Bug bounty
Triaged by HackenProof

Kuna Crypto Exchange: Program info

Kuna Crypto Exchange

Company: Kuna
This program is active now
Program infoHackers (306)

The first public crypto exchange, which launched the development of basic infrastructure for the innovative finteсh-projects both in Ukraine and in foreign markets. TOP cryptocurrencies and tokens, high level of security and reliability, user-friendly interface, advanced API and respectful customer support round the clock.

In scope
TargetTypeSeverityReward
admin.kunapay.io
  • Admin panel KunaPay
Web
Critical
Bounty
dashboard.kunapay.io
  • Merchant front KunaPay
Web
Critical
Bounty
api.kunapay.io
  • API KunaPay
API
Critical
Bounty
kuna.io
  • Main KunaPro web platform
Web
Critical
Bounty
api.kuna.io
  • API KunaPro
API
High
Bounty
https://apps.apple.com/ua/app/kuna-io-покупка-продажа-btc/id1457062155?l=ru
  • iOS mobile app
iOS
High
Bounty
https://play.google.com/store/apps/details?id=kuna.beta
  • Android mobile app
Android
High
Bounty
money.kuna.io
Web
Low
Reputation
Target
admin.kunapay.io
  • Admin panel KunaPay
TypeWeb
Severity
Critical
RewardBounty
Target
dashboard.kunapay.io
  • Merchant front KunaPay
TypeWeb
Severity
Critical
RewardBounty
Target
api.kunapay.io
  • API KunaPay
TypeAPI
Severity
Critical
RewardBounty
Target
kuna.io
  • Main KunaPro web platform
TypeWeb
Severity
Critical
RewardBounty
Target
api.kuna.io
  • API KunaPro
TypeAPI
Severity
High
RewardBounty
Target
https://apps.apple.com/ua/app/kuna-io-покупка-продажа-btc/id1457062155?l=ru
  • iOS mobile app
TypeiOS
Severity
High
RewardBounty
Target
https://play.google.com/store/apps/details?id=kuna.beta
  • Android mobile app
TypeAndroid
Severity
High
RewardBounty
Target
money.kuna.io
TypeWeb
Severity
Low
RewardReputation
Out of scope
TargetTypeSeverityReward
eos.kuna.io
  • Hosted by third party
Web
None
Bounty
investors.kuna.io
  • Hosted by third party
Web
None
Bounty
*.kuna.io
Web
None
Bounty
Target
eos.kuna.io
  • Hosted by third party
TypeWeb
Severity
None
RewardBounty
Target
investors.kuna.io
  • Hosted by third party
TypeWeb
Severity
None
RewardBounty
Target
*.kuna.io
TypeWeb
Severity
None
RewardBounty

Focus Area

In-Scope Vulnerabilities


  • Remote Code Execution which leads to exchange's money access – 5 000 $
  • Significant manipulation of account balance – 2 500 $
  • XSS/CSRF/Clickjacking affecting sensitive actions with clear PoC and significant impact [1] – 2 500 $
  • Theft of privileged information [2] – 1 500 $
  • Partial authentication bypass – 500 $
  • Other XSS (excluding Self-XSS) – 500 $
  • Other vulnerability with clear potential for financial or data loss – 500 $
  • Other CSRF (excluding logout CSRF) – 125 $

[1] Sensitive actions include: depositing, trading, or sending money; OAuth or API Key actions whish lead to stealing user's money

[2] Privileged information includes: passwords, API keys, bank account numbers, social security numbers or equivalent

In some cases, we may reward other best practice or defense in depth reports at our own discretion. All services provided by KUNA Exchange are eligible for our bug bounty program, including the API and Exchange. In general, anything which has the potential for financial loss or data breach is of sufficient severity.

