Kraken

漏洞报告奖励

通过检举漏洞

获取比特币 

关于

Kraken数字资产交易所成立于2011年,是全球规模最大,历史最悠久的比特币交易所之一,拥有最多的数字资产和本国货币供选择。 Kraken位于旧金山,在世界各地都设有办公地点。独立的新闻媒体一直将Kraken的交易平台评为最佳和最安全的数字资产交易平台。 Kraken受到包括德国BaFin监管的Fidor银行在内的数十万交易人,机构和当局的信任,是第一家在彭博终端上显示其市场数据,通过可加密验证的储量证明审计的交易所,并且首个提供保证金现货交易的交易平台。 Kraken的投资者包括Blockchain Capital,Digital Currency Group,Hummingbird Ventures和Money Partners Group。

政策

Kraken坚信安全专家和开发人员的价值,他们可以协助确保我们的产品和用户安全。Kraken建立并鼓励在我们的漏洞赏金计划中以负责任的方式来披露所有的安全漏洞。漏洞赏金计划将帮助我们成为数字货币市场上最受信任的公司,来满足Kraken的使命。

Kraken同意不对所有发布的Kraken漏洞赏金政策(包括善意,意外侵权)采取的安全措施提起法律诉讼。我们认为,根据《计算机欺诈和滥用法案》,《数字千年版权法案(DMCA)》以及适用的反黑客法律(例如Cal),与该政策一致进行的活动构成“授权”行为。刑法典503(c)。我们不会因研究人员绕过我们在漏洞赏金计划范围内保护我们的应用程序所采取的技术措施而提出索赔。

在从事可能与政策不一致或未解决的行为之前,要求每个研究人员提交使用通知。

Rewards

All bounty submissions are rated by Kraken and paid out based on vulnerability rating. All payouts will proceed in BTC and are defined as a guideline and subject to change.

  • All bug reports must be submitted to [email protected]
  • To receive bug bounty payments, you must register at the Intermediate level and provide documentation for verification. See also: https://support.kraken.com/hc/en-us/articles/360000672203-Document-requirements-for-verification
  • Asking for payment in exchange for vulnerability details will result in immediate ineligibility of bounty payments. 
  • If we cannot reproduce your findings, your report will not be eligible for payout. We ask you to provide as detailed a report as possible with all steps necessary to reproduce your findings. 
  • Include your Bitcoin (BTC) Address for Payment. All rewards will be issued in Bitcoin.
  • Payment minimums are defined below. All payments may be modified at Kraken's discretion.
  • The minimum payout is Bitcoin (BTC)  equivalent of $500 USD.
Payout ScaleSeverityRange
 Low Severity$500-$1000
 Medium Severity$2000-$3000
 High Severity$10,000-$20,000
 Critical Severity$100,000+

Rewards Update:

Effective June 1, 2022 all researchers must create and have an ACTIVE Kraken account that is verified at the intermediate level to facilitate all reward payouts. 

Verification Levels: https://support.kraken.com/hc/en-us/articles/360001395743-Verification-levels-explained

Create an Account: https://www.kraken.com/sign-up

Program Statistics

  • 84 reports rewarded in the last year
  • 1127 reports submitted in the last year
  • $998 average payout in the last year

Wall of Fame

See below some of the researchers who have been previously rewarded through Kraken's Bug Bounty program.

Wall of FameResearcherAmount Rewarded
InducteesDevendra Hyalij - Twitter$53,600
 UGWST - Twitter$30,000
 Redacted*$20.000
 Md Al Nafis Aqil Haque$11,000
 Redacted*$10,000
 Sunil Yeda - Twitter$9,500
 Md Al Nafis Aqil Haque$8,500
 Ranjeet Kumar Singh - Twitter, LinkedIn$6,000
 Redacted*$3,800
 Gal Nagli - Twitter, LinkedIn$3,500
 
*Researchers name withheld at their request
 
This information is updated quarterly.

Vulnerability Ratings

Critical

Critical severity issues present a direct and immediate risk to a broad array of our users or to Kraken itself. They often affect relatively low-level /foundational components in one of our application stacks or infrastructure. For example:

  • arbitrary code/command execution on a server in our production network.
  • arbitrary queries on a production database.
  • bypassing our sign-in process, either password or 2FA.
  • access to sensitive production user data or access to internal production systems.

 

High

High severity issues allow an attacker to read or modify highly sensitive data that they are not authorized to access. They are generally more narrow in scope than critical issues, though they may still grant an attacker extensive access. For example:

  • XSS which bypasses CSP
  • Discovering sensitive user data in a publicly exposed resource
  • Gaining access to a non-critical, system to which an end user account should not have access

 

Medium

Medium severity issues allow an attacker to read or modify limited amounts of data that they are not authorized to access. They generally grant access to less sensitive information than high severity issues. For example:

  • Disclosing non-sensitive information from a production system to which the user should not have access
  • XSS that does not bypass CSP or does not execute sensitive actions in another user’s session
  • CSRF for low risk actions

 

Low

Low severity issues allow an attacker to access extremely limited amounts of data. They may violate an expectation for how something is intended to work, but it allows nearly no escalation of privilege or ability to trigger unintended behavior by an attacker. For example:

  • Triggering verbose or debug error pages without proof of exploitability or obtaining sensitive information.

 

Ineligibility

Reports in which we are not interested include:

  • Vulnerabilities on sites hosted by third parties (support.kraken.com, etc) unless they lead to a vulnerability on the main website. Vulnerabilities and bugs on the Kraken blog (blog.kraken.com)
  • Vulnerabilities contingent on physical attack, social engineering, spamming, DDOS attack, etc.
  • Vulnerabilities affecting outdated or unpatched browsers.
  • Vulnerabilities in third party applications that make use of Kraken's API.
  • Vulnerabilities publicly disclosed in third party libraries or technology used in Kraken products, services, or infrastructure earlier than 30 days after the public disclosure of the issue
  • Vulnerabilities that have been released publicly prior to Kraken issuing a comprehensive fix.
  • Vulnerabilities already known to us, or already reported by someone else (reward goes to first reporter). Issues that aren't reproducible.
  • Vulnerabilities that require an improbable level of user interaction.
  • Vulnerabilities that require root/jailbreak on mobile.
  • Missing security headers without proof of exploitability.
  • TLS Cipher Suites offered.
  • Suggestions on best practices.
  • Software version disclosure.
  • Any report without an accompanying proof of concept exploit.
  • Issues that we can't reasonably be expected to do anything about, such as issues in technical specifications that Kraken must implement to conform to those standards.
  • The output from automated tools/scanners.
  • Issues without any security impact.

 

Non-security Issues

You can let us know about non-security issues at https://support.kraken.com.