Bug Bounty Program
Capgo is committed to security and transparency. All our code is open source, and we welcome security researchers to help us identify vulnerabilities in our codebase.
Open Source Code
Every repository in the Capgo organization is open source. You can review, audit, and contribute to our code.
GitHub Organization: github.com/Cap-go
Capgo Backend & Landing
Main Capgo repository including backend services and landing website
Capgo CLI
Command-line interface for managing Capgo deployments and live updates
Capacitor Updater Plugin
The core Capacitor plugin that handles over-the-air updates on mobile devices
Requirements for Valid Reports
To qualify for the Bug Bounty program, your report must meet ALL of the following requirements:
- You must identify the exact file and line number in our GitHub repository where the vulnerability exists
- Your report must be submitted through GitHub Security Advisory on the relevant repository
- You must include a clear description of the vulnerability and its potential impact
- You must provide reproducible steps to demonstrate the issue
Important: If you cannot provide the exact line of code in GitHub where the problem exists, your report will not be eligible for the Bug Bounty program. Reports must be submitted through GitHub Security Advisory only.
How to Report
- Navigate to the relevant repository on GitHub
- Click on the "Security" tab
- Click "Report a vulnerability" to create a new security advisory
- Include the exact file path and line number(s) where the vulnerability exists
- Provide detailed steps to reproduce the issue and explain the security impact
Out of Scope
- Reports without exact code line references in GitHub
- Reports not submitted through GitHub Security Advisory
- Theoretical vulnerabilities without proof of concept
- Issues in third-party dependencies (report these upstream)
- Social engineering or phishing attempts
- Denial of service attacks
For questions about our Bug Bounty program, please reach out through our GitHub Security Advisories.