Skip to main content
Capgo logo

Bug Bounty Program

Capgo is committed to security and transparency. All our code is open source, and we welcome security researchers to help us identify vulnerabilities in our codebase.

Open Source Code

Every repository in the Capgo organization is open source. You can review, audit, and contribute to our code.

GitHub Organization: github.com/Cap-go

Capgo Backend & Landing

Main Capgo repository including backend services and landing website

View Repository Report Security Issue

Capgo CLI

Command-line interface for managing Capgo deployments and live updates

View Repository Report Security Issue

Capacitor Updater Plugin

The core Capacitor plugin that handles over-the-air updates on mobile devices

View Repository Report Security Issue

Requirements for Valid Reports

To qualify for the Bug Bounty program, your report must meet ALL of the following requirements:

  • You must identify the exact file and line number in our GitHub repository where the vulnerability exists
  • Your report must be submitted through GitHub Security Advisory on the relevant repository
  • You must include a clear description of the vulnerability and its potential impact
  • You must provide reproducible steps to demonstrate the issue

Important: If you cannot provide the exact line of code in GitHub where the problem exists, your report will not be eligible for the Bug Bounty program. Reports must be submitted through GitHub Security Advisory only. Payments are handled via Algora.io; please create an account there so we can pay you directly on the platform.

Response Time and Respect

We are friendly and we do pay for valid reports, but we cannot work with people who do not respect our time. Please keep communication calm and follow this program.

  • We respond to security reports and breaches within 24-72 hours.
  • Do not spam us. More than three emails in a single day is considered spam and will be blocked.
  • We do not pay for reports that ignore these rules or are spam.
  • Only in-scope reports that follow this bug bounty program are accepted; anything else may be blocked.
  • Do not ask for status updates such as "have you checked?" or similar questions. Once we confirm we received your report, that is enough. After that, there is still significant work to do, and preparing a pull request can take several days.

Important: Payments are issued only after we have identified the issue, fixed it, opened a pull request, and you have verified after release that the fix works for you. This process typically takes 3-5 days after the issue is acknowledged. Please do not send messages like "to get paid"; payment happens only once the release is live and you've tested and validated the fix.

How to Report

  1. Navigate to the relevant repository on GitHub
  2. Click on the "Security" tab
  3. Click "Report a vulnerability" to create a new security advisory
  4. Include the exact file path and line number(s) where the vulnerability exists
  5. Provide detailed steps to reproduce the issue and explain the security impact

Out of Scope

  • Reports without exact code line references in GitHub
  • Reports not submitted through GitHub Security Advisory
  • Theoretical vulnerabilities without proof of concept
  • Issues in third-party dependencies or services (report these upstream, e.g. Supabase).
  • Social engineering or phishing attempts
  • Denial of service attacks

Supabase and Third-Party Services

If the issue is in Supabase and tied to a Supabase endpoint, report it to Supabase (not Capgo). We only accept Supabase-related reports if you can reproduce it and show the exact Supabase setting/config change that prevents it in a project configured like ours.

Examples

Not valid here

  • A Supabase platform bug or outage
  • A finding you cannot reproduce
  • A claim without the Supabase setting/config change that fixes it

Valid here

  • A misconfiguration we can fix in Supabase settings (with steps)
  • A Capgo integration issue that causes insecure Supabase usage
  • A reproducible issue fixed by a specific Supabase config change

Known Supabase Auth Limitations (Already Reported)

We only review these findings when they can be reproduced in a shared Supabase demo project that mirrors our setup. In this workflow, the behavior must be confirmed as a Supabase Auth default/capability and fixed in Supabase configuration only, without changing Capgo security rules.

  • Provide a reproducible case and the exact Supabase setting/config change in the demo project that resolves the issue while keeping your existing rule set intact.
  • Email verification behavior is expected to follow your Supabase Auth project settings (for example, whether email confirmation is disabled and capture-based auth is used).
  • Password update and account-recovery flows may not always require old-password re-entry or re-verification if Supabase Auth is configured that way.
  • If the issue is in this list but you can show a concrete Supabase-side fix in the provided project, then we can consider it in scope.

For questions about our Bug Bounty program, please reach out through our GitHub Security Advisories.