Kraken Security Labs

Kraken is the most secure digital asset exchange because we live and breathe security – in fact, we have multiple world-class teams dedicated to testing our products and services. 

 

However secure we might be, though, we know our success is linked to the success of others within the cryptocurrency community.


That’s why we created Kraken Security Labs, an elite team of security researchers that aims to protect and grow the cryptocurrency ecosystem by:


Testing common third-party products and services


Working with vendors to fix those issues


Informing the public about the ways they can best protect themselves.

A Commitment to Responsible Disclosure

When a security researcher finds a vulnerability, the best practice is to contact the vendor so the vendor can fix the issue.

 

While simple in theory, many issues can arise in practice:

 

What if the affected vendor doesn't respond?

 

Perhaps the vendor doesn't want to acknowledge the issue or doesn't have a bug bounty program.

 

 

How long should the vendor be given to fix the issue?

 

Some security issues aren't easy to fix, and vendors often want to prioritize new features over fixing issues.

 

 

Should the researcher disclose the issue to the public and, if so, when?

 

Every white-hat hacker worries the issue they’ve found is already known and being exploited by the bad guys. Every moment a vendor hasn’t released a fix is a moment that the public is in the dark and isn’t armed with the knowledge to protect themselves. Public disclosure is the only leverage researchers have to pressure a vendor to fix the issue.


Simply put, disclosing vulnerabilities responsibly means something different to everyone – it’s inherently difficult to balance the needs of vendors and users.  

 

We strongly believe it’s essential for research teams like us to partner with vendors to fix issues in their products and disclose them to the public.

 

In pursuit of that goal, Kraken Security Labs has disclosed and worked with vendors to fix issues across a wide range of cryptocurrency products and services. The details of our vulnerability disclosure policy are published here.

Cryptocurrency Hardware Wallets

We don’t think you should store all of your funds on any exchange, including ours. 

 

That’s why we regularly purchase and test products that provide customers with the ability to store and self-custody their crypto assets. 

 

We’ve published issues and advisories for the following products:

Cryptocurrency Services

At Kraken, we encourage all our clients to test and verify any cryptocurrency service they might decide to trust with their funds or data.

 

We’ve published issues and advisories for the following services: 

Our Disclosure Philosophy

Hearing conflicting reports about a Kraken Security Labs disclosure? 

 

Know it’s common for vendors and researchers to disagree on the severity of an issue. 

 

Put simply, researchers want their work to have maximum impact, while vendors typically want to downplay the extent of the issue. 

 

 

Interpreting Severity

 

Security vulnerabilities are typically given a severity range from Low to Critical, but not all vulnerabilities disclosed by Kraken Security Labs or other researchers will be Critical. 

 

Still, we believe it is crucial these faults be exposed.

 

Even a handful of low, medium and high severity vulnerabilities might be used by an attacker in a coordinated way to result in a big impact to the target device.

Compounding Benefits

 

Releasing these findings can power additional work. 

 

It’s common for security researchers to build upon the work of others, to release issues that should be fixed but don’t allow full compromise and to release research that the vendor doesn’t immediately think is worth fixing. 

 

Because of this, it would not be responsible for a security researcher to remain quiet because they did not find an issue of Critical severity. 

 

We strive to put out disclosures that are as understandable and transparent as possible to the public, so that you can make informed choices as to the severity of the issue.

Follow Us!

To follow our work closely and stay up to date with our announcements, bookmark our official blog or enter your email to subscribe and receive notifications of new posts by email.