Skip to main content
Capgo logo

Bug Bounty Program

Capgo is committed to security and transparency. All our code is open source, and we welcome security researchers to help us identify vulnerabilities in our codebase.

Open Source Code

Every repository in the Capgo organization is open source. You can review, audit, and contribute to our code.

GitHub Organization: github.com/Cap-go

Capgo Backend & Landing

Main Capgo repository including backend services and landing website

View Repository Report Security Issue

Capgo CLI

Command-line interface for managing Capgo deployments and live updates

View Repository Report Security Issue

Capacitor Updater Plugin

The core Capacitor plugin that handles over-the-air updates on mobile devices

View Repository Report Security Issue

Requirements for Valid Reports

To qualify for the Bug Bounty program, your report must meet ALL of the following requirements:

  • You must identify the exact file and line number in our GitHub repository where the vulnerability exists
  • Your report must be submitted through GitHub Security Advisory on the relevant repository
  • You must include a clear description of the vulnerability and its potential impact
  • You must provide reproducible steps to demonstrate the issue

Important: If you cannot provide the exact line of code in GitHub where the problem exists, your report will not be eligible for the Bug Bounty program. Reports must be submitted through GitHub Security Advisory only. Payments are handled via Algora.io; please create an account there so we can pay you directly on the platform.

Response Time and Respect

We are friendly and we do pay for valid reports, but we cannot work with people who do not respect our time. Please keep communication calm and follow this program.

  • We respond to security reports and breaches within 24-72 hours.
  • Do not spam us. More than three emails in a single day is considered spam and will be blocked.
  • We do not pay for reports that ignore these rules or are spam.
  • Only in-scope reports that follow this bug bounty program are accepted; anything else may be blocked.

Important: Payments are issued only after we have identified the issue, fixed it, opened a pull request, and you have verified after release that the fix works for you. This process typically takes 3-5 days. Please do not send messages like "to get paid"; payment happens only once the release is live and you've tested and validated the fix.

How to Report

  1. Navigate to the relevant repository on GitHub
  2. Click on the "Security" tab
  3. Click "Report a vulnerability" to create a new security advisory
  4. Include the exact file path and line number(s) where the vulnerability exists
  5. Provide detailed steps to reproduce the issue and explain the security impact

Out of Scope

  • Reports without exact code line references in GitHub
  • Reports not submitted through GitHub Security Advisory
  • Theoretical vulnerabilities without proof of concept
  • Issues in third-party dependencies or services (report these upstream, e.g. Supabase).
  • Social engineering or phishing attempts
  • Denial of service attacks

Supabase and Third-Party Services

If the issue is in Supabase and tied to a Supabase endpoint, report it to Supabase (not Capgo). We only accept Supabase-related reports if you can reproduce it and show the exact Supabase setting/config change that prevents it in a project configured like ours.

Examples

Not valid here

  • A Supabase platform bug or outage
  • A finding you cannot reproduce
  • A claim without the Supabase setting/config change that fixes it

Valid here

  • A misconfiguration we can fix in Supabase settings (with steps)
  • A Capgo integration issue that causes insecure Supabase usage
  • A reproducible issue fixed by a specific Supabase config change

For questions about our Bug Bounty program, please reach out through our GitHub Security Advisories.