To eliminate system vulnerabilities and further improve the exchange functions and services of KuCoin 2.0, KuCoin is launching a bug bounty program open to all cybersecurity researchers.
After receiving your report, the KuCoin Team will contact you by email to verify the vulnerability. Rewards are paid in KCS: once your submission is accepted, KuCoin will issue the reward to your KuCoin account, so we suggest creating a KuCoin account in order to receive payment. Please note that the KCS reward is of equivalent value to the US dollar amount awarded, and the KCS price used for conversion is the actual price at the time you receive it.
Notice: Only reports with a detailed description of the vulnerability and a complete working proof of concept qualify for rewards.
To ensure that every researcher’s finding is rewarded fairly, KuCoin will grant additional rewards to reporters of severe issues or issues with an extreme impact on the business.
Applicable Scope:
P1: $2,500.00–$10,000.00 in equally valued KCS
- Vulnerabilities that undermine the security of users’ assets
- Vulnerabilities that bypass the applications or procedures of normal trading logic
- Vulnerabilities that allow remote access to users’ basic information and authentication information
- Vulnerabilities that lead to illegal acquisition of KCS
- Vulnerabilities that leak users’ unencrypted private keys or key seeds
P2: $300.00–$2,500.00 in equally valued KCS
- Vulnerabilities that lead to high-risk information leakage
- Vulnerabilities that cause KuCoin to be unable to respond to users’ API requests
P3: $75.00–$300.00 in equally valued KCS
- Vulnerabilities that lead to the leakage of part of a user’s information through interaction or financial fraud
- Vulnerabilities that cause KuCoin to be unable to respond to users’ requests from the web or mobile side
P4: $10.00–$75.00 in equally valued KCS
- Vulnerabilities due to product design defects that have no effect on the security of users’ assets
- Vulnerabilities that affect the stability or availability of the Web wallet
Inapplicable Scope:
- Theoretical vulnerabilities without an actual proof of concept
- Email verification defects, expiration of password reset links, and password complexity policies
- Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM/DMARC)
- Clickjacking/UI redressing with minimal security impact
- Email or mobile number enumeration (e.g. the ability to identify registered emails through password resets)
- Information leakage with minimal security impact (e.g. stack traces, path disclosure, directory listings, logs)
- Internally known issues, recurring issues, or issues already published
- Tabnabbing
- Self-XSS
- Vulnerabilities only applicable to outdated versions of browsers or platforms
- Vulnerabilities related to auto-fill of web forms
- Use of known-vulnerable libraries without an actual proof of concept
- Lack of security flags on cookies
- Issues related to unsafe SSL/TLS cipher suites or protocol versions
- Content spoofing
- Issues related to cache control
- Vulnerabilities exposing internal IP addresses or domains
- Lack of security headers that do not lead to direct exploitation
- CSRF with negligible security impact (e.g. adding to favorites or subscribing to non-vital features)
- Vulnerabilities that require root/jailbreak
- Vulnerabilities that require physical access to the user’s device
- Issues with no security impact (e.g. failure to load a web page)
- Assets not belonging to KuCoin
- Phishing (e.g. HTTP basic authentication phishing)