Kraken

Bug Bounty Program

Report security vulnerabilities and get paid in Bitcoin

Bug Bounty Program

Since its founding in 2011, the Kraken digital asset exchange has been the world's largest and oldest Bitcoin exchange, offering the widest selection of digital assets and national currencies. Headquartered in San Francisco and expanding worldwide, Kraken's trading platform has consistently been rated by independent news media as the best and most secure digital asset exchange. Trusted by hundreds of thousands of traders, institutions and authorities, including Fidor Bank, which is regulated by the German Federal Financial Supervisory Authority (BaFin), Kraken was the first exchange to display market data on the Bloomberg Terminal and to pass a cryptographically verifiable proof-of-reserves audit. Kraken was also the first exchange to offer spot trading on margin. Kraken's investors include Blockchain Capital, Digital Currency Group, Hummingbird Ventures and Money Partners Group.

Policy

Kraken firmly believes in the value of the security experts and developers who keep our products and users safe. Through its Bug Bounty program, Kraken has encouraged the responsible disclosure of all security weaknesses. Through the Bug Bounty program we are carrying out Kraken's mission of becoming the most trusted company in the digital currency market.

Kraken agrees not to pursue legal action against security research conducted in accordance with all of Kraken's published Bug Bounty policies, including good-faith and accidental violations. Activities conducted under this policy are considered "authorized" conduct under applicable anti-hacking laws, such as the Computer Fraud and Abuse Act, the DMCA and California Penal Code Section 503. We will not bring any claim against researchers who circumvent our technical application protection measures within the scope of the Bug Bounty program.

Before performing any activity that is inconsistent with this policy or not covered by it, researchers must submit a notification to inform us of it.

Rewards

All bounty submissions are rated by Kraken and paid out based on the vulnerability rating. All payouts are made in BTC; the amounts given here are a guideline and are subject to change.

  • All bug reports must be submitted to bugbounty@kraken.com.
  • Asking for payment in exchange for vulnerability details will result in immediate ineligibility for bounty payments.
  • If we cannot reproduce your findings, your report will not be eligible for payout. We ask you to provide as detailed a report as possible, with all steps necessary to reproduce your findings.
  • Include your Bitcoin (BTC) address for payment. All rewards will be issued in Bitcoin.
  • The minimum payout is the Bitcoin (BTC) equivalent of $500 USD.

Program Statistics

  • 39 reports rewarded in the last year
  • $805 average payout in the last year

Wall of Fame

See below some of the researchers who have been previously rewarded through Kraken's Bug Bounty program.

Inductees

Researcher                                Amount Rewarded
Sunil Yeda (Twitter)                      $6,400
Gal Nagli (Twitter, LinkedIn)             $3,500
Ranjeet Kumar Singh (Twitter, LinkedIn)   $2,900

This information is updated monthly.

Vulnerability Ratings

Critical

Critical severity issues present a direct and immediate risk to a broad array of our users or to Kraken itself. They often affect relatively low-level/foundational components in one of our application stacks or infrastructure. For example:

  • arbitrary code/command execution on a server in our production network.
  • arbitrary queries on a production database.
  • bypassing our sign-in process, either password or 2FA.
  • access to sensitive production user data or access to internal production systems.


High

High severity issues allow an attacker to read or modify highly sensitive data that they are not authorized to access. They are generally more narrow in scope than critical issues, though they may still grant an attacker extensive access. For example:

  • XSS which bypasses CSP
  • Discovering sensitive user data in a publicly exposed resource
  • Gaining access to a non-critical system to which an end user account should not have access


Medium

Medium severity issues allow an attacker to read or modify limited amounts of data that they are not authorized to access. They generally grant access to less sensitive information than high severity issues. For example:

  • Disclosing non-sensitive information from a production system to which the user should not have access
  • XSS that does not bypass CSP or does not execute sensitive actions in another user’s session
  • CSRF for low risk actions


Low

Low severity issues allow an attacker to access extremely limited amounts of data. They may violate an expectation of how something is intended to work, but they allow nearly no escalation of privilege and give an attacker nearly no ability to trigger unintended behavior. For example:

  • Triggering verbose or debug error pages without proof of exploitability or obtaining sensitive information.


Ineligibility

Reports in which we are not interested include:

  • Vulnerabilities on sites hosted by third parties (support.kraken.com, etc.) unless they lead to a vulnerability on the main website. Vulnerabilities and bugs on the Kraken blog (blog.kraken.com).
  • Vulnerabilities contingent on physical attack, social engineering, spamming, DDoS attack, etc.
  • Vulnerabilities affecting outdated or unpatched browsers.
  • Vulnerabilities in third party applications that make use of Kraken's API.
  • Vulnerabilities that have not been responsibly investigated and reported.
  • Vulnerabilities already known to us, or already reported by someone else (reward goes to first reporter). Issues that aren't reproducible.
  • Vulnerabilities that require an improbable level of user interaction.
  • Vulnerabilities that require root/jailbreak on mobile.
  • Missing security headers without proof of exploitability.
  • TLS Cipher Suites offered.
  • Suggestions on best practices.
  • Software version disclosure.
  • Any report without an accompanying proof of concept exploit.
  • Issues that we can't reasonably be expected to do anything about.
  • The output from automated tools/scanners.
  • Issues without any security impact.


Non-security Issues

You can let us know about non-security issues at https://support.kraken.com.