Security at Wealthfront

We believe that privately notifying vendors about vulnerabilities in their software, and setting reasonable disclosure deadlines in accordance with the severity of the bugs, is good for the overall security of Internet users.

If you believe you have found a security vulnerability on Wealthfront, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. Before reporting, though, please review this page, including Permitted Security Research and the issues that should not be reported.

Permitted Security Research

When investigating a vulnerability, only ever target your own accounts. Never attempt to access anyone else's data, and do not engage in any activity that would be disruptive or damaging to other clients or to Wealthfront. You are also prohibited from:

  • Executing or attempting to execute any denial of service attack
  • Knowingly posting, transmitting, uploading, linking to, sending or storing any malicious software
  • Testing in a manner that would degrade the operation of the Service

Ineligible Reports and False Positives

Please do not report the following issues, as they are known issues or false positives:

  • Social engineering (e.g. phishing, vishing, smishing) is prohibited
  • Clickjacking vulnerabilities
  • Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
  • Self-XSS
  • Attacks requiring MITM or physical access to a user's device
  • Previously known vulnerable libraries without demonstrated impact
  • Missing best practices in SSL/TLS configuration
  • Denial of Service (DoS) attacks
  • Missing best practices in Content Security Policy
  • Missing HttpOnly or Secure flags on cookies
  • Leaked passwords or breached credentials (i.e. credential breach dumps)

Reporting

If you are a Wealthfront client and have a security issue to report regarding your account, please visit our contact page. This includes password problems, login issues, spam reports, phishing reports, suspected fraud, and account abuse or security incidents.

If you believe you have discovered a vulnerability in a Wealthfront service, please use the form below to report it. Please do not publicly disclose these details without express written consent from Wealthfront.