I’ve been fuzzing the CapCut web editor (capcut.com) and found what looks like a potential IDOR on project draft IDs. Before I go further, I want to make sure I'm following responsible disclosure.
With millions of creators storing drafts & data on ByteDance servers, the attack surface is MASSIVE.
We know the parent company (ByteDance) runs bounty programs for TikTok. But what about CapCut? capcut bug bounty
Has anyone seen a formal #BugBounty program?
I've found: 🔹 Auth bypass in the web editor 🔹 Insecure direct object references (IDOR) in project files 🔹 Rate-limiting gaps on the mobile API I’ve been fuzzing the CapCut web editor (capcut
Before I disclose: Is there a private HackerOne/third-party program, or are we going straight to VDP? 👀
🚨 🚨
#Cybersecurity #BugBounty #CapCut #ResponsibleDisclosure #AppSec