KuCoin: Program Info

KuCoin

KuCoin is a global cryptocurrency exchange for numerous digital assets and cryptocurrencies. Launched in September 2017, KuCoin has grown into one of the most popular crypto exchanges and already has over 8 million registered users across 207 countries and regions around the world.

In Scope

Target                                  URL                               Type     Severity  Reward
KuCoin Mobile Application for Android   https://www.kucoin.com/download   Android  Critical  Bounty
KuCoin Mobile Application for iOS       https://www.kucoin.com/download   iOS      Critical  Bounty
*.kucoin.com                                                              Web      Critical  Bounty

Out of scope

Target                               Type  Severity
(target name missing on the page)    Web   None
(target name missing on the page)    Web   None
(target name missing on the page)    Web   None
(target name missing on the page)    Web   None
intro.kucoin.com                     Web   None
cert.kucoin.com                      Web   None
passport.kucoin.com                  Web   None
SandBox: sandbox-*.kucoin.com        Web   None
SandBox: *-sdb.kucoin.com            Web   None
SandBox: *-sandbox.kucoin.com        Web   None

IN-SCOPE VULNERABILITIES - WEB

We are mostly interested in the following vulnerabilities:

  • Business logic issues that can cause a loss of user funds/assets
  • Payments manipulation
  • Remote code execution (RCE)
  • Leakage of sensitive information
  • OWASP Top 10 issues such as XSS, CSRF, SQLi, SSRF, IDOR
  • Other vulnerabilities with a clear potential loss

IN-SCOPE VULNERABILITIES - MOBILE

  • Mobile issues that allow any external website to be loaded through an unsafe deep link handler without restriction.
  • Mobile issues that abuse a JSBridge/JavascriptInterface to attack users.
  • Other vulnerabilities with a clear potential loss

OUT OF SCOPE - WEB

  • Theoretical vulnerabilities without actual proof of concept
  • Community Broken Link Hijacking
  • Email verification deficiencies, expiration of password reset links, and password complexity policies
  • Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM/DMARC)
  • Clickjacking/UI redressing with minimal security impact
  • Vulnerabilities in third-party applications
  • Recently (less than 30 days) disclosed 0day vulnerabilities
  • Social engineering, phishing, physical, or other fraud activities
  • Denial of service
  • Email or mobile enumeration (E.g. the ability to identify emails via password reset)
  • Information disclosure with minimal security impact (E.g. stack traces, path disclosure, directory listings, logs)
  • Internally known issues, duplicate issues, or issues which have already been made public
  • Tab-nabbing
  • Phishing attack
  • Self-XSS
  • Vulnerabilities only exploitable on out-of-date browsers or platforms
  • Vulnerabilities related to auto-fill web forms
  • Use of known vulnerable libraries without actual proof of concept
  • Lack of security flags in cookies
  • Issues related to unsafe SSL/TLS cipher suites or protocol version
  • Content spoofing
  • Cache-control related issues
  • Exposure of internal IP address or domains
  • Missing security headers that do not lead to direct exploitation
  • CSRF with negligible security impact (E.g. adding to favourites, adding to cart, subscribing to a non critical feature)
  • Issues that have no security impact (E.g. Failure to load a web page)
  • Assets that do not belong to KuCoin
  • Any activity (like DoS/DDoS) that disrupts our services
  • Installation Path Permissions
  • Reports from automated tools or scans
  • Links to invalid/expired pages (Only valid if you can demonstrate an actual takeover of an official KuCoin social media account linked to on every page, not just specific past announcements/blog posts)

OUT OF SCOPE - MOBILE

  • Vulnerabilities that require root/jailbreak
  • Vulnerabilities that require physical access to a user's device
  • Vulnerabilities requiring extensive user interaction
  • Exposure of non-sensitive data on the device
  • Reports from static analysis of the binary without PoC that impacts business logic
  • Lack of obfuscation/binary protection/root(jailbreak) detection
  • Bypass certificate pinning on rooted devices
  • Lack of Exploit mitigations i.e., PIE, ARC, or Stack Canaries
  • Sensitive data in URLs/request bodies when protected by TLS
  • Path disclosure in the binary
  • OAuth & app secret hard-coded/recoverable in IPA, APK
  • Reports from automated tools or scans
  • Sensitive information retained as plaintext in the device’s memory
  • Crashes due to malformed URL Schemes or Intents sent to exported Activity/Service/Broadcast Receiver (exploiting these for sensitive data leakage is commonly in scope)
  • Any kind of sensitive data stored in-app private directory
  • Runtime hacking exploits using tools such as, but not limited to, Frida, Xposed, Appmon (exploits only possible in a jailbroken environment)
  • Shared links leaked through the system clipboard
  • Exposure of API keys with no security impact (Google Maps API keys etc.)
  • Everything included in the OUT OF SCOPE - WEB section

