via Bugcrowd to ByteDance’s CapCut program.
ByteDance pays 20-50% more for reports that include a pull-request style fix because it saves their internal team hours of debugging.
On Android, ensure that deep link handlers do not implicitly trust data originating from Intent.ACTION_VIEW without validation.
If you see this message, don't panic. Try these steps in order to resolve the issue:
CapCut Bug Bounty Fix: A Guide for Developers and Security Researchers
Bounties are awarded based on the severity of the bug, ranging from Low to Critical.
ByteDance manages its security vulnerabilities through organized crowdsourced security platforms and its own dedicated security center. The ByteDance Security Response Center (BSRC)
    // Vulnerable: Loads any URL passed via the deep link intent
    Intent intent = getIntent();
    Uri data = intent.getData();
    String url = data.getQueryParameter("url");
    myWebView.loadUrl(url);

The Fix: Strict Domain Whitelisting
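One way to apply strict domain whitelisting to the "url" parameter before it reaches the WebView, as an added example that is not code from the original page or from ByteDance. The class name DeepLinkUrlValidator and the example.com hosts are hypothetical placeholders, and java.net.URI is used in place of android.net.Uri so the check also runs outside Android.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/** Hypothetical helper: decides whether a deep-link "url" value may be loaded. */
public final class DeepLinkUrlValidator {

    // Placeholder allowlist (assumption): replace with the exact hosts the app owns.
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("www.example.com", "help.example.com"));

    public static boolean isAllowed(String raw) {
        if (raw == null || raw.isEmpty()) {
            return false;                 // parameter missing from the deep link
        }
        final URI uri;
        try {
            uri = new URI(raw);
        } catch (URISyntaxException e) {
            return false;                 // malformed input is rejected, never repaired
        }
        // https only: rejects javascript:, file:, content:, intent: and cleartext http:.
        if (!"https".equalsIgnoreCase(uri.getScheme())) {
            return false;
        }
        // Reject credentials in the authority, e.g. https://www.example.com@other.test/
        if (uri.getRawUserInfo() != null) {
            return false;
        }
        String host = uri.getHost();      // null for opaque or registry-based URIs
        if (host == null) {
            return false;
        }
        // Exact match only; endsWith()/contains() checks are satisfied by lookalike hosts.
        return ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    public static void main(String[] args) {
        // Constructed sample inputs, not taken from any report.
        String[] samples = { "https://www.example.com/help", "http://www.example.com/",
            "https://www.example.com.other.test/", "https://www.example.com@other.test/",
            "javascript:alert(1)", "https:www.example.com", "" };
        for (String s : samples) System.out.println(isAllowed(s) + "  " + s);
    }
}
```

In the activity, call isAllowed(url) before myWebView.loadUrl(url) and ignore the intent when it returns false; intent.getData() can itself be null and needs the same treatment.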
Reporting a bug to ByteDance (CapCut's parent company) requires a clear, professional report. I submitted my findings through their official portal.
Severity Rating: [e.g., Low / Medium / High]
Response Time: The team responded within [Number] days.
CapCut's web interface allows users to input text for subtitles, titles, and templates. If the application fails to properly sanitize this input before rendering it in the browser, stored or reflected XSS can occur.