Kraken strongly believes in the value of security professionals and developers assisting in keeping our products and users safe. Kraken has established and encourages coordinated vulnerability disclosure (CVD) via our Bug Bounty Program. The Bug Bounty program serves the Kraken mission by helping protect customers in the digital currency market.
By looking for bugs in Kraken systems, you agree to keep all data, information about vulnerabilities, your research, and communications with Kraken strictly confidential until Kraken has addressed the issue and granted permission for disclosure.
Where the requirements of this Policy are complied with, Kraken agrees not to initiate legal action for security research performed following all posted Kraken Bug Bounty policies, including good faith, accidental violations.
Please avoid deliberate privacy violations by creating test accounts whenever possible. Should you encounter personally identifiable information (‘PII’) or other sensitive data for accounts you do not have express written consent of the account owner to use to validate your findings, please stop accessing that data immediately, and report the issue to Kraken with a description of the PII or other sensitive data, not the data itself.
In alignment with data protection regulations and our privacy policies, you must:
- Not store or transmit other clients’ PII. If you should happen to capture any client PII, report it to Kraken immediately and then destroy all copies of PII that are not yours.
- Minimize data collection and access during your research. Only collect and retain information absolutely necessary to demonstrate and report the vulnerability.
- Immediately and securely delete all collected data once the report is submitted and Kraken has confirmed that it has received it.
- Not disclose any vulnerabilities or associated information to third parties without Kraken's express written consent. This includes but is not limited to social media, other companies, or the press.
- If you are reporting a data breach or the location of a data repository instead of a security vulnerability, please supply the location of the data and do not access it further, nor share the location of the data with others.
A bug bounty submission must never contain threats or any attempts at extortion. We are open to paying bounties for legitimate findings; however, ransom demands are not eligible for payment. For example, not releasing information about the vulnerability or otherwise hindering the ability to resolve the vulnerability until other demands are met will be deemed a ransom demand. We may be required by law or voluntarily decide to report to authorities any bug bounty submission that contains ransom demands.
We believe activities conducted consistent with this policy constitute “authorized” conduct under the Computer Fraud and Abuse Act (CFAA), the Digital Millennium Copyright Act (DMCA), and applicable anti-hacking laws such as Cal. Penal Code 503(c). We will not bring a claim against researchers for circumventing the technological measures we have used to protect the applications in scope of the Bug Bounty Program. However, following this policy does not mean that Kraken or any other individual organization or government can grant immunity from global laws. It is the responsibility of individual security researchers to understand and comply with all applicable local and international laws regarding anti-hacking, data and privacy, and export controls. If a third party brings legal action against you and you were following the terms in this policy, Kraken will inform the pertinent law enforcement agencies or civil plaintiffs that your research activities were, to the best of our knowledge, conducted pursuant to, and in compliance with, the terms and conditions of this program.
It is required that each researcher submit a notification to us before engaging in conduct that may be inconsistent with or unaddressed by this policy. We welcome suggestions for policy clarifications that help researchers conduct their research and reporting with confidence.