'Break these toys challenge' -- Personal Capital - Announcements - Empower Personal Wealth

$150 – $4,000 per vulnerability
Safe harbor

Hey Everyone,

Personal Capital wants to help the crowd find more vulnerabilities in their systems. They will be rolling out some updates to their program to further this effort in the coming months. The first bit of help is live on their bounty brief today, with some information to help researchers focus their efforts.

Please see below for further details:

Black box testing indicates potential XSS on the following pages by using the skipFirstUse parameter

https://devstaging.pcapcloud.com/page/login/goHome?
https://devstaging.pcapcloud.com/page/login/app?

Black box testing indicates potential SQL Injection on following page's searchString parameter

https://devstaging.pcapcloud.com/api/search/searchSites

Black box testing indicates potential Remote OS Command Injection on

https://devstaging.pcapcloud.com/page/login/app?

with the following parameters: deviceName, skipFirstUse, referrerId, passwd, redirectTo

Thank you, and happy hunting!

Best,
Steve @ Bugcrowd