Conclusion
While the "CapCut bug bounty fix" initiatives have patched the technical security vulnerabilities, the updated 2025 terms of service make the app's internal handling of content the primary privacy concern: under those terms ByteDance may hold perpetual, irrevocable, worldwide licenses to user content.
I recently participated in a bug bounty hunt on CapCut and wanted to share a quick retrospective on the fix.
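The first finding in this retrospective, an IDOR on the project endpoint, is easiest to see in code. The block below is an added example and is not code from the original post or from CapCut: the in-memory store, the user names, the project IDs and the handler shapes are constructed for illustration. It shows the vulnerable handler beside the ownership-scoped fix, and the cross-account probe a retester would run before reporting back whether the remediation held.

```javascript
// Added example (not code from the original post or from CapCut): a minimal
// "project" API handler showing the IDOR pattern beside its fix, plus the
// cross-account probe used on retest. Users, IDs and the store are constructed.
const projects = new Map([
  ["p-1001", { owner: "alice", title: "alice holiday draft" }],
  ["p-1002", { owner: "bob", title: "bob private cut" }],
]);

// Vulnerable: any authenticated caller can read any project by guessing its ID.
function getProjectVulnerable(session, projectId) {
  if (!session || !session.user) return { status: 401 };
  const project = projects.get(projectId);
  if (!project) return { status: 404 };
  return { status: 200, body: project }; // never checks project.owner
}

// Fixed: the lookup is scoped to the caller. "Missing" and "not yours" both
// return 404 so the response does not confirm that a guessed ID exists.
function getProjectFixed(session, projectId) {
  if (!session || !session.user) return { status: 401 };
  const project = projects.get(projectId);
  if (!project || project.owner !== session.user) return { status: 404 };
  return { status: 200, body: project };
}

// Same rule on the mutating path. The store is a parameter so the probe can
// run against a throwaway copy.
function deleteProjectFixed(session, projectId, store = projects) {
  if (!session || !session.user) return { status: 401 };
  const project = store.get(projectId);
  if (!project || project.owner !== session.user) return { status: 404 };
  store.delete(projectId);
  return { status: 204 };
}

// Retest probe: authenticate as bob and request alice's project. Returns true
// when the handler still leaks cross-account data, i.e. the fix regressed.
function idorRetest(handler) {
  const bobSession = { user: "bob" };
  const result = handler(bobSession, "p-1001");
  return result.status === 200;
}
```

The probe is what the regression check in the retest step comes down to: one request with a valid session for account B and an object ID belonging to account A, on every read, write and delete route that takes an object ID.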
An attacker could modify the project ID in an API request to view, alter, or delete another user's private video drafts or cloud assets.
2. Cross-Site Scripting (XSS) in Web Rendering
Provide clear feedback to the BSRC team confirming whether the remediation is successful or if a regression exists.
ByteSRC has demonstrated a commitment to increasing rewards, noting in July 2024 that "in April 2023, the maximum bounty for a single TikTok vulnerability was 45,000 yuan; in February 2024, ByteSRC increased the single vulnerability reward for TikTok to 100,000 yuan; on July 18, ByteSRC once again raised the bounty for major TikTok vulnerabilities, offering 200,000 yuan for high-coefficient assets meeting major vulnerability criteria".
Contextually encode all user-generated content (subtitles, text effects) for the position it is rendered into before inserting it into the DOM: HTML text, attribute values and JavaScript strings each need a different encoding. Implement a strict Content Security Policy (CSP) header to block unauthorized inline scripts and untrusted external resources.
Fixing SSRF: URL Whitelisting and Network Isolation
– ByteDance released a public thanks in their “Hall of Fame.”