With millions of creators storing drafts & data on ByteDance servers, the attack surface is MASSIVE.
Drop links below. ⬇️
I’ve been fuzzing the CapCut web editor (capcut.com) and found what looks like a potential IDOR on project draft IDs. Before I go further, I want to make sure I'm following responsible disclosure. capcut bug bounty
I've found: 🔹 Auth bypass in the web editor 🔹 Insecure direct object references (IDOR) in project files 🔹 Rate-limiting gaps on the mobile API
If ByteDance is listening: A clear rewards framework for CapCut would attract top talent before attackers find the low-hanging fruit. 🍍 With millions of creators storing drafts & data
Has anyone seen a formal #BugBounty program?
Does CapCut Need a Public Bug Bounty Program? capcut bug bounty
🚨 🚨