Our response to Cloudflare's bug disclosure
When triggered, the bug led to request data intended for different websites to be mixed together. This meant that a page served by website A could include the contents of a request made to website B.
Because of how widely Cloudflare is used - some measurements put around 5% of the web behind Cloudflare - this is a true internet-scale problem, and warrants a quick response from everyone involved.
As users of Cloudflare's proxy service, we've taken the time necessary to properly assess the risk to our customers and we've done that in partnership with Cloudflare's support team. While the risk to GoCardless data is extremely low, we'd rather be clear with our customers about what's happened.