More Details about KuCoin's Vulnerability Bounty

Extreme (1,000,000 $):

    Vulnerabilities that are especially serious or have great influence

Critical (50,000 - 100,000 $, plus an additional bounty that varies):

    1. RCE on a Staking node

    2. Vulnerabilities that give direct access to the core business of the system and have the potential to do great harm

High Risk (2,000 - 49,999 $):

    1. Leakage of sensitive user information (greater than 15%)

    2. User 2FA bypass

    3. Unauthorized access, serious SQL injection

Medium Risk (500 - 1,999 $):

    1. Issues that affect the use of the service for some users, or that allow access to or modification of user information

    2. Leakage of sensitive user information (3% - 15%)

    3. Security vulnerabilities that disrupt the normal transactions of more than 1,000 users

Low Risk (50 - 499 $):

    1. Text message bombs, non-sensitive information leaks, etc.

    2. Server security compromised due to a configuration leak.

    3. Leakage of sensitive user information (less than 3%)

More about KuCoin's threat intelligence bounty scope (for the threat hunter bounty)

Critical (5,000 - 10,000 $, additional bounty varies):

    1. Intrusion intelligence on core systems that provides key information such as traceability analysis of the intrusion event and the attacker's identity.

    2. Information that can have a significant impact on KuCoin's revenue (such as large-scale "wool harvesting", i.e. abuse of promotions and rewards, serious payment risk information, etc.).

    3. Threat organization activity intelligence that has an extremely significant impact on core products and that provides traceability information on the threat organization.

    4. Large-scale sensitive information leakage (such as user KYC credentials): provide the leaked data and trace the cause of the leak.

High Risk (1,500 - 5,000 $):

    1. Intrusion intelligence on non-core systems that provides key information such as traceability analysis of the intrusion event and the attacker's identity.

    2. Relevant information that has a greater direct impact on KuCoin's business revenue.

    3. Threat activity intelligence that can have a greater impact on KuCoin products and that provides traceability information on the threat organization.

    4. Medium-scale sensitive information leakage (such as user login credentials): provide the leaked data and trace the cause of the leak.

Medium Risk (300 - 500 $):

    1. New attack methods and technologies that can help improve the risk control system against high-risk and above-level hazards.

    2. Threat activity intelligence that can have a certain impact on KuCoin revenue.

    3. Small-scale sensitive information leakage (such as user login credentials): provide the leaked data and trace the cause of the leak.

Low Risk (50 - 150 $):

    Intelligence that has only a slight impact on KuCoin's business revenue

Out of scope (0$)

1. Information that cannot be investigated or acted upon based on what is provided, and that does not constitute actual harm

2. Known, already disclosed, or invalid information

3. Individual cases for which no proof of scale can be provided

In order to be deemed valid, a report must demonstrate a software vulnerability in a service provided by KuCoin that harms KuCoin or KuCoin customers. Reports that include a clear proof of concept or specific step-by-step instructions to reproduce the vulnerability are considerably more effective at communicating a researcher's findings and are therefore far more likely to be deemed valid.

A report must be a valid, in-scope report in order to qualify for a bounty. KuCoin awards bounties based on the severity of the vulnerability. For example:

  • P1: 50,000 - 100,000 USD, e.g. direct access to system privileges or core business, with potential for significant damage.
  • P2: 2,000 - 49,000 USD, e.g. unauthorized access, severe SQL injection, high-risk information leakage.
  • P3: 500 - 1,999 USD, e.g. affecting the use and access of a portion of our users, modifying user information, etc.
  • P4: 50 - 499 USD, e.g. text message bombs, non-sensitive information leakage, etc.

In order to give researchers general guidance on the payout that can be expected for a given report, KuCoin uses the severity of a report to place it into one of the tiers above.

The payouts listed next to each tier are bounty ranges for that tier. Bonuses in excess of the tier minimum can be awarded based on the severity of the vulnerability or the creativity of the exploitation. Researchers are also more likely to earn a larger reward for exceptionally clear and high-quality reports.
Previous bounty amounts are not considered precedent for future bounty amounts. Software is constantly changing, so the exact same vulnerability can have a drastically different security impact at different points in the development timeline.