Code Capsules
Security

Help us stay secure

We take security seriously. If you discover a vulnerability in our platform, we want to hear about it — and we'll reward you for responsible disclosure.

Rewards

Earn up to $1,000 per vulnerability

Rewards are determined by severity based on impact and exploitability. All amounts are in USD.

Low

$100

Issues with minimal security impact. Minor misconfigurations, information disclosure with limited exploitability, or low-risk vulnerabilities requiring unlikely user interaction.

Examples

  • Missing security headers on non-sensitive pages
  • Verbose error messages exposing non-critical info
  • Clickjacking on non-authenticated pages

Medium

$250

Vulnerabilities that could lead to limited data exposure or require significant user interaction to exploit.

Examples

  • Stored XSS with limited impact
  • CSRF on non-critical actions
  • IDOR exposing non-sensitive data
  • Session fixation

High

$500

Significant vulnerabilities that could lead to unauthorized access, data exposure, or service disruption.

Examples

  • XSS with access to sensitive data or actions
  • IDOR exposing personal or billing data
  • Authentication or authorization bypass (limited scope)
  • Server-side request forgery (SSRF)

Critical

$1,000

Severe vulnerabilities that could compromise user data, infrastructure, or allow full unauthorized access.

Examples

  • Remote code execution (RCE)
  • SQL injection accessing sensitive data
  • Authentication bypass granting admin access
  • Privilege escalation to other tenants' data
  • Exposure of secrets, tokens, or credentials

Process

How it works

From report to reward — our straightforward disclosure process.

1. Submit
   Email your report with a clear description, reproduction steps, and supporting evidence.

2. Acknowledge
   We confirm receipt within 2 business days and begin our assessment.

3. Assess
   Our security team evaluates severity and impact within 5 business days.

4. Reward
   Once validated and fixed, we issue your reward based on the severity tier.

In scope

  • codecapsules.io (marketing site)
  • app.codecapsules.io (application dashboard)
  • api.codecapsules.io (public API)

Out of scope

  • Social engineering, phishing, or physical attacks
  • Denial of service (DoS/DDoS) attacks
  • Automated scanning or brute force attacks
  • Vulnerabilities in third-party services we don't control
  • Spam, rate limiting, or email-related issues
  • Reports from automated tools without a validated PoC
  • Clickjacking on pages with no sensitive actions
  • Missing best practices without demonstrated impact
  • Attacks requiring physical device access
Guidelines

Rules of engagement

To qualify for a reward, you must follow these rules. Failure to comply may result in disqualification.

  • Do not access, modify, or delete other users' data
  • Do not degrade service for other users
  • Do not publicly disclose before we've resolved the issue
  • Provide a clear proof of concept with reproduction steps
  • Give us reasonable time (90 days) to address the issue
  • One vulnerability per report
  • Only test against accounts you own

Found something?

Send your report to security@codecapsules.io with a clear description, reproduction steps, and supporting evidence.

We aim to acknowledge reports within 2 business days and provide an initial assessment within 5 business days.