Security
"Issues that depend on compromised or malicious inputs already present in that context generally fall outside our bug bounty scope."
Cursor has denied responsibility for an arbitrary code execution bug in its vibe coding platform after researchers said it had failed to patch the vulnerability for seven months.
The platform, bought by SpaceX for $60 billion in June, said the issue depended on a compromised or malicious input and therefore fell outside its bug bounty scope after Mindgard accused it of ignoring its research.
A Cursor spokesperson told The Stack: “We operate under a shared responsibility model for workspace and agent-context inputs: customers decide which repositories, prompts, external content, MCP servers, rules, and tools to introduce into their environment, and Cursor provides controls to help manage that trust boundary.”
Cursor, a product of Anysphere, has more than 50,000 enterprise customers, including 64% of the Fortune 500, according to its website, and a reported 1 million+ daily active users.
Join peers managing over $100 billion in annual IT spend and subscribe to unlock full access to The Stack’s analysis and events.
Already a member? Sign in