
Learn how Personal Capital Protects its Financial Assets and Customer Data

Bug Bounty and Vulnerability Disclosure Program Provide Personal Capital with Max Coverage & High-Quality, Valid Results

Products
  • Bug Bounty Program
  • Vulnerability Disclosure Program
Industry

Financial

  • Challenges

    • Financial services firms fall victim to cybersecurity attacks 300 times more frequently than businesses in other industries.
    • Professional services would find a significant number of findings that were false positives and not reproducible.
    • They’d run a scan and send the results to engineering with little visibility on the quality of results or instructions on how to remediate.
    • The team wasted hours trying to parse through bad data.
  • Outcomes

    • The continuous testing from the Crowd provides the Personal Capital team with valuable vulnerability findings at scale.
    • Crowdcontrol helps Personal Capital manage their programs from start to finish.
    • Personal Capital was able to successfully integrate crowdsourced security into an ongoing and holistic security program using the most innovative technology and creative thinking available.

Security at Personal Capital

Personal Capital is a leading hybrid digital wealth management company based in Redwood Shores, California. With more than $9 billion in assets under management, 20,000 investment clients in all 50 states, and more than 2 million people using its free financial planning tools, Personal Capital is transforming people’s financial lives.

As a top customer-centric wealth management company, Personal Capital understood it was a legitimate target for cyber attacks, and needed to have best-in-class security in order to protect its users’ and clients’ money and data. The goal was for its application stack to be as hard a target as can be.

Personal Capital turned to Bugcrowd to manage its vulnerability disclosure program (VDP), providing a coordinated channel and framework for security feedback from the global community. After the success of its VDP, Personal Capital launched a managed private bug bounty program to take steps toward scaling its crowdsourced security program. The company recently took the bug bounty program public, taking an active approach in incentivizing the hacker community to contribute highly critical vulnerability submissions to its crowdsourced security program.

Cybersecurity & Financial Services

Cyberattacks cost financial services firms $18 million (vs. $12 million for firms across industries). Financial services firms fall victim to cybersecurity attacks 300 times more frequently than businesses in other industries. The financial services market has been one of the most heavily targeted industries for years. As they continue developing, deploying and managing highly-connected and distributed products, combating external threats continues to be a major challenge.

Crowdsourced security programs are fundamentally changing the way financial services organizations approach the security of their assets. Personal Capital is on the front lines, taking advantage of the crowdsourced model to get ahead of the adversaries and protect its customers from cyber attack.

Bugcrowd has helped us trend toward better security posture and close issues of varying degrees of severity. Due to the success of the program, we’ve been able to increase the credibility of the security team internally with engineering and infrastructure teams. That camaraderie is invaluable.

Maxime Rousseau, CISO

Personal Capital & Crowdsourced Security

Before working with Bugcrowd, Personal Capital was enlisting professional services to run penetration test engagements. In a typical engagement, the Personal Capital team would find that a significant number of findings were not reproducible or were false positives. The team wasted hours trying to parse through bad data. They’d run a scan and send the results to engineering with little visibility into the quality of the results and little guidance on how the engineering team could fix them.

To get away from these pitfalls, Personal Capital launched a managed vulnerability disclosure program with Bugcrowd. After seeing immediate success, Personal Capital evolved the program to include a private bug bounty with the goal of taking the program public. Private bug bounty programs allow organizations to harness the power of the Crowd – diversity of skills and perspective at scale – in a more controlled environment. Personal Capital launched its public bug bounty program in June 2019.

The continuous testing from Bugcrowd’s community of thousands of security researchers provides the Personal Capital team with valuable vulnerability findings at scale.

Vulnerability Disclosure & Bug Bounty

Vulnerability disclosure programs (VDP) provide a coordinated channel and framework for security feedback from the global community. Much like a “neighborhood watch” for an organization’s internet assets, the program encourages security researchers to report something if they see something. VDPs do not offer monetary rewards. Bug bounties take this approach one step further by adding scoped targets into a program brief available to the Crowd, as well as monetary incentives to motivate hackers to look for the more difficult and creative vulnerabilities.

Bugcrowd’s vulnerability disclosure program paired with a bug bounty program has equipped Personal Capital with the largest possible talent pool of hackers available, with collective skills that would otherwise be difficult to assemble, as well as maximum security coverage for its Internet assets and the platform features needed to get the right vulnerability information to the right team.

Benefits of Choosing Bugcrowd

As a leading financial services company, Personal Capital needed to affirm its commitment to its customer base with a meaningful, actionable way to uncover and repair security issues. The company also needed to ensure an efficient feedback loop between the security team and the engineering team.

Working together with Bugcrowd, Personal Capital was able to successfully integrate crowdsourced security into an ongoing and holistic security program using the most innovative technology and creative thinking available. The company was able to automate a managed process from discovery, validation, reproduction, review/triage, submitter payment, ticket creation, reward payout and on to a final successful outcome.

As evidenced by the ongoing relationship and the evolution of the program, Personal Capital has acknowledged the ROI the Bugcrowd solution provides. For Personal Capital, getting high-quality, valid results from the program was key. Bugcrowd provided concrete, actionable, clear value and security improvement opportunities.
