Vulnerability report

The information on this page is intended for security researchers interested in reporting security vulnerabilities to the Personal Capital security team. Sunshine Conversations relies on the Bugcrowd Vulnerability Rating Taxonomy for prioritisation of findings- but reserves the right to either downgrade or upgrade findings’ severity based on the criticality of their underlying risk to Sunshine Conversations. We ask that you do not share or publicise any vulnerabilities submitted via this form. We appreciate your discretion and support.



Web app


Sunshine Conversations Web SDK
Sunshine Conversations Android SDK
Sunshine Conversations iOS SDK

Out of scope


If you believe you have found any security vulnerability in the products or services of Sunshine Conversations, you are welcome to submit a vulnerability report on our platform. In order to file a security vulnerability, please note that you must include the following information:
  • For web vulnerabilities, the URL where the vulnerability was identified
  • A detailed description with screenshots if necessary
  • Versions of web components related to the vulnerability (browser, OS, app version, etc.)
  • SDK versions, if applicable
  • Steps to reproduce the vulnerability
  • Your suggestion to fix the vulnerability
  • Any other information that you believe is useful

Target information

Please use our latest SDK and API versions when performing your tests All vulnerabilities discovered and reported on other targets (including subdomains or older version of SDKs/API) will be accepted, but are not eligible for a reward at this time. These submissions will be marked "Not Applicable" to prevent negative ratings.
  • Sunshine Conversations Web app -
  • Sunshine Conversations API -
  • Sunshine Conversations SDKs - Android, iOS and Web messenger

Prohibited Testing

  • Do NOT conduct non-technical attacks such as social engineering, phishing or unauthorized access to infrastructure.
  • Do NOT perform any attack that could harm our services (E.g.: DDoS/Spam)
  • Do NOT attack, in any way, our end users, or engage in trade of stolen user credentials.
  • Do NOT use automated scanners and tools to find vulnerabilities.
  • Do NOT Perform automated/scripted testing of web forms, especially "Contact Us" forms that are designed for customers to contact our support team.
  • You may investigate or target vulnerabilities against your own or test accounts, but testing must not disrupt or compromise any data or data access that is not yours.


This program requires explicit permission to disclose the results of a submission.

This program follows Bugcrowd’s standard disclosure terms.

This program only offers point-based rewards for P4-P5 findings. Learn more about Bugcrowd’s VRT.

Report a Security Vulnerability