CapCut | Bug Bounty Fix

Finding a bug is only half the battle. To successfully secure a payout and help the engineering team implement a patch, follow these steps:

While a addresses vulnerabilities within the app, users must also practice good digital hygiene:


Only report bugs through the approved platform. Breaking these rules can get you banned from the program.

How Users Can Stay Safe

When you go to the ByteDance page on HackerOne, CapCut isn't listed next to TikTok and Douyin. The Fix: CapCut is often listed under "ByteDance Default" or "Mobile Apps." You must tag your report explicitly with capcut or CapCut in the title. Recent scopes (2024-2025) include:

If a bug exists in how the app handles templates, assets, or third-party integrations, it could be leveraged to crash the app or gain elevated permissions.

If you have searched for the term you likely fall into one of two categories:

By reporting and patching these categories of bugs through the ByteSRC program, security researchers help protect CapCut's hundreds of millions of users from potential data leaks, device compromise, and account takeover.

Focused on local data storage, insecure intents, and binary protections.

Never download premium or "cracked" versions of CapCut from unauthorized third-party websites, as they often contain malware or spyware.

Explain exactly what an attacker could achieve (e.g., "Account Takeover" vs. "App Crash").

If you are a security researcher, you can report technical bugs (like data leaks or security flaws) through official ByteDance channels to receive rewards: TikTok | Bug Bounty Program on HackerOne

Reject any filenames containing .. or forbidden characters.

CapCut heavily uses custom URI schemes and deep links (e.g., capcut:// ) to open shared templates, effects, or user profiles directly inside the app.
