Vulnerability transparency: strengthening security through responsible disclosure

Cloudflare describes joining CISA’s Secure by Design pledge, details its CVE issuance and disclosure process (including timelines and coordination with SIRT and legal), and summarizes notable vulnerabilities it has disclosed—including a quiche QUIC memory exhaustion (CVE-2024-1765), a Cloudflare WordPress plugin information disclosure (CVE-2024-0212), plaintext DNS leakage in the WARP Windows client (CVE-2023-2754), a WARP privilege/symlink file-manipulation issue (CVE-2025-0651), and a TLS client-auth resumption issue tied to BoringSSL/NGINX (CVE-2025-23419)—emphasizing fixes, transparency, and ongoing commitment to security.