Vulnerability Disclosure Program
Last updated on September 7, 2017
The information on this page is intended for security researchers interested in reporting security vulnerabilities to the Personal Capital security team.
The security team at Personal Capital strongly believes that collaboration with the security community is key to maintaining secure environments for all of our clients and users. As such if you believe you've discovered a security vulnerability on a Personal Capital property or application, we strongly encourage you to inform us as quickly as possible. We ask that such vulnerability reports be kept private and researchers not make those public while we are working to resolve issues.
In return, we will work to review reports and respond in a timely manner. Our bug bounty partner Bugcrowd will engage with you initially to triage your submission. Personal Capital will not seek judicial or law enforcement remedies against you for identifying security issues, so long as you abide by the policies set forth in here as well as Bugcrowd’s Standard Disclosure Terms: do not compromise the safety or privacy of our users; and destroy any sensitive data you might have gathered from Personal Capital as part of your research once issues are resolved.
Thanks for your help!
Vulnerability Program Scope & Rules
We are primarily interested in hearing about the following vulnerability categories:
- Sensitive Data Exposure - Cross Site Scripting (XSS) Stored, SQL Injection (SQLi), etc.
- Authentication or Session Management related issues
- Remote Code Execution
- Particularly clever vulnerabilities or unique issues that do not fall into explicit categories, show us your fancy footwork!
Out of Scope
The following vulnerability categories are considered out of scope of our responsible disclosure program and should be avoided by researchers.
- Denial of Service (DoS) - Either through network traffic, resources exhaustion or others.
- User enumeration
- Issues only present in old browsers/old plugins/end-of-life software browsers
- Phishing or social engineering of Personal Capital employees, users or clients
- Systems or issues that relate to Third-Party technology used by Personal Capital
- Disclosure of known public files and other information disclosures that are not a material risk (e.g.: robots.txt)
- Any attack or vulnerability that hinges on a user’s computer being first compromised
Our public program currently does not provide any monetary reward beyond Personal Capital’s eternal gratitude. If you are a Bugcrowd researcher, you can also claim your submission below for kudos. If you are interested in helping us in a more dedicated manner as a security researcher in our Private Program, please contact [email protected] with your request and justification.
At Personal Capital’s discretion, we may make exceptions to this policy for exceptional contributions.
Report a Security Vulnerability
Please use the form below to report security vulnerabilities to Personal Capital through our Bugcrowd partner portal. Personal Capital generally scores vulnerability based on Bugcrowd’s Vulnerability Rating Taxonomy (VRT).