CapCut | Bug Bounty Fix

CapCut (owned by ByteDance, the parent company of TikTok) has exploded in popularity. As of 2025, it is the go-to mobile and desktop video editor for creators. However, with massive scale comes massive complexity.

Vulnerability: The template import function does not sanitize path-traversal sequences in ZIP entry names.

Impact: Allows arbitrary file write under /data/data/com.lemon.lv/.
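The fix for this class of bug is to validate every archive entry's resolved path before writing anything. The Python below is an added illustration, not CapCut's or ByteDance's code: it resolves each ZIP entry against the destination directory, refuses the whole archive if any entry would land outside it, and exercises the check with a constructed in-memory archive (the file names and `demo` helper are assumptions for the example).

```python
import io
import os
import tempfile
import zipfile

def safe_extract_template(zip_bytes, dest_dir):
    """Extract a template ZIP under dest_dir, refusing any entry whose resolved path
    escapes dest_dir. Entries are validated before any write, so a bad archive is rejected whole."""
    dest_root = os.path.realpath(dest_dir)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            # Absolute paths and drive letters are never valid template entries.
            if name.startswith(("/", "\\")) or (len(name) > 1 and name[1] == ":"):
                raise ValueError("absolute path in archive entry: %r" % name)
            # realpath collapses '..'; the result must still sit inside dest_root.
            target = os.path.realpath(os.path.join(dest_root, name))
            if os.path.commonpath([dest_root, target]) != dest_root:
                raise ValueError("path traversal in archive entry: %r" % name)
        written = []
        for info in zf.infolist():
            target = os.path.join(dest_root, info.filename)
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(os.path.relpath(target, dest_root))
    return sorted(written)

def build_archive(entries):
    """Build an in-memory ZIP from {name: bytes} (constructed test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)  # writestr keeps '..' segments verbatim
    return buf.getvalue()

def demo():
    """Feed a benign and a traversal archive to the extractor; returns
    (files written for the benign case, error message for the bad case)."""
    dest = tempfile.mkdtemp(prefix="template_import_")
    ok = safe_extract_template(
        build_archive({"template.json": b"{}", "assets/clip.mp4": b"\x00"}), dest)
    try:
        safe_extract_template(build_archive({"../../outside.txt": b"x"}), dest)
        return ok, None
    except ValueError as exc:
        return ok, str(exc)
```

The same check applies to any format that is a ZIP underneath (project bundles, exported presets), not only templates.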

| Rejection Reason | What it really means | Your Fix |
| :--- | :--- | :--- |
|  | You reported a spammy overlay or a UI misalignment. That isn't a security risk. | Delete the report. Do not resubmit. |
| "Not Reproducible" | You didn't provide step-by-step keystrokes. The engineer tried for 5 mins and gave up. | Re-record a PoC video with a keystroke logger or mouse clicks visible. |
| "Low Risk" | The bug requires physical access to the device. ByteDance only pays for remote exploits. | Aggregate 5 low-risk bugs into one "Defense in Depth" report. |
| "Out of Scope" | You found a bug in a user's CapCut project file, not the app itself. | Move on. Malicious project files are considered "application data," not code. |

Part 6: The future of CapCut bug bounties

ByteDance is actively hardening CapCut because it is now a critical piece of enterprise software for TikTok Shop sellers.