Banner object (1)

Hack and Take the Cash !

634 bounties in database


Kuna crypto exchange



Security is our first priority - that’s why we decide to run Bug Bounty program and will pay a money for finding vulnerabilities.

Responsible Disclosure

Responsible disclosure includes:

  • Providing us a reasonable amount of time to fix the issue before publishing it elsewhere.
  • Making a good faith effort to not leak or destroy any KUNA Exchange user data.
  • Not defrauding KUNA Exchange users or KUNA itself in the process of discovery.

In order to encourage responsible disclosure, we promise not to bring legal action against researchers who point out a problem provided they do their best to follow the above guidelines.

The size of awards

The minimum payout is 96 HKN for reporting a new security vulnerability which results in a code or configuration change on our part.

There is no maximum reward, and we may award higher amounts based on the severity or creativity of the vulnerability found. Researchers are more likely to earn a larger reward by demonstrating how a vulnerability can be exploited to maximum effect.

Only unknown validated vulnerabilities will be awarded.

KUNA uses the following table as a guideline for determining reward amounts:

  • Remote Code Execution – 9615 HKN
  • Significant manipulation of account balance – 4807 HKN
  • XSS/CSRF/Clickjacking affecting sensitive actions [1] – 4807 HKN
  • Theft of privileged information [2] – 2884 HKN
  • Partial authentication bypass – 961 HKN
  • Other XSS (excluding Self-XSS) – 961 HKN
  • Other vulnerability with clear potential for financial or data loss – 961 HKN
  • Other CSRF (excluding logout CSRF) – 240 HKN
  • Other best practice or defense in depth – 96 HKN

[1] Sensitive actions include: depositing, trading, or sending money; OAuth or API Key actions
[2] Privileged information includes: passwords, API keys, bank account numbers, social security numbers or equivalent


All services provided by KUNA Exchange ( are eligible for our bug bounty program, including the API and Exchange. In general, anything which has the potential for financial loss or data breach is of sufficient severity, including:

  • XSS
  • CSRF
  • Authentication bypass or privilege escalation
  • Click jacking
  • Remote code execution
  • Obtaining user information
  • Accounting errors


In general, the following would not meet the threshold for severity:

  • Self-XSS
  • Denial of service
  • Spamming
  • Vulnerabilities in third party applications which make use of the KUNA API
  • Vulnerabilities which involve privileged access to a victim's device(s)
  • Logout CSRF
  • User existence/enumeration vulnerabilities
  • Password complexity requirements
  • Reports from automated tools or scans (without accompanying demonstration of exploitability)
  • Social engineering attacks against KUNA Exchange employees or contractors

The following domains are hosted by third parties, and are not currently eligible for our bug bounty program (unless they lead to a vulnerability on the main website):


Any other service not directly hosted or controlled by KUNA.

Hall of Fame

List your Bug Bounty for free immediately!

Contact us if you want more information.

FireBounty (c) 2015-2018