KUNA Bug Bounty Program
Security is our first priority. That is why we have decided to run a Bug Bounty program and will pay money for vulnerabilities found.
Responsible Disclosure
Responsible disclosure includes:
- Providing us a reasonable amount of time to fix the issue before publishing it elsewhere.
- Making a good faith effort to not leak or destroy any KUNA Exchange user data.
- Not defrauding KUNA Exchange users or KUNA itself in the process of discovery.
Rewards
There is no maximum reward, and we may award higher amounts based on the severity or creativity of the vulnerability found. Researchers are more likely to earn a larger reward by demonstrating how a vulnerability can be exploited to maximum effect.
We use the following table as a guideline for determining reward amounts:
Remote Code Execution – $5,000
Significant manipulation of account balance – $2,500
XSS/CSRF/Clickjacking affecting sensitive actions – $2,500
Theft of privileged information – $1,500
Partial authentication bypass – $500
Other XSS (excluding Self-XSS) – $500
Other vulnerability with clear potential for financial or data loss – $500
Other CSRF (excluding logout CSRF) – $125
In some cases, we may reward other best-practice or defense-in-depth reports at our own discretion.
Sensitive actions include: depositing, trading, or sending money; OAuth or API key actions.
Privileged information includes: passwords, API keys, bank account numbers, social security numbers or equivalent.
Eligibility
All services provided by KUNA Exchange are eligible for our bug bounty program, including the API and Exchange. In general, anything which has the potential for financial loss or data breach is of sufficient severity, including:
- Authentication bypass or privilege escalation
- Clickjacking
- Remote code execution
- Obtaining user information
- Accounting errors
- Denial of service
- Vulnerabilities in third party applications which make use of the KUNA API
- Vulnerabilities which involve privileged access to a victim's device(s)
- Logout CSRF
- User existence/enumeration vulnerabilities
- Password complexity requirements
- Reports from automated tools or scans (without accompanying demonstration of exploitability)
- Social engineering attacks against KUNA Exchange employees or contractors
- Any other service not directly hosted or controlled by KUNA.