please use GitHub's security advisories or email security@trycap.dev (pgp key) to report any security issues.
if you find bots in the wild bypassing Cap Instrumentation's headless browser checks, please email me too so i can take a look.
security advisories found from ai scans are allowed, but please make sure to label them as such and properly review and test them. ask your agent to confirm the security of the issue and to test it in a real-world scenario.
for "CAPTCHA bypasses", a working fix is required.