Main Page
Methodology
Cryptoexchanges Rating Methodology

Cryptoexchanges Rating Methodology

How the score is calculated?

Step 1

Points system

We assess each aspect of the project’s security following a rating system

Server Security
- SSL/TLS Certificate
  Ensures secure data transmission between user browsers and the exchange's servers by encrypting communications.
  - 10
    A+
  - 9
    A
  - 8
    A-
  - 6
    B
  - 5
    C
  - 3
    D
  - 2
    E
  - 1
    F
  - 0
    T or M
- WAF and CDN presence
  Protects against web-based threats while enhancing website performance and availability globally.
  - 10
    Yes
  - 0
    No
- SPF and DNSSEC Presence
  Validates email sources to prevent spoofing and secures DNS queries against tampering, respectively.
  - 5
    SPF Record Found
  - 5
    DNSSEC Setup Found
  - 0
    Neither is found
- HTTP Headers
  Utilize security directives in web communications to protect users from common vulnerabilities like cross-site scripting and clickjacking.
  - 10
    A
  - 8
    B
  - 6
    C
  - 4
    D
  - 2
    E
  - 0
    F
- Spam DB Presence
  Helps in identifying and filtering out potentially malicious sources by referencing databases of known spam sources.
  - 10
    0 blacklists
  - 5
    1-3 blacklists
  - 0
    3+ blacklists
- Cookie Flags
  Enhances web security by marking cookies with attributes that control their transmission and storage policies.
  - 5
    HTTP Only set
  - 3
    Secure set
  - 2
    SameSite set
  - 0
    Neither is found
User Security
- 2-factor Authentication
  Adds an extra layer of security by requiring a second form of verification beyond just a password.
  - 10
    Yes
  - 0
    No
- Password Requirements
  Ensures that user-created passwords meet specific complexity standards to resist brute-force and guessing attacks.
  - 3
    Length >= 8 characters
  - 1
    Length over 32 character
  - 2
    Digit
  - 2
    Uppercase
  - 2
    Special character
- Device Management
  Allows monitoring and management of devices accessing the exchange, enhancing control over potential security vulnerabilities.
  - 5
    List of current sessions
  - 5
    Terminate other session
- Anti-phishing Code
  A personalized code shown in emails from the exchange to users, verifying the authenticity of the communication.
  - 10
    Yes
  - 0
    No
- Withdrawal Whitelist
  Limits fund withdrawals to pre-approved addresses, significantly reducing the risk of unauthorized transfers.
  - 10
    Yes
  - 0
    No
- Captcha
  Protects against automated abuse and brute-force attacks by verifying user interactions are genuinely human.
  - 10
    Yes
  - 0
    No
Certifications
- ISO 27001
  An international standard that specifies requirements for an information security management system, ensuring best practices in security measures.
  - 10
    Yes
  - 0
    No
- CCSS
  A set of security standards specifically designed to secure cryptocurrency systems and protect against common threats like access control attacks.
  - 5
    Level 1
  - 10
    Level 2
  - 10
    Level 3
  - 0
    No
Bug Bounty
- Active Bug Bounty
  Encourages ethical hackers to report vulnerabilities in exchange for rewards, helping to identify and fix security issues proactively.
  - 10
    3d party hosted
  - 5
    Self-hosted
  - 0
    No
Penetration Test
- Pentest
  A simulated cyber attack against an exchange to check for exploitable vulnerabilities.
  - 10
    100%
  - 9
    90%
  - 8
    80%
  - 7
    70%
  - 6
    60%
  - 5
    50%
  - 4
    40%
  - 3
    30%
  - 2
    20%
  - 1
    10%
  - 0
    No
Incidents and response to them
- Insurance Fund
  A reserve fund used to cover financial losses due to hacks or other security breaches, providing a safety net for users' assets.
  - 10
    Yes
  - 0
    No

Step 2

Scoring weights

We multiply the received result with the scoring system

Server Security
12
User Security
15
Pentest
25
Bug Bounty
25
ISO 27001
10
CCSS
10
Insurance Fund
3

Step 3

Score calculation

We convert the sum of scored points to the rating

90-100
AAA
85-89
AA
80-84
A
70-79
BBB
65-69
BB
60-64
B
50-59
CCC
45-49
CC
40-44
C
30-39
DDD
25-29
DD
1-24
D
0
E

Certification

CER certification is given to crypto exchanges that have been assessed by our specialists according to 3 main criteria: penetration test, proof of funds, and bug bounty.

Penetration Test
A crypto exchange with 10/10 for penetration test gets a tick. The highest point is given for penetration test with 100% scope coverage. Penetration test is valid for 1 year.
Proof of Reserves Audit
A crypto exchange gets a tick if submits a third-party audited Proof of Reserves report with Proof of Liabilities at least once a year.
Bug Bounty
A crypto exchange with 10/10 for bug bounty gets a tick. The highest point is given to the programs launched on third-party platforms. Self-hosted bug bounty programs are evaluated twice less than third-party managed (5/10).

A self-hosted bug bounty program may be evaluated as third-party managed if the platform provides a review by a reputable third-party auditor.

Calculate a final rating

Uncertified
0 of 3 criterias (pentest, bug bounty, proof of reserves audit) meet requirements
1 of 3 criterias (pentest, bug bounty, proof of reserves audit) meet requirements
2 of 3 criterias (pentest, bug bounty, proof of reserves audit) meet requirements
3 of 3 criterias (pentest, bug bounty, proof of reserves audit) meet requirements