Here at Personal Capital, we believe in the power of technology to change the financial industry, making it more accessible, affordable, and honest. And we believe in the power of people to change the nature of investment advice, making it more transparent, objective, and personal. We are building a better money management experience for everyone with technology.
Your mission, researcher, should you choose to accept it is to help to ensure that our front end web application stack and back-end API endpoints are tough as nails. Nobody wants their favorite money management app to leak sensitive data out.
The Personal Capital web application is an HTML5 web app using single-page design and using Backbone, React and Angular for rendering web content. The application calls our backend RESTful APIs, written in Java with Spring MVC and JPA. We use RDBMS for persistent storage. You are welcome to stalk our engineering blog for further insights. While we are not providing researchers with the full list of all of our APIs, we do want to help researchers out. If you think you are onto something but just need a bit more information on a specific API, let us know!
For the initial prioritization/rating of findings, this Bug Bounty Program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher along with the opportunity to appeal and make a case for a higher priority. Please see below for deviations.
Last updated 13 Feb 2020 00:32:15 UTC
Technical severity | Reward range
p1 Critical | Starting at: $3,000
p2 Severe | Starting at: $1,200
p3 Moderate | Starting at: $550
p4 Low | Starting at: $150
P5 submissions do not receive any rewards for this program.
Target name | Type
<https://devstaging.pcapcloud.com/*> | Website
Our newest offering is called Personal Capital Cash. To get to this feature, navigate to the “Banking” tab in your Personal Capital Dashboard and then select “Open an Account”. Please see the 'Credentials and Access' area below on access to the flow to start your testing. A most interesting feature that we’d like your help to test are the joint account invite/authentication flows. See the instructions below for starting a Personal Capital Cash Account and select the “Joint” option.
Testing is only authorized on the targets listed as In-Scope. Any domain/property of Personal Capital not listed in the targets section is out of scope. This includes any/all subdomains not listed above. If you believe you've identified a vulnerability on a system outside the scope, please reach out to email@example.com before submitting.
Please also note that we will have a testing blackout Thursdays between 12:00 pm and 4:00 pm Pacific Time when we refresh the environment.
Things that will help you play with things:
Registration - https://devstaging.pcapcloud.com/page/login/registerUser
Login Page - https://devstaging.pcapcloud.com/page/login/goHome
Below are some fake test identities that should allow you to progress through the account opening flow to test for vulnerabilities.
A couple notes on making it through the flow:
On the page that asks for “State ID Number”, please generate a random number (if the same number is used by two testers, it will lock the enrollment flow for the user)
On the Identity Verification Questions, only select the last answer (this will usually be the “none of the above” answer
If testing the joint account flow, be sure to provide a different email address (using a firstname.lastname@example.org will suffice) for the delegated account
First Name & Middle Initial | Last Name | SSN | DOB | Home Phone | Address
Lawrence J. | Aber | 666661234 | 5/1/1978 | 8645824068 | 8101 W Flamingo Rd Las Vegas NV 89147
Janet A. | Busch | 666822043 | 7/5/1975 | 3129850020 | 4227 N 27th Av #3017 Phoenix AZ 85017
Aziz | Abdullah | 666822882 | 1/1/1951 | 3129850099 | 1001 Riverland Woods Charleston SC 29412
Kim | Statesman | 666121819 | 10/1/1981 | 8885550001 | 677 Integon Clinton SC 29325
Jose | Alvarez | 666101110 | 10/1/1981 | 3129850022 | 117 Hamilton Rd Sterling VA 20165
Jessica | Leete | 666224124 | 11/1/1942 | 3129850024 | 10813 Eagle Nest Rd Ocean Springs MS 39564
Mike WA. | Mechanicsburg | 666010236 | 10/1/1981 | 3129850026 | 3855 75th Rd Kirkland WA 98034
Ernie | McCracken | 666105556 | 3/1/1988 | 3129850020 | 300 Davidson Rd #4E Somerset NJ 08873
Robert | Cagle | 666783615 | 2/24/1986 | 3129850030 | 1700 W Warlow Dr #202 Gillette WY 82716
Things you may enjoy playing with (lead with /api/):
To fully test the dashboard and many of the interfaces available in our platform you will need financial institutions accounts linked. For this purpose, this environment makes available a test institution. Link it as follows:
The following are either known issues we don't want to fix or already known and pending.
Things you shouldn’t play with:
If you find a vulnerability, do not test on our live systems (out of scope as per above) to demonstrate it. The researcher's environment is an exact replica, demonstrating in this environment is sufficient.
Please see below for deviations from the standard VRT.
PRIORITY ▼ | BUGCROWD CATEGORIES | SPECIFIC VULNERABILITY NAME | VARIANT OR
AFFECTED FUNCTION | DEVIATION
P1 | Server Security Misconfiguration | Using Default Credentials | Production Server | P5
P2 | Server Security Misconfiguration | Misconfigured DNS | Subdomain Takeover | P5
P3 | Server Security Misconfiguration | Mail Server Misconfiguration | Missing SPF on Email Domain | P5
P3 | Server Security Misconfiguration | Mail Server Misconfiguration | Email Spoofable Via Third-Party API Misconfiguration | P5
P3 | Sensitive Data Exposure | EXIF Geolocation Data Not Stripped From Uploaded Images | Automatic User Enumeration | P5
P3 | Application-Level Denial-of-Service (DoS) | High Impact and/or Medium Difficulty | | P5
P3 | Insufficient Security Configurability | Weak Password Policy | Complexity, Both Length and Char Type Not Enforced | P5
P4 | Server Security Misconfiguration | No Rate Limiting on Form | Registration | P5
P4 | Server Security Misconfiguration | No Rate Limiting on Form | Email- Triggering | P5
P4 | Server Security Misconfiguration | Missing Secure or HTTP Only Cookie Flag | Session Token | P5
P4 | Sensitive Data Exposure | EXIF Geolocation Data Not Stripped From Uploaded Images | Manual User Enumeration | P5
P4 | Missing Function Level Access Control | Username Enumeration | Data Leak | P5
P4 | Insufficient Security Configurability | Weak Password Policy | Complexity, Char Type Not Enforced | P5
P4 | Insecure Data Storage | Credentials Stored Unencrypted | On External Storage | P5
P4 | Insecure Data Storage | Sensitive Application Data Stored Unencrypted | On External Storage | P5
P4 | Privacy Concerns | Unnecessary Data Collection | WiFi SSID+Password | P5
When conducting vulnerability research according to this policy, we consider this research to be:
If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please inquire via email@example.com before going any further.
This program follows Bugcrowd’s standard disclosure terms.
This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.
|Scope Type||Scope Name|
This program leverage 1 scopes, in 1 scopes categories.