KuCoin Bug Bounty Program
To eliminate the system vulnerabilities and further improve the exchange functions and services of KuCoin 2.0, KuCoin is going to launch a bug bounty program to all cybersecurity researchers.

We will be contacting you through email and verify the vulnerability after we received your reports. The rewards will be paid out in KCS and once your submission is accepted, KuCoin will issue the rewards to your KuCoin account. To receive the payment, we suggest you to create a KuCoin account. Please note that the KCS rewards we issued is of equivalent value of the rewarded US dollars amount and the price of the KCS is based on the actual price you received.

Notice: Only reports with detailed description of the vulnerability and complete working proof of concept are qualified for the rewards.

To ensure that every researcher’s finding is rewarded fairly, therefore, for reporters making reports on severe issues or issues that has extreme impact on business, KuCoin would make additional rewards for the them.

If you have any questions or concerns related to the program, please feel free to contact us: snd_security@kucoin.com

Email address *
1. Targets
Applicable Scope:

-*.KuCoin.com
-*.kcs.top
-KCS wallet


Inapplicable Scope:

-support.KuCoin.com
-sandbox.KuCoin.com

2. Reward Range
Level of Severity and Reward Range

P1: $2500.00-$10,000.00 equal valued KCS

-Vulnerabilities that undermine users’ assets security
-Vulnerabilities that bypass the applications or procedures under normal trading logic
-Vulnerabilities that could remotely access basic information and authentication information of users.
-Vulnerabilities that lead to illegal acquisition of KCS
-Vulnerabilities that leak the unencrypted private keys and key seed of users


P2: $300 - $2500 equal valued KCS

-Vulnerabilities that lead to high-risk information leakage
-Vulnerabilities that cause KuCoin to be unable to respond to the API requests of users.


P3: $75.00–$300.00 equal valued KCS

-Vulnerabilities that lead to the leakage of part of the users’ info through interaction or financial fraud
-Vulnerabilities that cause KuCoin to be unable to respond to users’ requests from web or mobile sides.


P4: $10.00–$75.00 equal valued KCS

-Vulnerabilities due to product design defects but have no effect on the security of users’ assets.
-Vulnerabilities that affect the stability or availability of the Web wallet

3. Prohibited Actions
-Testing the system through accounts that are not yours
-Using tools such as scanners for automated testing
-Taking excessive request attempts
-Destruction of data
4. Reports Not Qualified for the Rewards
The following issues are not qualified for the reward:

-Theoretical vulnerabilities without actual proof of the concept
-Email verification defects, expiration of password reset links, and password complexity policies
-Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM/DMARC)
-Clickjacking/UI redressing with minimal security impact
-Email or mobile enumeration (e.g.: the ability to identify emails through password resetting)
-Information leakage with minimal security impact (e.g: stack traces, path disclosure, directory listings, logs)
-Internally known issues, recurring issues, or issues already published
-Tabnabbing
-Self-XSS
-Vulnerabilities only applicable on outdated versions of browsers or platforms
-Vulnerabilities related to auto-fill web forms
-Use of vulnerable libraries already known without actual proof of concept
-Lack of security flags in cookies
-Issues related to unsafe SSL/TLS cipher suites or protocol version
-Content spoofing
-Issues related to cache control
-Vulnerabilities exposing internal IP addresses or domains
-Lack of security headers that do not lead to direct exploitation
-CSRF with negligible security impact (e.g.: added to favorites, and subscribe non-vital features)
-Vulnerabilities that require root/jailbreak
-Vulnerabilities that require physical access to the device of users
-Issues with no security impact (e.g.: failure to load a web page)
-Assets not belonging to KuCoin
-Phishing (e.g.: HTTP basic authentication phishing)

5. Terms & Conditions
-KuCoin reserves the rights to the final explanation of the bounty program and retains the discretion to cancel or modify the rewards or bounty rules.

-The reviewing of the reports will take approximately 1-2 weeks.

-KuCoin will issue KCS rewards to your KuCoin account in two weeks after a vulnerability report is approved and verified. You may check the rewards at “Assets>My Bonus>Other Rewards”.

-The rewards will be paid out in KCS. For reports about exceptional vulnerabilities, KuCoin will provide additional rewards to the reporters.

-Only the first verified vulnerability report will receive the reward. Similar reports will not be rewarded.

-Security researchers conducting or inciting others to conduct malicious attacks to the core or common systems of -KuCoin will be deprived of the qualification for the reward.

-For researchers stealing the private data or asset information of KuCoin users, or that otherwise pose a great threat to personal or asset security of users, KuCoin will pursue relevant legal responsibilities to the violators.

Click "Next" button to submit report
Next
Never submit passwords through Google Forms.
This form was created inside of PhoenixFin Pte. Ltd.. - Terms of Service