Get Bitcoin 
for finding security bugs

Founded in 2011, Kraken Digital Asset Exchange is one of the world’s largest and oldest bitcoin exchanges with the widest selection of digital assets and national currencies. Based in San Francisco with offices around the world, Kraken’s trading platform is consistently rated the best and most secure digital asset exchange by independent news media. Trusted by hundreds of thousands of traders, institutions, and authorities, including Germany’s BaFin regulated Fidor Bank, Kraken is the first exchange to display its market data on the Bloomberg Terminal, pass a cryptographically verifiable proof-of-reserves audit, and the first to offer spot trading with margin. Kraken investors include Blockchain Capital, Digital Currency Group, Hummingbird Ventures and Money Partners Group.

Kraken strongly believes in the value of security professionals and developers assisting in keeping our products and users safe. Kraken has established and encourages the use of responsibly disclosing all security vulnerabilities in our Bug Bounty Program. The Bug Bounty program serves the Kraken mission by helping us be the most trusted company in the digital currency market.

Kraken agrees not to initiate legal action for security research performed following all posted Kraken Bug Bounty policies, including good faith, accidental violations. We believe activities conducted consistent with this policy constitute “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and applicable anti-hacking laws such as Cal. Penal Code 503(c). We will not bring a claim against researchers for circumventing the technological measures we have used to protect the applications in scope of the Bug Bounty Program.

It is required that each researcher submit a notification to use before engaging in conduct that may be inconsistent with or unaddressed by policy.

All bounty submissions are rated by Kraken and paid out based on vulnerability rating. All payouts will proceed in BTC and are defined as a guideline and subject to change.

• All bug reports must be submitted to bugbounty@kraken.com
• Asking for payment in exchange for vulnerability details will result in immediate ineligibility of bounty payments. 
• If we cannot reproduce your findings, your report will not be eligible for payout. We ask you to provide as detailed a report as possible with all steps necessary to reproduce your findings. 
• Include your Bitcoin (BTC) Address for Payment. All rewards will be issued in Bitcoin.
• The minimum payout is Bitcoin (BTC) equivalent of $500 USD.

Critical

Critical severity issues present a direct and immediate risk to a broad array of our users or to Kraken itself. They often affect relatively low-level /foundational components in one of our application stacks or infrastructure. For example:

• arbitrary code/command execution on a server in our production network.
• arbitrary queries on a production database.
• bypassing our sign-in process, either password or 2FA.
• access to sensitive production user data or access to internal production systems.

 

High

High severity issues allow an attacker to read or modify highly sensitive data that they are not authorized to access. They are generally more narrow in scope than critical issues, though they may still grant an attacker extensive access. For example:

• XSS which bypasses CSP
• Discovering sensitive user data in a publicly exposed resource
• Gaining access to a non-critical, system to which an end user account should not have access

 

Medium

Medium severity issues allow an attacker to read or modify limited amounts of data that they are not authorized to access. They generally grant access to less sensitive information than high severity issues. For example:

• Disclosing non-sensitive information from a production system to which the user should not have access
• XSS that does not bypass CSP or does not execute sensitive actions in another user’s session
• CSRF for low risk actions

 

Low

Low severity issues allow an attacker to access extremely limited amounts of data. They may violate an expectation for how something is intended to work, but it allows nearly no escalation of privilege or ability to trigger unintended behavior by an attacker. For example:

• Triggering verbose or debug error pages without proof of exploitability or obtaining sensitive information.

 

Ineligibility

Reports in which we are not interested include:

• Vulnerabilities on sites hosted by third parties (support.kraken.com, etc) unless they lead to a vulnerability on the main website. Vulnerabilities and bugs on the Kraken blog (blog.kraken.com)
• Vulnerabilities contingent on physical attack, social engineering, spamming, DDOS attack, etc.
• Vulnerabilities affecting outdated or unpatched browsers.
• Vulnerabilities in third party applications that make use of Kraken's API.
• Vulnerabilities that have not been responsibly investigated and reported.
• Vulnerabilities already known to us, or already reported by someone else (reward goes to first reporter). Issues that aren't reproducible.
• Vulnerabilities that require an improbable level of user interaction.
• Vulnerabilities that require root/jailbreak on mobile.
• Missing security headers without proof of exploitability.
• TLS Cipher Suites offered.
• Suggestions on best practices.
• Software version disclosure.
• Any report without an accompanying proof of concept exploit.
• Issues that we can't reasonably be expected to do anything about.
• The output from automated tools/scanners.
• Issues without any security impact.

 

Non-security Issues

You can let us know about non-security issues at https://support.kraken.com.