Kraken strongly believes in the value of security professionals and developers assisting in keeping our products and users safe. Kraken has established and encourages coordinated vulnerability disclosure (CVD) via our Bug Bounty Program. The Bug Bounty Program serves the Kraken mission by helping protect customers in the digital currency market.
Kraken agrees not to initiate legal action for security research performed following all posted Kraken Bug Bounty policies, including good faith, accidental violations. Please avoid deliberate privacy violations by creating test accounts whenever possible. Should you encounter personally identifiable information or other sensitive data for accounts you do not have express written consent of the account owner to use to validate your findings, please stop accessing that data immediately, and report the issue to Kraken with a description of the data, not the data itself. Please do not store or transmit other users’ data, and please destroy all copies of data that is not yours that you accidentally or deliberately captured during the course of your research. If you are reporting a data breach or the location of a data repository instead of a security vulnerability, please supply the location of the data and do not access it further, nor share the location of the data with others.
A bug bounty submission can never contain threats or any attempts at extortion. We are open to paying bounties for legitimate findings; however, ransom demands are not eligible for payment. We may be required by law to report any bug bounty submission that contains ransom demands.
We believe activities conducted consistent with this policy constitute “authorized” conduct under the Computer Fraud and Abuse Act (CFAA), the Digital Millennium Copyright Act (DMCA), and applicable anti-hacking laws such as Cal. Penal Code 503(c). We will not bring a claim against researchers for circumventing the technological measures we have used to protect the applications in scope of the Bug Bounty Program. However, following this policy does not mean that Kraken or any other individual organization or government can grant immunity from global laws. It is the responsibility of individual security researchers to understand and comply with all applicable local and international laws regarding anti-hacking, data and privacy, and export controls. If a third party brings legal action against you and you were following the terms in this policy, Kraken will inform the pertinent law enforcement agencies or civil plaintiffs that your research activities were, to the best of our knowledge, conducted pursuant to, and in compliance with, the terms and conditions of this program.
It is required that each researcher submit a notification to us before engaging in conduct that may be inconsistent with or unaddressed by this policy. We welcome suggestions for policy clarifications that help researchers conduct their research and reporting with confidence.