Kuna Crypto Exchange: Program Info

Triaged by HackenProof

The first public crypto exchange, which launched the development of basic infrastructure for the innovative finteсh-projects both in Ukraine and in foreign markets. TOP cryptocurrencies and tokens, high level of security and reliability, user-friendly interface, advanced API and respectful customer support round the clock.

In Scope

Target Type Severity Reward
  • Admin panel KunaPay
Web Critical Bounty
  • Merchant front KunaPay
Web Critical Bounty
  • API KunaPay
API Critical Bounty
  • Main KunaPro web platform
Web Critical Bounty
  • API KunaPro
API High Bounty
  • iOS mobile app
iOS High Bounty
  • Android mobile app
Android High Bounty
Web Low Reputation

Out of scope

Target Type Severity
  • Hosted by third party
Web None
  • Hosted by third party
Web None
Web None

In-Scope Vulnerabilities

  • Remote Code Execution which leads to exchange's money access – 5 000 $
  • Significant manipulation of account balance – 2 500 $
  • XSS/CSRF/Clickjacking affecting sensitive actions with clear PoC and significant impact [1] – 2 500 $
  • Theft of privileged information [2] – 1 500 $
  • Partial authentication bypass – 500 $
  • Other XSS (excluding Self-XSS) – 500 $
  • Other vulnerability with clear potential for financial or data loss – 500 $
  • Other CSRF (excluding logout CSRF) – 125 $

[1] Sensitive actions include: depositing, trading, or sending money; OAuth or API Key actions whish lead to stealing user's money

[2] Privileged information includes: passwords, API keys, bank account numbers, social security numbers or equivalent

In some cases, we may reward other best practice or defense in depth reports at our own discretion. All services provided by KUNA Exchange are eligible for our bug bounty program, including the API and Exchange. In general, anything which has the potential for financial loss or data breach is of sufficient severity.

Out-of-Scope Vulnerabilities

  • UI and UX bugs and spelling or localization mistakes.
  • Vulnerabilities in third-party applications
  • Session issues
  • Descriptive error messages (e.g. Stack Traces, application or server errors)
  • Open redirects. 99% of open redirects have low security impact. For the rare cases where the impact is higher, e.g., stealing auth tokens, we do still want to hear about them
  • Publicly accessible login panels without proof of exploitation.
  • Reports that state that software is out of date/vulnerable without a proof of concept.
  • Host header issues without proof-of-concept demonstrating the vulnerability.
  • HTTP codes/pages or other HTTP non- codes/pages.
  • Fingerprinting/banner disclosure on common/public services.
  • Disclosure of known public files or directories, (e.g. robots.txt).
  • Clickjacking/Tapjacking and issues only exploitable through clickjacking/tapjacking.
  • Any CSRF
  • Application Error Disclosure
  • User enumeration
  • Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
  • Lack of Secure/HTTPOnly flags on non-security-sensitive Cookies.
  • OPTIONS HTTP method enabled
  • Lack of Security Speed bump when leaving the site.
  • Weak Captcha
  • Content injection issues.
  • HTTPS Mixed Content Scripts
  • Content Spoofing without embedded links/html
  • Self-XSS that cannot be used to exploit other users (this includes having a user paste JavaScript into the browser console).
  • Reflected File Download (RFD).
  • Best practices concerns.
  • Highly speculative reports about theoretical damage. Be concrete.
  • Missing HTTP security headers, specifically, For e.g.
  • Strict-Transport-Security
  • X-Frame-Options
  • X-XSS-Protection
  • Host Header
  • X-Content-Type-Options
  • Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP
  • Content-Security-Policy-Report-Only
  • Infrastructure vulnerabilities, including:
  • Certificates/TLS/SSL related issues
  • DNS issues (i.e. mx records, SPF records, DMARC records, etc.)
  • Server configuration issues (i.e., open ports, TLS, etc.)
  • Outdated web browsers: vulnerabilities contingent upon outdated or unpatched browsers will not be honored, including Internet Explorer all versions
  • Vulnerabilities involving active content such as web browser add-ons
  • XSS issues that affect only outdated browsers (like Internet Explorer)
  • Issues that require physical access to a victim’s computer.
  • Physical or social engineering attempts (this includes phishing attacks against employees).
  • Recently disclosed 0day vulnerabilities.
  • Microsites with little to no user data
  • Most brute forcing issues
  • Denial of service
  • Spamming
  • Avoid compromising any personal data, interruption or degradation of any service .
  • Don’t access or modify other user data, localize all tests to your accounts.
  • Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks or spam.
  • In case you find chain vulnerabilities we pay only for vulnerability with the highest severity.
  • Only the first valid bug is eligible for reward.
  • Don’t disclose publicly any vulnerability until you are granted permission to do so.
  • Don’t break any law and stay in the defined scope.
  • Comply with the rules of the program.
  • The rewards will be paid out in HKN based on the current price.
  • Any details of found vulnerabilities must not be communicated to anyone who is not a HackenProof Team or an authorized employee of this Company without appropriate permission.

Responsible disclosure includes:

  • Providing us a reasonable amount of time to fix the issue before publishing it elsewhere.
  • Making a good faith effort to not leak or destroy any KUNA Exchange user data.
  • Not defrauding KUNA Exchange users or KUNA itself in the process of discovery.