Get Bitcoin 
for finding security bugs

Founded in 2011, Kraken Digital Asset Exchange is one of the world’s largest and oldest bitcoin exchanges with the widest selection of digital assets and national currencies. Based in San Francisco with offices around the world, Kraken’s trading platform is consistently rated the best and most secure digital asset exchange by independent news media. Trusted by hundreds of thousands of traders, institutions, and authorities, including Germany’s BaFin regulated Fidor Bank, Kraken is the first exchange to display its market data on the Bloomberg Terminal, pass a cryptographically verifiable proof-of-reserves audit, and the first to offer spot trading with margin. Kraken investors include Blockchain Capital, Digital Currency Group, Hummingbird Ventures and Money Partners Group.

Kraken strongly believes in the value of security professionals and developers assisting in keeping our products and users safe. Kraken has established and encourages coordinated vulnerability disclosure (CVD) via our Bug Bounty Program. The Bug Bounty program serves the Kraken mission by helping protect customers in the digital currency market.

Kraken agrees not to initiate legal action for security research performed following all posted Kraken Bug Bounty policies, including good faith, accidental violations. Please avoid deliberate privacy violations by creating test accounts whenever possible. Should you encounter personally identifiable information or other sensitive data for accounts you do not have express written consent of the account owner to use to validate your findings, please stop accessing that data immediately, and report the issue to Kraken with a description of the data, not the data itself. Please do not store or transmit other users’ data, and please destroy all copies of data that is not yours that you accidentally or deliberately captured during the course of your research. If you are reporting a data breach or the location of a data repository instead of a security vulnerability, please supply the location of the data and do not access it further, nor share the location of the data with others.

A bug bounty submission can never contain threats or any attempts at extortion. We are open to paying bounties for legitimate findings, however ransom demands are not eligible for payment. We may be required by law to report any bug bounty submission that contains ransom demands.

We believe activities conducted consistent with this policy constitute “authorized” conduct under the Computer Fraud and Abuse Act (CFAA), the Digital Millennium Copyright Act (DMCA), and applicable anti-hacking laws such as Cal. Penal Code 503(c). We will not bring a claim against researchers for circumventing the technological measures we have used to protect the applications in scope of the Bug Bounty Program. However, following this policy does not mean that Kraken nor any other individual organization or government can grant immunity from global laws. It is the responsibility of individual security researchers to understand and comply with all applicable local and international laws regarding anti-hacking, data and privacy, and export controls. If a third party brings legal action against you and you were following the terms in this policy, Kraken will inform the pertinent law enforcement agencies or civil plaintiffs that your research activities were, to the best of our knowledge, conducted pursuant to, and in compliance, with the terms and conditions of this program. 

It is required that each researcher submit a notification to us before engaging in conduct that may be inconsistent with or unaddressed by this policy. We welcome suggestions for policy clarifications that help researchers conduct their research and reporting with confidence.

All bounty submissions are rated by Kraken and paid out based on vulnerability rating. All payouts will proceed in BTC and are defined as a guideline and subject to change.

• All bug reports must be submitted to [email protected]
• To receive bug bounty payments, you must register at the Intermediate level and provide documentation for verification. See also: https://support.kraken.com/hc/en-us/articles/360000672203-Document-requirements-for-verification
• Asking for payment in exchange for vulnerability details will result in immediate ineligibility of bounty payments. 
• If we cannot reproduce your findings, your report will not be eligible for payout. We ask you to provide as detailed a report as possible with all steps necessary to reproduce your findings. 
• Include your Bitcoin (BTC) Address for Payment. All rewards will be issued in Bitcoin.
• Payment minimums are defined below. All payments may be modified at Kraken's discretion.
• The minimum payout is Bitcoin (BTC)  equivalent of $500 USD.

Rewards Update:

Effective June 1, 2022 all researchers must create and have an ACTIVE Kraken account that is verified at the intermediate level to facilitate all reward payouts. 

Verification Levels: https://support.kraken.com/hc/en-us/articles/360001395743-Verification-levels-explained

Create an Account: https://www.kraken.com/sign-up

• 84 reports rewarded in the last year
• 1127 reports submitted in the last year
• $998 average payout in the last year

See below some of the researchers who have been previously rewarded through Kraken's Bug Bounty program.

Critical

Critical severity issues present a direct and immediate risk to a broad array of our users or to Kraken itself. They often affect relatively low-level /foundational components in one of our application stacks or infrastructure. For example:

• arbitrary code/command execution on a server in our production network.
• arbitrary queries on a production database.
• bypassing our sign-in process, either password or 2FA.
• access to sensitive production user data or access to internal production systems.

High

High severity issues allow an attacker to read or modify highly sensitive data that they are not authorized to access. They are generally more narrow in scope than critical issues, though they may still grant an attacker extensive access. For example:

• XSS which bypasses CSP
• Discovering sensitive user data in a publicly exposed resource
• Gaining access to a non-critical, system to which an end user account should not have access

Medium

Medium severity issues allow an attacker to read or modify limited amounts of data that they are not authorized to access. They generally grant access to less sensitive information than high severity issues. For example:

• Disclosing non-sensitive information from a production system to which the user should not have access
• XSS that does not bypass CSP or does not execute sensitive actions in another user’s session
• CSRF for low risk actions

Low

Low severity issues allow an attacker to access extremely limited amounts of data. They may violate an expectation for how something is intended to work, but it allows nearly no escalation of privilege or ability to trigger unintended behavior by an attacker. For example:

• Triggering verbose or debug error pages without proof of exploitability or obtaining sensitive information.

Ineligibility

Reports in which we are not interested include:

• Vulnerabilities on sites hosted by third parties (support.kraken.com, etc) unless they lead to a vulnerability on the main website. Vulnerabilities and bugs on the Kraken blog (blog.kraken.com)
• Vulnerabilities contingent on physical attack, social engineering, spamming, DDOS attack, etc.
• Vulnerabilities affecting outdated or unpatched browsers.
• Vulnerabilities in third party applications that make use of Kraken's API.
• Vulnerabilities publicly disclosed in third party libraries or technology used in Kraken products, services, or infrastructure earlier than 30 days after the public disclosure of the issue
• Vulnerabilities that have been released publicly prior to Kraken issuing a comprehensive fix.
• Vulnerabilities already known to us, or already reported by someone else (reward goes to first reporter). Issues that aren't reproducible.
• Vulnerabilities that require an improbable level of user interaction.
• Vulnerabilities that require root/jailbreak on mobile.
• Missing security headers without proof of exploitability.
• TLS Cipher Suites offered.
• Suggestions on best practices.
• Software version disclosure.
• Any report without an accompanying proof of concept exploit.
• Issues that we can't reasonably be expected to do anything about, such as issues in technical specifications that Kraken must implement to conform to those standards.
• The output from automated tools/scanners.
• Issues without any security impact.

Non-security Issues

You can let us know about non-security issues at https://support.kraken.com.