Kucoin

Triaged by HackenProof

KuCoin is a global cryptocurrency exchange for numerous digital assets and cryptocurrencies. Launched in September 2017, KuCoin has grown into one of the most popular crypto exchanges and already has over 8 million registered users across 207 countries and regions around the world.

In Scope

Target | Type | Severity | Reward
Kucoin Mobile Application for Android (https://www.kucoin.com/download) | Android | Critical | Bounty
Kucoin Mobile Application for iOS (https://www.kucoin.com/download) | iOS | Critical | Bounty
*.kucoin.com | Web | Critical | Bounty

Out of scope

Target | Type | Severity
 | Web | None
 | Web | None
 | Web | None
 | Web | None
intro.kucoin.com | Web | None
cert.kucoin.com | Web | None
passport.kucoin.com | Web | None
SandBox (sandbox-*.kucoin.com) | Web | None
SandBox (*-sdb.kucoin.com) | Web | None
SandBox (*-sandbox.kucoin.com) | Web | None

IN-SCOPE VULNERABILITIES - WEB

We are mostly interested in the following vulnerabilities:

  • Business logic issues that can cause a loss of user funds/assets
  • Payments manipulation
  • Remote code execution (RCE)
  • Leakage of sensitive information
  • OWASP Top 10 issues such as XSS, CSRF, SQLi, SSRF, IDOR
  • Other vulnerabilities with a clear potential for loss

IN-SCOPE VULNERABILITIES - MOBILE

  • Mobile issues that allow any external website to be loaded through an unsafe deeplink handler without restriction
  • Mobile issues that allow a JSBridge/JavascriptInterface to be abused to attack users
  • Other vulnerabilities with a clear potential for loss

OUT OF SCOPE - WEB

  • Theoretical vulnerabilities without actual proof of concept
  • Email verification deficiencies, expiration of password reset links, and password complexity policies
  • Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM/DMARC)
  • Clickjacking/UI redressing with minimal security impact
  • Vulnerabilities in third-party applications
  • Recently (less than 30 days) disclosed 0day vulnerabilities
  • Social engineering, phishing, physical, or other fraud activities
  • Denial of service
  • Email or mobile enumeration (E.g. the ability to identify emails via password reset)
  • Information disclosure with minimal security impact (E.g. stack traces, path disclosure, directory listings, logs)
  • Internally known issues, duplicate issues, or issues which have already been made public
  • Tab-nabbing
  • Phishing attacks
  • Self-XSS
  • Vulnerabilities only exploitable on out-of-date browsers or platforms
  • Vulnerabilities related to auto-fill web forms
  • Use of known vulnerable libraries without actual proof of concept
  • Lack of security flags in cookies
  • Issues related to unsafe SSL/TLS cipher suites or protocol version
  • Content spoofing
  • Cache-control related issues
  • Exposure of internal IP address or domains
  • Missing security headers that do not lead to direct exploitation
  • CSRF with negligible security impact (E.g. adding to favourites, adding to cart, subscribing to a non-critical feature)
  • Issues that have no security impact (E.g. Failure to load a web page)
  • Assets that do not belong to Kucoin
  • Any activity (like DoS/DDoS) that disrupts our services
  • Installation Path Permissions
  • Reports from automated tools or scans
  • Links to invalid/expired pages (Only valid if you can demonstrate an actual takeover of an official Kucoin social media account linked to on every page, not just specific past announcements/blog posts)

OUT OF SCOPE - MOBILE

  • Vulnerabilities that require root/jailbreak
  • Vulnerabilities that require physical access to a user's device
  • Vulnerabilities requiring extensive user interaction
  • Exposure of non-sensitive data on the device
  • Reports from static analysis of the binary without PoC that impacts business logic
  • Lack of obfuscation/binary protection/root (jailbreak) detection
  • Bypassing certificate pinning on rooted devices
  • Lack of exploit mitigations such as PIE, ARC, or stack canaries
  • Sensitive data in URLs/request bodies when protected by TLS
  • Path disclosure in the binary
  • OAuth & app secret hard-coded/recoverable in IPA, APK
  • Reports from automated tools or scans
  • Sensitive information retained as plaintext in the device’s memory
  • Crashes due to malformed URL Schemes or Intents sent to exported Activity/Service/Broadcast Receiver (exploiting these for sensitive data leakage is commonly in scope)
  • Any kind of sensitive data stored in the app's private directory
  • Runtime hacking exploits using tools such as, but not limited to, Frida, Xposed, or Appmon (exploits only possible in a jailbroken environment)
  • Shared links leaked through the system clipboard
  • Exposure of API keys with no security impact (Google Maps API keys etc.)
  • Everything included in the OUT OF SCOPE - WEB section

In order to be deemed valid, a report must demonstrate a software vulnerability in a service provided by Kucoin that harms Kucoin or Kucoin customers. Reports that include a clear Proof of Concept or specific step-by-step instructions to reproduce the vulnerability are considerably more effective at communicating a researcher's findings and are therefore far more likely to be deemed valid.

A report must be a valid, in-scope report in order to qualify for a bounty. Kucoin awards bounties based on the severity of the vulnerability. For example:

  • P1 3000 - 5000 USD, e.g.: direct access to system privileges or core business functions, with potentially significant damage.
  • P2 900 - 2000 USD, e.g.: unauthorized access, severe SQL injection, high-risk information leakage.
  • P3 300 - 500 USD, e.g.: affecting the use and access of a portion of our users, modifying user information, etc.
  • P4 50 - 150 USD, e.g.: text message bombing, non-sensitive information leakage, etc.

In order to provide general guidelines to researchers regarding the payouts that can be expected for a given report, Kucoin uses the severity of a report to place the report into one of the following tiers.

The payouts listed next to each tier are the bounty ranges for that tier. Bonuses in excess of the tier minimum can be awarded based on the severity of the vulnerability or the creativity of the exploitation. Researchers are also more likely to earn a larger reward for exceptionally clear and high-quality reports. Previous bounty amounts are not considered precedent for future bounty amounts. Software is constantly changing, so the exact same vulnerability can have a drastically different security impact at different points in the development timeline.