Out-of-Scope Vulnerabilities


  • UI and UX bugs and spelling or localization mistakes.
  • Vulnerabilities in third-party applications
  • Session issues
  • Descriptive error messages (e.g. Stack Traces, application or server errors)
  • Open redirects. 99% of open redirects have low security impact. For the rare cases where the impact is higher, e.g., stealing auth tokens, we do still want to hear about them
  • Publicly accessible login panels without proof of exploitation.
  • Reports that state that software is out of date/vulnerable without a proof of concept.
  • Host header issues without proof-of-concept demonstrating the vulnerability.
  • HTTP codes/pages or other HTTP non- codes/pages.
  • Fingerprinting/banner disclosure on common/public services.
  • Disclosure of known public files or directories, (e.g. robots.txt).
  • Clickjacking/Tapjacking and issues only exploitable through clickjacking/tapjacking.
  • Any CSRF
  • Application Error Disclosure
  • User enumeration
  • Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
  • Lack of Secure/HTTPOnly flags on non-security-sensitive Cookies.
  • OPTIONS HTTP method enabled
  • Lack of Security Speed bump when leaving the site.
  • Weak Captcha
  • Content injection issues.
  • HTTPS Mixed Content Scripts
  • Content Spoofing without embedded links/html
  • Self-XSS that cannot be used to exploit other users (this includes having a user paste JavaScript into the browser console).
  • Reflected File Download (RFD).
  • Best practices concerns.
  • Highly speculative reports about theoretical damage. Be concrete.
  • Missing HTTP security headers, specifically, For e.g.
  • Strict-Transport-Security
  • X-Frame-Options
  • X-XSS-Protection
  • Host Header
  • X-Content-Type-Options
  • Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP
  • Content-Security-Policy-Report-Only
  • Infrastructure vulnerabilities, including:
  • Certificates/TLS/SSL related issues
  • DNS issues (i.e. mx records, SPF records, DMARC records, etc.)
  • Server configuration issues (i.e., open ports, TLS, etc.)
  • Outdated web browsers: vulnerabilities contingent upon outdated or unpatched browsers will not be honored, including Internet Explorer all versions
  • Vulnerabilities involving active content such as web browser add-ons
  • XSS issues that affect only outdated browsers (like Internet Explorer)
  • Issues that require physical access to a victim’s computer.
  • Physical or social engineering attempts (this includes phishing attacks against employees).
  • Recently disclosed 0day vulnerabilities.
  • Microsites with little to no user data
  • Most brute forcing issues
  • Denial of service
  • Spamming

Program Rules

  • Avoid compromising any personal data, interruption or degradation of any service .
  • Don’t access or modify other user data, localize all tests to your accounts.
  • Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks or spam.
  • In case you find chain vulnerabilities we pay only for vulnerability with the highest severity.
  • Only the first valid bug is eligible for reward.
  • Don’t disclose publicly any vulnerability until you are granted permission to do so.
  • Don’t break any law and stay in the defined scope.
  • Comply with the rules of the program.
  • The rewards will be paid out in HKN based on the current price.
  • Any details of found vulnerabilities must not be communicated to anyone who is not a HackenProof Team or an authorized employee of this Company without appropriate permission.

Responsible disclosure includes:

  • Providing us a reasonable amount of time to fix the issue before publishing it elsewhere.
  • Making a good faith effort to not leak or destroy any KUNA Exchange user data.
  • Not defrauding KUNA Exchange users or KUNA itself in the process of discovery.
Rewards
Range of bounty$0 - $0
Severity
Critical
$0
High
$0
Medium
$0
Low
$0
Stats
Total rewards$10,698
Submissions469
Types
Webapps
Platforms
IOSAndroid
Project types
CEX
Hackers (306) View all
Pieter H
3
Aplis Hackerwala
4
『Jarvis』ʰᵃᶜᵏᵉʳᵐᵃᶰ  
5
SLA (Service Level Agreement)
Time within which the program's triage team must respond
Response TypeBusiness days
First Response1d
Triage Time2d
Reward Time2d
Resolution Time5d