Researchers are encouraged to find technical bugs such as Remote Code Execution (RCE), account takeover, or Cross-Site Scripting (XSS) within the CapCut ecosystem. Rewards are paid by severity: Low, around $500; Medium, $1,000 – $4,500; High, $5,000 – $10,000.
ByteDance confirms the vulnerability in a staging environment that mirrors CapCut's production setup, then assigns a severity rating (Low to Critical) based on the CVSS score.
ByteDance is actively hardening CapCut because it is now a critical piece of enterprise software for TikTok Shop sellers.
Impact: Any authenticated user can view any other user's project data. Severity tier: High ($5,000 – $10,000).
A bug bounty program is a reward-based initiative that encourages users to report bugs, vulnerabilities, and other issues they discover in a software application. The primary goal of such programs is to identify and fix problems before they become major issues, ensuring a better user experience and improved security. CapCut's bug bounty program is designed to foster a community-driven approach to identifying and resolving bugs, allowing the company to provide a more stable and reliable app.
"I recently submitted a critical vulnerability regarding [mention vague category, e.g., an IDOR / Access Control issue] on the CapCut web application. The entire experience with the ByteDance security team was refreshingly professional.