Security: Cap-go/website

SECURITY.md

Security

Thanks for helping make Capgo safe for everyone.

Capgo takes the security of our software seriously, including all open-source repositories in the Cap-go GitHub organization: https://github.com/Cap-go

Reporting a vulnerability

Do not report, discuss, or disclose security issues on Discord, GitHub Issues, or any public forum.

All security reports must be submitted through GitHub Security Advisories for the relevant repository.

Please include:

  • a clear description of the issue and its impact
  • reproducible steps, proof of concept, and environment details
  • the exact file path and line numbers where the issue exists
  • any suggested fix (optional)

Do not publish details in any repository content until we coordinate disclosure.

For bug bounty details and payout rules, see: https://capgo.app/bug-bounty/

Bug bounty payouts

Payments are issued only after we have identified the issue, fixed it, opened a pull request, and you have verified after release that the fix works for you. This process typically takes 3-5 days. Please do not send messages like "to get paid"; payment happens only once the release is live and you have tested and validated the fix.

Embargo policy

Security information must be shared only within the Capgo Core and Security teams on a need-to-know basis. Do not make the information public, share it externally, or hint at it without explicit prior approval. This holds until the agreed public disclosure date and time.

As a clarifying example, this policy forbids sharing security details with employers unless prior arrangements have been made.

If information leaks, you must urgently inform the Capgo Security Team with exactly what was shared, with whom, and what steps will prevent future leaks.

Repeated offenses may lead to removal from the Security or Capgo team.