KuCoin Bug Bounty Program Launched
Overview
Dear Users, to ensure a secure trading environment for users as it continues to expand, we are mobilizing the expertise of the community to maximize the security of www.kucoin.com. We have established a bug and security feedback reward mechanism on July 26, 2022 to provide security experts with incentives for security advice and vulnerability analysis.
Rules
Rewards are divided into four tiers, depending on their severity. Each tier has different rewards (in USD).
Extreme | 1,000,000 USD |
Critical | 50,000 - 100,000 USD |
High | 2,000 - 49,999 USD |
Medium | 500 - 1,999 USD |
Low | 50 - 499 USD |
If we accept your bug/vulnerability report, we will pay you the USDT as your rewards.
Please note that the threat level will be determined by KuCoin security staff, and that KuCoin has the sole discretion on deciding whether report meets the reward criteria.
Scope of Vulnerabilities
The modules within the scope of reporting are as follows:
Target | Type |
*.kucoin.com | Web |
KuCoin Mobile Application for Android | Android |
KuCoin Mobile Application for iOS | iOS |
The modules not within the scope of reporting are as follows:
Target | Type |
cert.kucoin.com | Web |
Zendesk | Web |
SandBox | Web |
KuCoin store | Web |
API docs | Web |
intro.kucoin.com | Web |
passport.kucoin.com | Web |
sandbox-*.kucoin.com | Web |
*-sdb.kucoin.com | Web |
*-sandbox.kucoin.com | Web |
Criteria
We are mostly interested in the following vulnerabilities:
- Web Module
- Problems with business logic that may result in the loss of user assets.
- Payment manipulation.
- Remote code execution (RCE).
- Leakage of sensitive information.
- Critical Owasp issues such as XSS, CSRF, SQL, SSRF, IDOR, and others.
- Other vulnerabilities that may result in potential loss.
- Mobile Module
- Functions that can access unsafe external links.
Jsbridge/javascritptinterface
that can be called to harm users.- Other vulnerabilities that may result in potential loss.
The following security issues are not within scope.
- Web Module
- Theoretical loopholes that are not actually proven.
- Email verification code flaws, expired password reset links, and issues with password complexity policies.
- Records with invalid or missing sender information.
- Clickjacking and UI redirection with only minor security impact.
- Vulnerabilities in third-party applications.
- Zero-day exploits that are less than 30 days old.
- Social engineering, phishing, and other forms of deception.
- Denial of service (DOS) attacks.
- Email/phone number information enumeration (e.g. resetting passwords to verify emails or phone numbers).
- Data leaks with minor security impact (e.g. stack tracing, path exposure, directory listing, and log information).
- Known issues, duplicate submissions, or security issues that have already been disclosed.
- Physical attacks.
- XSS for PCs.
- Vulnerabilities that can only be exploited on older versions of browsers or platforms.
- Vulnerabilities in auto-filling web forms.
- Using known codebase vulnerabilities without actual proof.
- Lack of security flags in cookies.
- Issues related to insecure SSL/TLS socket or protocol versions.
- Content-based deception.
- Issues related to cache management.
- Internal IP or domain name leakages.
- Missing security headers that cannot be directly exploited.
- CSRF issues with negligible impact (such as add to favorites, add to cart, subscribe, etc.)
- Issues with no security impact.
- Assets that do not belong to KuCoin.
- Behavior that disrupts the normal operation of the business (DoS/DDoS).
- Issues with installation path permissions.
- Automated tools or scanned reports.
- Links to invalid or expired pages will only be accepted if you can prove that the currently submitted link is still in normal use. Issues found through past announcements or blogs will not be accepted.
- Mobile Module
- Vulnerabilities that require Root/Jailbreak permissions.
- Physical vulnerabilities that require manipulation of the user's device.
- Vulnerabilities that require a lot of user interaction.
- Issues that only expose non-sensitive device information.
- Only static analysis is performed on binary files with missing POC business logic.
- Lack of fuzzing, binary protection, or root (jailbreak) detection.
- Bypassing of device certificate detection.
- Missing Exp such as PIE, ARC, or stack exploits.
- Leakage of sensitive information in TLS-protected URLs or Requests.
- Binary path leaks.
- Hardcoded OAuth and APP keys present in APK and IPA.
- Scan reports for automated tools.
- Information leakage caused by sensitive information being stored in clear text in the user device.
- Crashes caused by sending malformed URL Schemes or components to receivers such as external Activity/Service/Broadcast (the leakage of sensitive data obtained by exploiting these schemes is within the scope of acceptable vulnerabilities).
- Shared link leaks via clipboard.
- API key leaks with no security implications (such as Google Map API keys).
- Other content outlined in the out of scope Web Module vulnerabilities.
Report Evaluation Criteria
P0 1,000,000 USD:
Vulnerabilities that affect critical assets that could cause serious business disruption such as: Access to KuCoin owned hot/cold wallet assets,funds, and/or wallet private keys.
P1 50,000 - 100,000 USD:
Vulnerabilities that could compromise the security of any user or business funds, including:Direct access to the system or core business.
- Other potential for significant damage.
P2 2,000 - 49,999 USD:
Vulnerabilities with similar impact as P1, but with the preconditions of exploitation and the impact of malicious exploitation, including:
- Unauthorized access.
- Serious SQL injections.
- High-risk data leaks.
P3 500 - 1,999 USD:
- Issues that affect certain users, result in the access and modification of user information, etc.
P4 50 - 499 USD:
- SMS spam.
- Leakage of non-sensitive information.
Feedback Channel
You can provide us with feedback through the following channels.
- Submit a report to us via Hacken at: https://hackenproof.com/kucoin/kucoin
Event Statement
- It is strictly forbidden to use penetration testing as an excuse to exploit vulnerabilities and threat intelligence to damage the interests of users, affect normal business operations, or steal user data.
- Modification of the KuCoin database or destruction of data through the use of identified bugs or vulnerabilities is strictly prohibited.
- Automated testing using scanning tools is strictly prohibited.
- Testing on accounts other than those you own is strictly prohibited.
- Kucoin.com reserves the right to the final interpretation of the event.
About Us
Founded in September 2017, KuCoin is a global cryptocurrency exchange. As a user-oriented platform focused on inclusivity and the community, we offer over 700 digital assets. KuCoin provides spot trading, margin trading, P2P trading, futures trading, and equity and lending to 18+ million users across 207 countries and regions.