`cf_clearance` cookie scoped to parent of the issuing domain?

Hello from rainy, gloomy Liverpool! A stranger on an @gmail.com address emailed me a "vulnerability report" whilst asking for cash for reporting it—but I'm not convinced it has any merit as it's just how Cloudflare Turnstile is, right? Can anyone sanity-check this?
Issue detail
The following cookie was issued by the application and is scoped to a parent of the issuing domain:

cf_clearance

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Issue detail
The following cookie was issued by the application and is scoped to a parent of the issuing domain:

cf_clearance

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Thank you very much in advance, really appreciative of your time. :- )
4 Replies
Shadow Gaming
Shadow Gaming3w ago
cf_clearance Clearance Cookie stores the proof of challenge passed. It is used to no longer issue a challenge if present. It is required to reach an origin server.
Shadow Gaming
Shadow Gaming3w ago
Cloudflare Docs
Cloudflare Cookies | Cloudflare Fundamentals docs
Cloudflare uses various cookies to maximize network resources, manage traffic, and protect our customers’ sites from malicious traffic.
Shadow Gaming
Shadow Gaming3w ago
do a challenge from main domain wont get a challenge from sub domain
Hello, I’m Allie!
This sounds like a very low-effort email. I wouldn’t worry about it
Want results from more Discord servers?
Add your server