Medium severity: partial compromise of sensitive user data or account-takeover capabilities. Reward: substantial financial compensation.
As of April 2026, CapCut does not have a public, standalone "Bug Bounty" feature within the app through which general users earn rewards for fixing common software glitches.
High severity: total compromise of system infrastructure or massive data leaks. Reward: highest financial payouts.
This paper presents a comprehensive analysis of a security vulnerability discovered in CapCut (a short-video editing mobile/web app), the impact and exploitability of the bug, and a step-by-step remediation plan suitable for a bug-bounty submission and for developers to implement. The vulnerability is treated generically as an insecure file-handling / arbitrary file upload leading to remote code execution (RCE) and/or unauthorized access — a common high-impact class for media/web apps. Replace specifics (endpoints, parameter names, PoC payloads) with your actual findings before submission.
If the server-side infrastructure fetches an asset from a user-supplied URL without isolation, an attacker can supply internal addresses (e.g., http://169.254.169.254 or http://localhost). This is server-side request forgery (SSRF): it exposes cloud metadata services, internal databases, and private APIs that are reachable only from inside the network.
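A practical guard for such a fetch validates the URL before any connection is made: allowlist the scheme and port, resolve the hostname once, reject the fetch if any resolved address is loopback, link-local, private or otherwise non-routable (including IPv4-mapped IPv6 forms of the same addresses), and then connect to the pinned address rather than resolving again. The code below is an added example for this page, not CapCut's or ByteDance's code; the allowed ports, the resolver injection point and the sample hostnames and addresses are assumptions constructed for the demonstration.

```python
import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}  # assumed policy: only standard web ports for asset fetches

Resolver = Callable[[str], Iterable[str]]


def system_resolver(host: str) -> list[str]:
    """Resolve with the system resolver and return every A/AAAA answer."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def table_resolver(table: dict) -> Resolver:
    """Offline resolver for tests: fixed answers, IP literals pass through."""
    def resolve(host: str) -> list[str]:
        return list(table.get(host, [host]))
    return resolve


def is_public_address(addr: str) -> bool:
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(addr)
    # ::ffff:169.254.169.254 is still the metadata service; unwrap mapped IPv4.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def vet_fetch_target(url: str, resolver: Resolver = system_resolver) -> tuple:
    """Return (hostname, pinned_ip) if url may be fetched; raise ValueError otherwise."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials in URL are not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    port = parts.port if parts.port is not None else (443 if scheme == "https" else 80)
    if port not in ALLOWED_PORTS:
        raise ValueError(f"port not allowed: {port}")
    # Resolve once and check every answer: a name with one public and one internal
    # record must be rejected outright, not fetched on whichever answer comes first.
    try:
        addrs = list(resolver(host))
    except (socket.gaierror, ValueError) as exc:
        raise ValueError(f"cannot resolve {host!r}") from exc
    if not addrs:
        raise ValueError(f"no addresses for {host!r}")
    for addr in addrs:
        if not is_public_address(addr):
            raise ValueError(f"{host!r} resolves to non-public address {addr}")
    # The caller must connect to the pinned IP (sending Host: <host>) and must
    # re-run this check on every redirect; otherwise a DNS rebind or a 302 to
    # http://169.254.169.254/ bypasses everything above.
    return host, addrs[0]


def is_allowed_fetch_target(url: str, resolver: Resolver = system_resolver) -> bool:
    """Boolean form of vet_fetch_target for callers that only need a verdict."""
    try:
        vet_fetch_target(url, resolver)
    except ValueError:
        return False
    return True
```

Two caveats worth stating. Because the check runs on resolved addresses rather than on the URL text, obfuscated literals such as decimal or octal forms of 127.0.0.1 are handled by the resolver step rather than by string matching. The check is still only as good as the connection that follows it: an HTTP client that re-resolves the name or follows redirects on its own reintroduces the hole, so the fetch should use the pinned address and treat each redirect as a new URL to vet.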
Centered around local privilege escalation, insecure file handling, and memory corruption.
If you have searched for the term, you likely fall into one of two categories:
Title: IDOR in project sharing endpoint allows viewing any user's project
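An IDOR of this shape means the project-sharing endpoint trusts the project id in the request and never asks whether the authenticated caller is allowed to see that project. The fix is an authorization check against the server-side identity on every access, with the same response for "does not exist" and "not yours" so the endpoint cannot be used to enumerate ids. The following is an added example written for this page, not CapCut's code; the project model, the sequential ids and the users are constructed.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional


class NotFound(Exception):
    """Rendered as HTTP 404; also used for 'exists but not visible to you'."""


class Forbidden(Exception):
    """Rendered as HTTP 403 for actions on a project the caller can see but not manage."""


@dataclass
class Project:
    project_id: int
    owner_id: int
    title: str
    shared_with: set = field(default_factory=set)  # user ids granted view access
    link_token: Optional[str] = None                # unguessable view-by-link token


# Constructed sample data: sequential ids, as an IDOR-prone endpoint typically exposes.
PROJECTS = {
    1: Project(1, owner_id=100, title="alice - travel vlog"),
    2: Project(2, owner_id=200, title="bob - unreleased draft", shared_with={300}),
}


def get_project_vulnerable(project_id: int, requester_id: int) -> Project:
    """The bug: the id is trusted and the requester is never consulted."""
    project = PROJECTS.get(project_id)
    if project is None:
        raise NotFound
    return project


def can_view(project: Project, requester_id: int) -> bool:
    """Owner or explicitly shared-with user; nothing else."""
    return requester_id == project.owner_id or requester_id in project.shared_with


def get_project(project_id: int, requester_id: int) -> Project:
    """The fix: authorize against the server-side identity on every access."""
    project = PROJECTS.get(project_id)
    # Same error whether the project is missing or merely not visible, so the
    # endpoint is not an oracle for which ids exist.
    if project is None or not can_view(project, requester_id):
        raise NotFound
    return project


def share_project(project_id: int, requester_id: int, target_user_id: int) -> None:
    """Only the owner may grant access; a viewer cannot re-share."""
    project = get_project(project_id, requester_id)
    if project.owner_id != requester_id:
        raise Forbidden
    project.shared_with.add(target_user_id)


def create_share_link(project_id: int, requester_id: int) -> str:
    """Owner-only: mint a high-entropy token for view-by-link access."""
    project = get_project(project_id, requester_id)
    if project.owner_id != requester_id:
        raise Forbidden
    project.link_token = secrets.token_urlsafe(32)
    return project.link_token


def get_project_by_link(token: str) -> Project:
    """Link access is keyed by the token, compared in constant time, never by id."""
    for project in PROJECTS.values():
        if project.link_token and secrets.compare_digest(project.link_token, token):
            return project
    raise NotFound
```

Note that replacing sequential ids with random ones does not fix an IDOR on its own: an id that leaks through a share link, a log or a referrer is still honoured without a check. The random token in create_share_link is a capability the owner deliberately hands out, which is a different thing from the object's identifier.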
Export failures often stem from hardware acceleration issues or memory overload.
All security bugs and vulnerabilities for CapCut are to be reported through the official ByteDance Security Response Center (ByteSRC) at security.bytedance.com/src/ . This is the only official channel for security researchers.