Certification

CyberSecurity Score (CSS)_

The CyberSecurity Score is a combination of server security, user security, preventive security and historical hack cases.

• AAA>9,5
• AA>9
• A>8,5
• BBB>8
• BB>7,5
• B>7
• CCC>6,5
• CC>6
• C>5,5
• D<5

The CyberSecurity Score calculates as a sum of factors

• 1.75

  Server security

• 1.75

  User security

• 2.5

  Penetration test

• 2.5

  Bug bounty

• 1

  ISO 27001

• 0.5

  Funds insurance

• Server Security

  • SSL TLS
  • WAF CDN
  • DNS SEC
  • SPF
  • Open ports
  • Http security headers
  • Spam db
  • Cookie security flags

• User Security

  • 2-factor auth
  • Captcha
  • Password Requirements
  • Device management
  • Anti-phishing code
  • Withdrawal whitelist
  • Previous hack cases

• Preventive security

  • BugBounty
  • Penetration test
  • ISO 27001
  • Funds Insurance

Penetration Test_

Penetration testing, also known as Ethical hacking is a critical tool for analyzing the security of IT systems. The objective of a penetration testing is to identify ways to exploit vulnerabilities to circumvent or defeat the security features of system components by simulated attacks in a controlled environment carried out by third-party security specialists who employ the same techniques as attackers located outside the system infrastructure.

Penetration tests submitted for certification should meet generally recognizedrequirements

Proof of Funds_

Another important criterion to be certified is the proof of funds as claimed by cryptocurrency exchanges. Insolvent exchanges can lead to massive damages to users, especially when withdrawals exceed the available funds on the exchange. To combat this, CER requires exchanges to:

• 

  Identifiable Wallets

  All wallet addresses owned by the cryptocurrency exchange must be publicly disclosed and provable on blockchain explorers.

• 

  Minimum Funding Limit

  Certification of cryptocurrency exchanges will only be conducted for exchanges with a wallet balance of more than $1 million USD (in ETH and BTC terms).

Bug Bounty_

The fourth component of certification is a Live Bug Bounty program, which is an activity aimed at finding vulnerabilities by leveraging the power of the ethical hackers’ community. A pool of thousands of individuals with varied skills and backgrounds produces robust results and thanks to continual testing, crypto exchanges can improve the quality of their infrastructures by eliminating high-frequency functional bugs before they can do significant damage.
Self-hosted bug bounty programs are evaluated twice less than third-party managed (1.25 from 2.5 points). Currently, we dont provide a certificate for self-hosted programs.
A self-hosted bug bounty program may be evaluated as third-party managed if the platform provides a review from a well-known third-party auditor company.