KUNA Bug Bounty Program

  Security is our first priority. That is why we decided to run a Bug Bounty program and will pay rewards for finding vulnerabilities.

Responsible Disclosure

Responsible disclosure includes:
  1. Providing us a reasonable amount of time to fix the issue before publishing it elsewhere.
  2. Making a good faith effort to not leak or destroy any KUNA Exchange user data.
  3. Not defrauding KUNA Exchange users or KUNA itself in the process of discovery.
In order to encourage responsible disclosure, we promise not to bring legal action against researchers who point out a problem provided they do their best to follow the above guidelines.  

Rewards

There is no maximum reward, and we may award higher amounts based on the severity or creativity of the vulnerability found. Researchers are more likely to earn a larger reward by demonstrating how a vulnerability can be exploited to maximum effect.

We use the following table as a guideline for determining reward amounts:
  • Remote Code Execution – $5,000
  • Significant manipulation of account balance – $2,500
  • XSS/CSRF/Clickjacking affecting sensitive actions [1] – $2,500
  • Theft of privileged information [2] – $1,500
  • Partial authentication bypass – $500
  • Other XSS (excluding Self-XSS) – $500
  • Other vulnerability with clear potential for financial or data loss – $500
  • Other CSRF (excluding logout CSRF) – $125

In some cases, we may reward other best practice or defense in depth reports at our own discretion.


[1] Sensitive actions include: depositing, trading, or sending money; OAuth or API Key actions
[2] Privileged information includes: passwords, API keys, bank account numbers, social security numbers or equivalent  

Eligibility

All services provided by KUNA Exchange are eligible for our bug bounty program, including the API and Exchange. In general, anything which has the potential for financial loss or data breach is of sufficient severity, including:
  • XSS
  • CSRF
  • Authentication bypass or privilege escalation
  • Clickjacking
  • Remote code execution
  • Obtaining user information
  • Accounting errors
  In general, the following would not meet the threshold for severity:
  • Self-XSS
  • Denial of service
  • Spamming
  • Vulnerabilities in third party applications which make use of the KUNA API
  • Vulnerabilities which involve privileged access to a victim's device(s)
  • Logout CSRF
  • User existence/enumeration vulnerabilities
  • Password complexity requirements
  • Reports from automated tools or scans (without accompanying demonstration of exploitability)
  • Social engineering attacks against KUNA Exchange employees or contractors
  The following domains are hosted by third parties, and are not currently eligible for our bug bounty program (unless they lead to a vulnerability on the main website):
  • support.kuna.io
  • investors.kuna.io
  • eos.kuna.io
  • Any other service not directly hosted or controlled by KUNA.
  KUNA Exchange will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award. Bounties are paid in BTC to your KUNA Exchange account. By submitting a bug, you agree to be bound by the above rules.

How To Disclose

Please submit your report via HackenProof platform:

https://hackenproof.com/kuna/kuna-crypto-exchange

Thank you for helping keep the bitcoin community safe!