Personal Capital

  • $150 – $3,000+ per vulnerability
  • Safe harbor
  • Managed by Bugcrowd

Program stats

31 vulnerabilities rewarded

Validation within 2 days
75% of submissions are accepted or rejected within 2 days

$687.50 average payout (last 3 months)

Disclosure

Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

Here at Personal Capital, we believe in the power of technology to change the financial industry, making it more accessible, affordable, and honest. And we believe in the power of people to change the nature of investment advice, making it more transparent, objective, and personal. We are building a better money management experience for everyone with technology.

Your mission, researcher, should you choose to accept it, is to help ensure that our front-end web application stack and back-end API endpoints are tough as nails. Nobody wants their favorite money management app to leak sensitive data.

The Personal Capital web application is an HTML5 web app using single-page design and using Backbone, React and Angular for rendering web content. The application calls our backend RESTful APIs, written in Java with Spring MVC and JPA. We use RDBMS for persistent storage. You are welcome to stalk our engineering blog for further insights. While we are not providing researchers with the full list of all of our APIs, we do want to help researchers out. If you think you are onto something but just need a bit more information on a specific API, let us know!


Ratings/Rewards

For the initial prioritization/rating of findings, this Bug Bounty Program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher along with the opportunity to appeal and make a case for a higher priority. Please see below for deviations.

Reward Range

Technical severity   Reward range
P1 Critical          Starting at $3,000
P2 Severe            Starting at $1,200
P3 Moderate          Starting at $550
P4 Low               Starting at $150

P5 submissions do not receive any rewards for this program.

Targets

In scope

Target name                          Type
https://devstaging.pcapcloud.com/*   Website

Target Details

In scope

  • https://devstaging.pcapcloud.com/* (web client and server-side APIs)
  • Direct calls to the APIs (URIs under /api/*) made outside of the web page are in scope (e.g. via Postman or similar tools)

Personal Capital Cash Testing (Now featuring Joint Accounts!)

Our newest offering is called Personal Capital Cash. To get to this feature, navigate to the “Banking” tab in your Personal Capital Dashboard and then select “Open an Account”. Please see the 'Credentials and Access' section below for access to the flow to start your testing. The feature we would most like your help testing is the joint account invite/authentication flow. Follow the instructions below for starting a Personal Capital Cash Account and select the “Joint” option.

Out of scope

  • *.personalcapital.com
  • Third-party systems not directly under Personal Capital’s control (e.g.: yodlee, financial institutions, aws-layer attacks)
  • AWS Vulnerabilities or security issues that are not Personal Capital's responsibility under AWS's shared responsibility model
  • Mobile applications (We are not looking at the mobile platforms at this time given they leverage the same APIs)
  • Social engineering of Personal Capital personnel

Testing is only authorized on the targets listed as In-Scope. Any domain/property of Personal Capital not listed in the targets section is out of scope. This includes any/all subdomains not listed above. If you believe you've identified a vulnerability on a system outside the scope, please reach out to support@bugcrowd.com before submitting.

Please also note that we will have a testing blackout Thursdays between 12:00 pm and 4:00 pm Pacific Time when we refresh the environment.

Credentials and Access

Things that will help you get started:

Key URLs:

Registration - https://devstaging.pcapcloud.com/page/login/registerUser
Login Page - https://devstaging.pcapcloud.com/page/login/goHome

Credentials:

  • Anyone is free to create their own accounts on our platform through the registration page; we ask that you use your @bugcrowdninja.com email for this purpose.
  • Many authentication scenarios will require you to submit through MFA. You are welcome to use either your personal phone or procure a VOIP number for this purpose.
  • You may be able to use email as “MFA” after registration; this feature is being phased out, so don’t get used to it.

Personal Capital Cash:

Below are some fake test identities that should allow you to progress through the account opening flow to test for vulnerabilities.

A couple of notes on making it through the flow:

  • On the page that asks for “State ID Number”, please generate a random number (if the same number is used by two testers, it will lock the enrollment flow for the user).
  • On the Identity Verification Questions, only select the last answer (this will usually be the “none of the above” answer).
  • If testing the joint account flow, be sure to provide a different email address (an email+foobar@domain.com alias will suffice) for the delegated account.

First Name & Middle Initial | Last Name    | SSN       | DOB        | Home Phone | Address
Lawrence J.                 | Aber         | 666661234 | 5/1/1978   | 8645824068 | 8101 W Flamingo Rd, Las Vegas, NV 89147
Janet A.                    | Busch        | 666822043 | 7/5/1975   | 3129850020 | 4227 N 27th Av #3017, Phoenix, AZ 85017
Aziz                        | Abdullah     | 666822882 | 1/1/1951   | 3129850099 | 1001 Riverland Woods, Charleston, SC 29412
Kim                         | Statesman    | 666121819 | 10/1/1981  | 8885550001 | 677 Integon, Clinton, SC 29325
Jose                        | Alvarez      | 666101110 | 10/1/1981  | 3129850022 | 117 Hamilton Rd, Sterling, VA 20165
Jessica                     | Leete        | 666224124 | 11/1/1942  | 3129850024 | 10813 Eagle Nest Rd, Ocean Springs, MS 39564
Mike WA.                    | Mechanicsburg| 666010236 | 10/1/1981  | 3129850026 | 3855 75th Rd, Kirkland, WA 98034
Ernie                       | McCracken    | 666105556 | 3/1/1988   | 3129850020 | 300 Davidson Rd #4E, Somerset, NJ 08873
Robert                      | Cagle        | 666783615 | 2/24/1986  | 3129850030 | 1700 W Warlow Dr #202, Gillette, WY 82716

