occasionally award bonuses for severe vulnerabilities (e.g. https://hackerone.com/reports/1478633).


Here's the write-up of a simple but severe exploit I found in Cloudflare's email forwarding service.


That is a good write-up and a good find. Thank you for publishing it and for the responsible disclosure timeline.


Over 7 months after it was fixed? Why not disclose immediately after?


Disclosing a vulnerability immediately after it is discovered has a few problems. One is a risk to the customers, as script kiddies will create git repos full of tools to automate exploitation of the vulnerability. Another risk is that people will jump to conclusions without a proper root cause analysis being performed that determines how this happened, what is required to prevent it from happening and if there may be more aspects to this vulnerability than were originally thought to exist. Another reason to not disclose immediately would be that in most cases it will violate the agreement the penetration tester or security researcher has with the bug bounty program. Disclosing immediately would mean they do not get paid for their discovery. This payment for bugs concept provides an incentive for people to help a company fix their bugs that their own developers and QA teams may have overlooked.


I think the parent comment was asking why they didn't disclose immediately after it was fixed.


In that case I would have to defer to @albertpedersen


The bug was initially reported to Cloudflare's private bug bounty program since there was no public program at the time. Like it or not, the private program does not have the same disclosure policy as the public program does.

In early July I asked if the report could be disclosed, seeing as things had changed since the bug was originally reported. Cloudflare agreed and the report was then moved to the public program. As to why it was disclosed now rather than in February when the public program launched, that was my fault for not asking earlier.

