KuCoin: Program Info


Ended 41 days ago

KuCoin is a global cryptocurrency exchange for numerous digital assets and cryptocurrencies. Launched in September 2017, KuCoin has grown into one of the most popular crypto exchanges and already has over 8 million registered users across 207 countries and regions around the world.

In Scope

Target Type Severity Reward
KuCoin Mobile Application for Android


Android Critical Bounty
KuCoin Mobile Application for iOS


iOS Critical Bounty
Web Critical Bounty

Out of scope

Target Type Severity
Web None
Web None
Web None
Web None
Web None
Web None
Web None


Web None


Web None


Web None


We are mostly interested in the following vulnerabilities:

  • Business logic issues that can cause a loss of user funds/assets
  • Payments manipulation
  • Remote code execution (RCE)
  • Leakage of sensitive information
  • Owasp Top issues such as XSS, CSRF,SQLi,SSRF,IDOR
  • Other vulnerability with a clear potential loss


  • Mobile issues that can view any external website through unsafe deeplink method without any limit.
  • Mobile issues that can use Jsbridge/javascritptinterface attack users.
  • Other vulnerability with a clear potential loss


  • Theoretical vulnerabilities without actual proof of concept
  • Community Broken Link Hijacking
  • Email verification deficiencies, expiration of password reset links, and password complexity policies
  • Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM/DMARC)
  • Clickjacking/UI redressing with minimal security impact
  • Vulnerabilities in third-party applications
  • Recently (less than 30 days) disclosed 0day vulnerabilities
  • Social engineering, phishing, physical, or other fraud activities
  • Denial of service
  • Email or mobile enumeration (E.g. the ability to identify emails via password reset)
  • Information disclosure with minimal security impact (E.g. stack traces, path disclosure, directory listings, logs)
  • Internally known issues, duplicate issues, or issues which have already been made public
  • Tab-nabbing
  • Phishing attack
  • Self-XSS
  • Vulnerabilities only exploitable on out-of-date browsers or platforms
  • Vulnerabilities related to auto-fill web forms
  • Use of known vulnerable libraries without actual proof of concept
  • Lack of security flags in cookies
  • Issues related to unsafe SSL/TLS cipher suites or protocol version
  • Content spoofing
  • Cache-control related issues
  • Exposure of internal IP address or domains
  • Missing security headers that do not lead to direct exploitation
  • CSRF with negligible security impact (E.g. adding to favourites, adding to cart, subscribing to a non critical feature)
  • Issues that have no security impact (E.g. Failure to load a web page)
  • Assets that do not belong to KuCoin
  • Any activity (like DoS/DDoS) that disrupts our services
  • Installation Path Permissions
  • Reports from automated tools or scans
  • Links to invalid/expired pages (Only valid if you can demonstrate an actual takeover of an official KuCoin social media account linked to on every page, not just specific past announcements/blog posts)


  • Vulnerabilities that require root/jailbreak
  • Vulnerabilities that require physical access to a user's device
  • Vulnerabilities requiring extensive user interaction
  • Exposure of non-sensitive data on the device
  • Reports from static analysis of the binary without PoC that impacts business logic
  • Lack of obfuscation/binary protection/root(jailbreak) detection
  • Bypass certificate pinning on rooted devices
  • Lack of Exploit mitigations i.e., PIE, ARC, or Stack Canaries
  • Sensitive data in URLs/request bodies when protected by TLS
  • Path disclosure in the binary
  • OAuth & app secret hard-coded/recoverable in IPA, APK
  • Reports from automated tools or scans
  • Sensitive information retained as plaintext in the device’s memory
  • Crashes due to malformed URL Schemes or Intents sent to exported Activity/Service/Broadcast Receiver (exploiting these for sensitive data leakage is commonly in scope)
  • Any kind of sensitive data stored in-app private directory
  • Runtime hacking exploits using tools like but not limited to Frida, Xposed,Appmon (exploits only possible in a jailbroken environment)
  • Shared links leaked through the system clipboard
  • Exposure of API keys with no security impact (Google Maps API keys etc.)
  • Everything included in the OUT OF SCOPE - WEB section

