BugHunters — Bug Bounty Platform

    Kraken

    Crypto/DeFi

    One of the oldest and most trusted cryptocurrency exchanges, known for strong security practices and wide asset support.

    https://kraken.com

    Max Reward

    $100,000

    Total Paid

    $2,900,000

    Resolved

    234

    Avg Response

    2 days

    In-Scope Assets

    kraken.com

    Exchange platform and trading terminal

    Kraken API

    REST and WebSocket APIs

    Kraken Pro

    Advanced trading interface

    Kraken Wallet

    Self-custody wallet application

    Out of Scope

    • Kraken NFT marketplace (beta)
    • Educational content
    • Marketing pages

    Severity Levels & Rewards

    Critical

    RCE, authentication bypass, privilege escalation, fund extraction

    High

    Stored XSS, CSRF with impact, API abuse, data manipulation

    Medium

    Reflected XSS, data leakage, logic flaws, information disclosure

    Low

    Verbose errors, minor config issues, low-impact info disclosure

    Active Bounties (2)

    ID       Title                                                            Severity  Status    Reward            Submissions
    KRK-001  Withdrawal address whitelist bypass via API parameter pollution  Critical  Open      $25,000–$100,000  0
    KRK-002  Information disclosure in verbose trading error messages         Low       Resolved  $200–$500         3

    Rules of Engagement

    • Do not access, modify, or delete data belonging to other users.

    • Do not perform denial-of-service attacks or automated scanning at high volume.

    • Report vulnerabilities promptly and provide sufficient detail to reproduce.

    • Allow reasonable time for a fix before public disclosure (90 days).

    • Safe harbor: We will not pursue legal action against researchers acting in good faith within these rules.