Here at Personal Capital, we believe in the power of technology to change the financial industry, making it more accessible, affordable, and honest. And we believe in the power of people to change the nature of investment advice, making it more transparent, objective, and personal. We are building a better money management experience for everyone with technology.
Your mission, researcher, should you choose to accept it is to help to ensure that our front end web application stack and back-end API endpoints are tough as nails. Nobody wants their favorite money management app to leak sensitive data out.
The Personal Capital web application is an HTML5 web app using single-page design and using Backbone, React and Angular for rendering web content. The application calls our backend RESTful APIs, written in Java with Spring MVC and JPA. We use RDBMS for persistent storage. You are welcome to stalk our engineering blog for further insights. While we are not providing researchers with the full list of all of our APIs, we do want to help researchers out. If you think you are onto something but just need a bit more information on a specific API, let us know!
For the initial prioritization/rating of findings, this Bug Bounty Program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher along with the opportunity to appeal and make a case for a higher priority. Please see below for deviations.
Reward RangeLast updated
|Technical severity||Reward range|
|p1 Critical||Starting at: $3,000|
|p2 Severe||Starting at: $1,200|
|p3 Moderate||Starting at: $550|
|p4 Low||Starting at: $150|
- https://devstaging.pcapcloud.com/* (web client and server-side APIs)
- Direct calls to the APIs (URIs /api/*), outside of webpage are in scope (e.g.: postman, etc.)
Personal Capital Cash Testing
Our newest offering is called Personal Capital Cash. To get to this feature, navigate to the “Banking” tab in your Personal Capital Dashboard and then select “Open an Account”. Please see the 'Credentials and Access' area below on access to the flow to start your testing.
Out of scope
- Third-party systems not directly under Personal Capital’s control (e.g.: yodlee, financial institutions, aws-layer attacks)
- AWS Vulnerabilities or security issues that are not Personal Capital's responsibility under AWS's shared responsibility model
- Mobile applications (We are not looking at the mobile platforms at this time given they leverage the same APIs)
- Social engineering of Personal Capital personnel
Testing is only authorized on the targets listed as In-Scope. Any domain/property of Personal Capital not listed in the targets section is out of scope. This includes any/all subdomains not listed above. If you believe you've identified a vulnerability on a system outside the scope, please reach out to email@example.com before submitting.
Please also note that we will have a testing blackout Thursdays between 12:00 pm and 4:00 pm Pacific Time when we refresh the environment.
Credentials and Access
Things that will help you play with things:
Registration - https://devstaging.pcapcloud.com/page/login/registerUser
Login Page - https://devstaging.pcapcloud.com/page/login/goHome
- Anyone is free to create their own accounts on our platform through the registration page we ask that you use your @bugcrowdninja.com email for this purpose.
- Many authentication scenarios will require you to submit through MFA. You are welcome to use either your personal phone or procure a VOIP number for this purpose.
- You may be able to use email as “MFA” after registration, this feature is phasing out so don’t get used to it.
Personal Capital Cash:
Below are some fake test identities that should allow you to progress through the account opening flow to test for vulnerabilities.
A couple notes on making it through the flow:
On the page that asks for “State ID Number”, please generate a random number (if the same number is used by two testers, it will lock the enrollment flow for the user)
On the Identity Verification Questions, only select the last answer (this will usually be the “none of the above” answer
|First Name & Middle Initial||Last Name||SSN||DOB||Home Phone||Address|
|Lawrence J.||Aber||666661234||5/1/1978||8645824068||8101 W Flamingo Rd Las Vegas NV 89147|
|Janet A.||Busch||666822043||7/5/1975||3129850020||4227 N 27th Av #3017 Phoenix AZ 85017|
|Aziz||Abdullah||666822882||1/1/1951||3129850099||1001 Riverland Woods Charleston SC 29412|
|Kim||Statesman||666121819||10/1/1981||8885550001||677 Integon Clinton SC 29325|
|Jose||Alvarez||666101110||10/1/1981||3129850022||117 Hamilton Rd Sterling VA 20165|
|Jessica||Leete||666224124||11/1/1942||3129850024||10813 Eagle Nest Rd Ocean Springs MS 39564|
|Mike WA.||Mechanicsburg||666010236||10/1/1981||3129850026||3855 75th Rd Kirkland WA 98034|
|Ernie||McCracken||666105556||3/1/1988||3129850020||300 Davidson Rd #4E Somerset NJ 08873|
|Robert||Cagle||666783615||2/24/1986||3129850030||1700 W Warlow Dr #202 Gillette WY 82716|
- Server-side APIs are the number one focus area for this program
- Subverting user authentication completely or partly (e.g.: including MFA)
- Any SQL-type, stored cross-user XSS or XML/JSON type injection attacks
- User information PII or financial information disclosure
- Watering holes
Break these Toys Challenges:
We're introducing to the program this new section with things we suspect may yield results for our researcher friends but have not been able to apply research cycle from our internal team on yet. Something doesn't quite feel right to us but we can't quite put our finger on it. May contain low hanging fruits!
