Security/System and App Security

API Security

API Security Protocols

KuCoin has established detailed security protocols for API connections, authentication, data protection, input/output validation, and rate limiting.

API Keys and Account Segregation

API keys and secret keys are displayed only once when the API is created within the account. After that, users cannot view the created API keys and secret keys through their account. Even if a user's API key and account are compromised, isolation measures ensure the security of the user's API.

API Permissions Management

KuCoin implements permission segregation for user APIs, including general, spot trading, margin, and futures permissions. Different permission levels correspond to different operations, preventing cross-permission actions. To change permissions, users must first log into their accounts, ensuring the security of their funds.

API Validity Management

When a user's API remains unused for an extended period, it will be deactivated by the platform. To reactivate the API, the user must log into their account. Deactivating the API will not affect the funds in their account.

API Whitelisted IP Management

When users create an API or access the API management page, withdrawals can only be made from the user’s IP address and specified withdrawal addresses. This effectively reduces the risk of a security breach in the event an API key is leaked or lost.

System Security

Comprehensive Security Baselines

KuCoin adopts industry standards and best practices, combined with our own security strategies and platform features. This approach establishes secure baselines for servers and endpoints, ensuring that only necessary services are enabled.

Security Scanning

Our regular security scans aim to detect and promptly address vulnerabilities.

1. Configuration Scans: Regular scans of system configurations ensure compliance with security standards and best practices.
2. Image Scans: Regular scans of standard images ensure timely rectification of vulnerabilities and the security of deployed images.

Container Security

Scans and checks are performed on container configurations and runtime environments.

1. Container Configuration: Configurations are regularly scanned to identify and address potential risks.
2. Runtime Security: Container runtime environments are continuously monitored to ensure they are free from malware and security vulnerabilities.

Host Security Protection Measures

Real-time security scanning and intrusion protection ensure the host is free from vulnerabilities and malware.

Secure Development

Frequent testing and assessments are conducted throughout the development lifecycle to secure our code, certificates, and communications.

1. Code Scanning: Static Vulnerability Assessments (SVA) and Dynamic Vulnerability Assessments (DVA) are done in conjunction with shift-left security practices.
2. SSL/TLS Certificate Management: Standardized and centralized full-lifecycle management to protect SSL/TLS certificates.
3. Data Transmission: User data is protected via the HTTPS protocol, which supports the most advanced security protocols and blocks weak cryptographic ciphers.
4. Security Bug Bounty Program: Rewards up to $1 million for quickly identifying and addressing security vulnerabilities.

App Security

1. Centralized SSL/TLS certificate lifecycle management
2. User data transmissions are protected via the HTTPS protocol, which supports the most advanced security protocols and blocks weak cryptographic ciphers
3. Security bug bounty program of up to $1 million