Kraken Bug Bounty program patches isolated bug
As part of our ongoing commitment to enhance the overall security of the crypto ecosystem, we’re informing the crypto community that we have patched an isolated bug in our deposit and funding systems. No client assets were impacted or vulnerable leading up to this disclosure. Kraken has fixed the bug.
The bug was initially discovered by a third-party security research company who had exploited the flaw for financial gain before reporting it to Kraken’s Bug Bounty program. This flaw allowed certain users, for a short period of time, to artificially increase the value of their Kraken account balance without fully completing a deposit.
On discovery, a cross-functional effort at Kraken mitigated the issue in less than an hour. We then thoroughly tested the solution to guard against similar issues in the future.
Unfortunately, the third-party researchers that discovered the bug acted in bad faith and outside the rules of our established Bug Bounty program, which has been in operation for nearly a decade. Bug bounty program industry best practices generally involve careful collaboration between both parties, with security researchers expected to:
- Exploit only what is needed to prove a security vulnerability
- Promptly return assets that have been extracted
- Provide details of testing, such as proof-of-concept code, that allows the company to assist with the identification and remediation of the underlying flaw
We won’t be crediting the researcher of this disclosure because they didn’t comply with any of these industry expectations.
In return for bug bounty reports, developers like Kraken are expected to be attentive, patch the underlying issue quickly and publicly recognize the incredible work of the researcher. Most importantly, they’re also expected to reward the researcher with a generous bounty. We actively moved to hold up our side of this deal.
Security research is nothing new for Kraken, which has deep roots in the info-sec industry. Our Kraken Security Labs team has a track record of discovering and reporting security vulnerabilities to other crypto vendors, including Ledger and Trezor, to help them improve their products.
We understand the value that external security research can bring and how it can enhance the broader ecosystem. There’s simply no better way to secure all users on the crypto frontier than to work collaboratively.
“As a leader with roots in the hacking community, I can attest to the importance of leveraging the skills, knowledge and expertise across the security community to enhance companies’ security strategies and risk management controls,” said Nick Percoco, Kraken Chief Security Officer.
We see our Bug Bounty program as a vital shield to Kraken’s mission and a key part of our efforts to enhance our overall security systems and processes. We have worked with many talented, good faith security researchers over the years, and look forward to continuing this work in the future.