ByteDance pays based on severity. Here is the typical payout range for CapCut-related bugs:

| Severity | Example Bug | Estimated Bounty (USD) |
| :--- | :--- | :--- |
| | Remote Code Execution (RCE) on CapCut servers, SQL injection on user data, mass account takeover | $3,000 - $10,000+ |
| High | Leaking user video drafts to other users, bypassing content moderation filters, stored XSS in comments/profiles | $1,000 - $3,000 |
| Medium | CSRF allowing asset theft, information disclosure (non-sensitive), rate-limiting bypass | $300 - $1,000 |
| Low | Reflected XSS with minimal impact, path traversal on non-critical files | $100 - $300 |

Q: What types of vulnerabilities are eligible for the CapCut bug bounty program?
A: Researchers can submit reports on various types of vulnerabilities, such as authentication and authorization issues, data storage and encryption weaknesses, and injection attacks.
If you have found a security flaw in CapCut—whether it’s a video rendering exploit, a privacy leak, or an account takeover vulnerability—you have two options. One will get you ignored; the other can get you paid.