Vulnerability Disclosure Program

Last updated on September 7, 2017

The information on this page is intended for security researchers interested in reporting security vulnerabilities to the Personal Capital security team.

The security team at Personal Capital strongly believes that collaboration with the security community is key to maintaining secure environments for all of our clients and users. As such if you believe you've discovered a security vulnerability on a Personal Capital property or application, we strongly encourage you to inform us as quickly as possible. We ask that such vulnerability reports be kept private and researchers not make those public while we are working to resolve issues.

In return, we will work to review reports and respond in a timely manner. Our bug bounty partner Bugcrowd will engage with you initially to triage your submission. Personal Capital will not seek judicial or law enforcement remedies against you for identifying security issues, so long as you abide by the policies set forth in here as well as Bugcrowd’s Standard Disclosure Terms: do not compromise the safety or privacy of our users; and destroy any sensitive data you might have gathered from Personal Capital as part of your research once issues are resolved.

Thanks for your help!

Vulnerability Program Scope & Rules

In Scope

We are primarily interested in hearing about the following vulnerability categories:


Out of Scope

The following vulnerability categories are considered out of scope of our responsible disclosure program and should be avoided by researchers.


Vulnerability Rewards

Our public program currently does provide any monetary reward beyond Personal Capital’s eternal gratitude. If you are a Bugcrowd researcher, you can also claim your submission below for kudos. If you are interested in helping us in a more dedicated manner as a security researcher in our Private Program, please contact [email protected] with your request and justification.

At Personal Capital’s discretion, we may make exceptions to this policy for exceptional contributions.

Report a Security Vulnerability

Please use the form below to report security vulnerabilities to Personal Capital through our Bugcrowd partner portal. Personal Capital generally scores vulnerability based on Bugcrowd’s Vulnerability Rating Taxonomy (VRT).