More Details about KuCoin's Vulnerability Bounty


    Vulnerabilities   that is especially serious or of great influence

Critical (50000 - 100000$ + additional bounty varies ):

    1. The RCE of the Staking node

    2. Vulnerabilities can access to the core business of the system directly has the potential to do great harm

High Risk (2000 - 49999$):

    1. Leakage of sensitive user information (greater than 15%)

    2. User 2FA bypass

    3. Unauthorized access, serious SQL injection

Medium risk(500 - 1999$):

    1. Affect the use of some users and access, modify user information

    2. Leakage of sensitive user information (3% -15%)

    3. Due to the security class vulnerability caused more than 1000 users of the normal transaction

Low Risk (50-499$):

    1. Text message bombs, non-sensitive information leaks, etc.

    2. Server security is compromised due to a configuration leak.

    3. Leakage of sensitive user information (less than 3%)

More About KuCoin threat intelligence bounty scope (For threat hunter bounty)

Critical (5000 – 10000$ additional bounty varies):

    1. The intrusion intelligence of the core system can provide key information such as intrusion event traceability analysis and the attacker's identity. 

    2. Information that can have a significant impact on KuCoin's revenue (such as large-scale wool harvesting, serious payment risk information, etc.). 

    3. Threat organization activity intelligence that has an extremely significant impact on core products, and can provide threat organization traceability information. 

    4. Large-scale sensitive information leakage (such as user kyc credentials), provide leaked data and track the cause of the leak.

High Risk (1500 – 5000 $)

    1. Intrusion intelligence of non-core systems can provide key information such as intrusion event traceability analysis and attacker identities.

    2. Relevant information that has a greater direct impact on KuCoin's business revenue

    3. Threat activity intelligence that can have a greater impact on KuCoin products, and can provide threat organization traceability information.

    4.Medium-scale sensitive information leakage (such as user login credentials), provide leaked data and trace the cause of the leak.

Medium Risk (300 - 500 $)

    1. New attack methods and technologies that can help improve the risk control system for high-risk and above-level hazards

    2. Threat activity intelligence that can have a certain impact on KuCoin revenue

    3. Small-scale sensitive information leakage (such as user login credentials), provide leaked data and track the cause of the leak

Low Risk ( 50$-150)

    Intelligence that has only a slight impact on KuCoin's business revenue

Out of scope (0$)

1. Information that cannot be investigated and utilized based on the information provided and that does not constitute actual harm

2. Known, disclosed or invalid information

3. Individual cases, unable to provide proof of scale

In order to be deemed valid, a report must demonstrate a software vulnerability in a service provided by Kucoin that harms Kucoin or Kucoin customers. Reports that include a clear Proof of Concept or specific step by step instructions to replicate the vulnerability are considerably more effective at communicating a researcher’s findings and are therefore far more likely to be deemed valid.

A report must be a valid, in scope report in order to qualify for a bounty. Kucoin awards bounties based on severity of the vulnerability. We determine severity based on severity. For example:

  • P1 50000-100000 USD e.g : direct accesses to system privilege or core business, with potential significant damage.
  • P2 2000 - 49000 USD e.g: unauthorized access, severe SQL injection, high-risky info leakage.
  • P3 500 - 1999 USD e.g: affecting the use and access of a portion of our users, modifying user information, etc
  • P4 50 - 499 USD e.g: text message bomb, non-sensitive information leakage,etc

In order to provide general guidelines to researchers regarding the payouts that can be expected for a given report, Kucoin uses the severity of a report to place the report into one of the following tiers.

The payouts listed next to each tier are ranges of bounties for the tier. Bonuses in excess of the tier minimum can be awarded based on the severity of the vulnerability or creativity of the exploitation. Researchers are also more likely to earn a larger reward for exceptionally clear and high-quality reports.
Previous bounty amounts are not considered precedent for future bounty amounts. Software is constantly changing and therefore the given security impact of the exact same vulnerability at different times in the development timeline can have drastically different security impacts.