Responsible Disclosure Inquiry – Security Vulnerability Found

[th3gowtham]

Hello Team,I'm a security researcher and bug bounty hunter. I have found a serious vulnerability in your platform which may cause serious business impact on your site.May I know is there any policy to report vulnerabilities and reward security researcher for submitting valid vulnerabilities?Thanks,
Gowthambalaji 

[linear]

CAP-621

[tembo]

Thanks for reaching out about responsible disclosure. Currently, Cap doesn't have a formal SECURITY.md file or documented vulnerability disclosure policy in the repository.

For now, I'd suggest reaching out directly to the Cap team via their Discord server to coordinate private disclosure, as public GitHub issues aren't ideal for sharing vulnerability details before they're patched.

This issue does highlight a gap in the project's community health files - adding a SECURITY.md with clear disclosure instructions and contact information would be beneficial for future security researchers.

[th3gowtham]

Hello Team,

As suggested, I joined the Cap Discord server to coordinate responsible disclosure. I posted a brief introductory message in the general channel stating that I am a security researcher and that I was referred from the GitHub issue for security-related coordination.

However, after a few hours, my account was removed from the server. I’m not sure if this was intentional or a misunderstanding.

Please let me know the preferred and secure channel to proceed with private disclosure of the vulnerability details.

Best regards,
Gowthambalaji

[richiemcilroy]

Hey, if you have a genuine disclosure then feel free to email me at richie@cap.so, or security@cap.so. Or you can DM me directly on any platform.

Right now this reads as spam.