Black box testing indicates potential SQL Injection on following page's searchString parameter
Things you may enjoy playing with (lead with /api/):
Financial Institution Aggregation
To fully test the dashboard and many of the interfaces available in our platform you will need financial institutions accounts linked. For this purpose, this environment makes available a test institution. Link it as follows:
- Click on “link account” and locate “Dag Site”
- Under “Catalog” enter ID pcap.site16441.3
- Under “Password” enter Password site16441.3
- Click “I’m done linking accounts”
- Feel free to also link your own personal accounts should you so desire :)
The following are either known issues we don't want to fix or already known and pending.
- User enumeration from login page - That's a design decision.
- No DMARC on the devstaging domain - This domain isn’t used for mail as such this is a non-issue
- DMARC still not completed on personalcapital.com - We’re aware of this. Stay tuned!
- Session invalidation on Password Reset & Change - We're aware of this.
- Content Security Policy / Clickjacking - We’re aware of this.
Things you shouldn’t play with:
- Any denial of service type attacks (either network, resource exhaustion or anything else)
- User and email enumeration - we are aware and allow this intentionally. There are some throttling triggers to manage this risk so no need to lock yourself out
- Disclosure of known public files and other information disclosures that are not a material risk (e.g.: robots.txt)
- Any attack or vulnerability that hinges on a user’s computer being first compromised
If you find a vulnerability, do not test on our live systems (out of scope as per above) to demonstrate it. The researcher's environment is an exact replica, demonstrating in this environment is sufficient.
Please see below for deviations from the standard VRT.
|PRIORITY ▼||BUGCROWD CATEGORIES||SPECIFIC VULNERABILITY NAME||VARIANT OR AFFECTED FUNCTION||DEVIATION|
|P1||Server Security Misconfiguration||Using Default Credentials||Production Server||P5|
|P2||Server Security Misconfiguration||Misconfigured DNS||Subdomain Takeover||P5|
|P3||Server Security Misconfiguration||Mail Server Misconfiguration||Missing SPF on Email Domain||P5|
|P3||Server Security Misconfiguration||Mail Server Misconfiguration||Email Spoofable Via Third-Party API Misconfiguration||P5|
|P3||Sensitive Data Exposure||EXIF Geolocation Data Not Stripped From Uploaded Images||Automatic User Enumeration||P5|
|P3||Application-Level Denial-of-Service (DoS)||High Impact and/or Medium Difficulty||P5|
|P3||Insufficient Security Configurability||Weak Password Policy||Complexity, Both Length and Char Type Not Enforced||P5|
|P4||Server Security Misconfiguration||No Rate Limiting on Form||Registration||P5|
|P4||Server Security Misconfiguration||No Rate Limiting on Form||Email-Triggering||P5|
|P4||Server Security Misconfiguration||Missing Secure or HTTP Only Cookie Flag||Session Token||P5|
|P4||Sensitive Data Exposure||EXIF Geolocation Data Not Stripped From Uploaded Images||Manual User Enumeration||P5|
|P4||Missing Function Level Access Control||Username Enumeration||Data Leak||P5|
|P4||Insufficient Security Configurability||Weak Password Policy||Complexity, Char Type Not Enforced||P5|
|P4||Insecure Data Storage||Credentials Stored Unencrypted||On External Storage||P5|
|P4||Insecure Data Storage||Sensitive Application Data Stored Unencrypted||On External Storage||P5|
|P4||Privacy Concerns||Unnecessary Data Collection||WiFi SSID+Password||P5|
When conducting vulnerability research according to this policy, we consider this research to be:
- Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
- Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
- Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
- Lawful, helpful to the overall security of the Internet, and conducted in good faith.
- You are expected, as always, to comply with all applicable laws.
If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please inquire via firstname.lastname@example.org before going any further.