Vulnerability Disclosure Program

The information on this page is intended for security researchers interested in reporting security vulnerabilities to the Jscrambler security team.

The security team at Jscrambler strongly believes that collaboration with the security community is key to maintaining secure environments for all of our clients and users. As such, if you believe you've discovered a security vulnerability on a Jscrambler property or application, we strongly encourage you to inform us as quickly as possible. We ask that such vulnerability reports be kept private and researchers do not make those public while we are working to resolve the reported issues.
In return, we will work to review reports and respond in a timely manner (under 3 business days). Jscrambler will not seek judicial or law enforcement remedies against you for identifying security issues, so long as you abide by the policies set forth in here: do not compromise the safety or privacy of our users; do not publish information about the vulnerabilities until we fix it; and destroy any sensitive data you might have gathered from Jscrambler as part of your research once issues are resolved.

Thanks for your help!

Vulnerability Program Scope & Rules

In Scope

We are primarily interested in hearing about the following vulnerability categories:
  • Sensitive Data Exposure - Cross Site Scripting (XSS) Stored, SQL Injection (SQLi), etc.
  • Sensitive Data Leakage
  • Authentication or Session Management related issues
  • Remote Code Execution
  • Particularly clever vulnerabilities or unique issues that do not fall into explicit categories

Out of Scope

The following vulnerability categories are considered out of scope of our responsible disclosure program and should be avoided by researchers:
  • Denial of Service (DoS) - Either through network traffic, resources exhaustion or others.
  • User enumeration
  • Issues only present in old browsers/old plugins/end-of-life software browsers
  • Phishing or social engineering of Personal Capital employees, users or clients
  • Systems or issues that relate to Third-Party technology used by Jscrambler
  • Disclosure of known public files and other information disclosures that are not a material risk (e.g.: robots.txt)
  • Any attack or vulnerability that hinges on a user’s computer being first compromised

Vulnerability Rewards

Our public program currently does not provide any monetary reward.
At Jscrambler’s discretion, we may make exceptions to this policy for exceptional contributions.

Report a Security Vulnerability

If you discover a vulnerability, we would like to know about it so we can take steps to address it as quickly as possible. We would like to ask you to help us better protect our clients and our systems.

Please do the following:
  • E-mail your findings to security@jscrambler.com,
  • Do not take advantage of the vulnerability or problem you have discovered, for example by downloading more data than necessary to demonstrate the vulnerability or deleting or modifying other people's data,
  • Do not reveal the problem to others until it has been resolved and with the agreement of Jscrambler,
  • Do provide sufficient information to reproduce the problem, so we will be able to resolve it as quickly as possible. Usually, the IP address or the URL of the affected system and a description of the vulnerability will be sufficient, but complex vulnerabilities may require further explanation.
Last modified on 2018-10-18