Critical severity issues present a direct and immediate risk to a broad array of our users or to Kraken itself. They often affect relatively low-level /foundational components in one of our application stacks or infrastructure. For example:
- arbitrary code/command execution on a server in our production network.
- arbitrary queries on a production database.
- bypassing our sign-in process, either password or 2FA.
- access to sensitive production user data or access to internal production systems.
High severity issues allow an attacker to read or modify highly sensitive data that they are not authorized to access. They are generally more narrow in scope than critical issues, though they may still grant an attacker extensive access. For example:
- XSS which bypasses CSP
- Discovering sensitive user data in a publicly exposed resource
- Gaining access to a non-critical, system to which an end user account should not have access
Medium severity issues allow an attacker to read or modify limited amounts of data that they are not authorized to access. They generally grant access to less sensitive information than high severity issues. For example:
- Disclosing non-sensitive information from a production system to which the user should not have access
- XSS that does not bypass CSP or does not execute sensitive actions in another user’s session
- CSRF for low risk actions
Low severity issues allow an attacker to access extremely limited amounts of data. They may violate an expectation for how something is intended to work, but it allows nearly no escalation of privilege or ability to trigger unintended behavior by an attacker. For example:
- Triggering verbose or debug error pages without proof of exploitability or obtaining sensitive information.
Reports in which we are not interested include:
- Vulnerabilities on sites hosted by third parties (support.kraken.com, etc) unless they lead to a vulnerability on the main website. Vulnerabilities and bugs on the Kraken blog (blog.kraken.com)
- Vulnerabilities contingent on physical attack, social engineering, spamming, DDOS attack, etc.
- Vulnerabilities affecting outdated or unpatched browsers.
- Vulnerabilities in third party applications that make use of Kraken's API.
- Vulnerabilities publicly disclosed in third party libraries or technology used in Kraken products, services, or infrastructure earlier than 30 days after the public disclosure of the issue
- Vulnerabilities that have been released publicly prior to Kraken issuing a comprehensive fix.
- Vulnerabilities already known to us, or already reported by someone else (reward goes to first reporter). Issues that aren't reproducible.
- Vulnerabilities that require an improbable level of user interaction.
- Vulnerabilities that require root/jailbreak on mobile.
- Missing security headers without proof of exploitability.
- TLS Cipher Suites offered.
- Suggestions on best practices.
- Software version disclosure.
- Any report without an accompanying proof of concept exploit.
- Issues that we can't reasonably be expected to do anything about, such as issues in technical specifications that Kraken must implement to conform to those standards.
- The output from automated tools/scanners.
- Issues without any security impact.
You can let us know about non-security issues at https://support.kraken.com.