Focus Areas

  • Server-side APIs are the number one focus area for this program
  • Subverting user authentication completely or partly (e.g.: including MFA)
  • Any SQL-type, stored cross-user XSS or XML/JSON type injection attacks
  • User information PII or financial information disclosure
  • Watering holes

Interesting APIs

Things you may enjoy playing with (each path is prefixed with /api/):

  • credential/authenticateEmailByCode
  • credential/authenticateEmailByUrl
  • credential/authenticatePassword
  • credential/authenticatePhone
  • credential/authenticatePin
  • credential/authenticateSms
  • credential/authenticateSsn
  • credential/authenticateUserSiteKnowledge
  • credential/challengeEmail
  • credential/challengePhone
  • credential/challengeSms
  • credential/challengeUserSiteKnowledge
  • credential/getRegisteredCredentials
  • credential/identifyAndAuthenticatePassword
  • credential/identifyAndAuthenticatePin
  • credential/registerCredentials
  • credential/resetPassword
  • credential/resetPin
  • credential/suggestDeviceName
  • feedback/logMarketingEvent
  • filecabinet/getEdocuments
  • fileUpload/getTradeReasonFileBytes
  • fileUpload/getTradeReasonFileDataEntries
  • fileUpload/getTradeReasonFileUploadHistories
  • login/identifyUser
  • login/keepalive
  • login/logoff
  • login/querySession
  • login/softLogout
  • login/suggestFriend
  • login/switchUser
  • login/validateSession
  • registration/registerUser
  • enrollment/getEnrollments
  • enrollment/startEnrollmentCorrection
  • enrollment/submitEnrollment
  • pcbenrollment/createEnrollment
  • pcbenrollment/getEnrollment
  • pcbenrollment/getEnrollments
  • pcbenrollment/updateEnrollment
  • pcbenrollment/submitEnrollment
  • pcbtransfer/create
  • pcbaccount/getAccountStateForTransfer
  • pcbenrollment/verifyIdentity
  • pcbmicrodeposit/initiate
  • pcbmicrodeposit/verify

Financial Institution Aggregation

To fully test the dashboard and many of the interfaces available in our platform, you will need financial institution accounts linked. For this purpose, this environment makes a test institution available. Link it as follows:

  1. Click on “link account” and locate “Dag Site”
  2. Under “Catalog” enter ID pcap.site16441.3
  3. Under “Password” enter Password site16441.3
  4. Click “I’m done linking accounts”
  5. Feel free to also link your own personal accounts should you so desire :)

Known Issues

The following are known issues that we either do not intend to fix or are already aware of and have pending.

  • User enumeration from login page - That's a design decision.
  • No DMARC on the devstaging domain - This domain isn’t used for mail, so this is a non-issue.
  • Session invalidation on Password Reset & Change - We're aware of this.
  • Content Security Policy / Clickjacking - We’re aware of this.

Exclusions

Things you shouldn’t play with:

  • Any denial of service type attacks (either network, resource exhaustion or anything else)
  • User and email enumeration - we are aware of this and allow it intentionally. There are throttling triggers in place to manage this risk, so there is no need to lock yourself out.
  • Disclosure of known public files and other information disclosures that are not a material risk (e.g.: robots.txt)
  • Any attack or vulnerability that hinges on a user’s computer being first compromised

If you find a vulnerability, do not test on our live systems (out of scope as per above) to demonstrate it. The researcher environment is an exact replica; demonstrating the issue in this environment is sufficient.


VRT Deviations

Please see below for deviations from the standard VRT.

Priority | Bugcrowd Category                        | Specific Vulnerability Name                                | Variant or Affected Function                            | Deviation
P1       | Server Security Misconfiguration         | Using Default Credentials                                  | Production Server                                       | P5
P2       | Server Security Misconfiguration         | Misconfigured DNS                                          | Subdomain Takeover                                      | P5
P3       | Server Security Misconfiguration         | Mail Server Misconfiguration                               | Missing SPF on Email Domain                             | P5
P3       | Server Security Misconfiguration         | Mail Server Misconfiguration                               | Email Spoofable Via Third-Party API Misconfiguration    | P5
P3       | Sensitive Data Exposure                  | EXIF Geolocation Data Not Stripped From Uploaded Images    | Automatic User Enumeration                              | P5
P3       | Application-Level Denial-of-Service (DoS)| High Impact and/or Medium Difficulty                       |                                                         | P5
P3       | Insufficient Security Configurability    | Weak Password Policy                                       | Complexity, Both Length and Char Type Not Enforced      | P5
P4       | Server Security Misconfiguration         | No Rate Limiting on Form                                   | Registration                                            | P5
P4       | Server Security Misconfiguration         | No Rate Limiting on Form                                   | Email-Triggering                                        | P5
P4       | Server Security Misconfiguration         | Missing Secure or HTTP Only Cookie Flag                    | Session Token                                           | P5
P4       | Sensitive Data Exposure                  | EXIF Geolocation Data Not Stripped From Uploaded Images    | Manual User Enumeration                                 | P5
P4       | Missing Function Level Access Control    | Username Enumeration                                       | Data Leak                                               | P5
P4       | Insufficient Security Configurability    | Weak Password Policy                                       | Complexity, Char Type Not Enforced                      | P5
P4       | Insecure Data Storage                    | Credentials Stored Unencrypted                             | On External Storage                                     | P5
P4       | Insecure Data Storage                    | Sensitive Application Data Stored Unencrypted              | On External Storage                                     | P5
P4       | Privacy Concerns                         | Unnecessary Data Collection                                | WiFi SSID+Password                                      | P5

Safe Harbor:

When conducting vulnerability research according to this policy, we consider this research to be:

  • Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
  • Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
  • Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
  • Lawful, helpful to the overall security of the Internet, and conducted in good faith.
  • You are expected, as always, to comply with all applicable laws.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please inquire via support@bugcrowd.com before going any further.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.