Cryptoexchanges Rating Methodology

SSL/TLS Certificate

A robust SSL/TLS certificate with strong encryption and proper server configuration ensures secure communications between servers and clients.

For detailed best practices, please review the SSL/TLS Deployment Best Practices document.

Example tool for checking SSL/TLS score: SSL Labs SSL Test.

WAF and CDN presence

Web Application Firewall (WAF) combined with Content Delivery Network (CDN) services provides protection against web-based threats while optimizing global traffic distribution and website availability.

Providers like Cloudflare and AWS offer integrated WAF solutions.

Example tool for evaluation: Wappalyzer extension.

SPF and DNSSEC Presence

These protocols protect email integrity and secure DNS lookups. SPF validates email sources to prevent spoofing, while DNSSEC secures DNS queries against tampering. Both implementations are scored independently.

Example tool for checking SPF & DNSSEC: MXToolbox SuperTool.

HTTP Headers

HTTP response headers must be configured to enforce modern security policies that reduce exposure to web vulnerabilities.

For guidance on proper header configuration, please refer to the Security Headers documentation.

Example Tool for checking HTTP headers: Security Headers.

Spam DB Presence

Helps in identifying and filtering out potentially malicious sources by referencing databases of known spam sources.

Cookie Flags

Cookie security is enhanced through three key flags: HTTP Only, Secure, and SameSite. These flags protect against cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks.

2-factor Authentication

Two-factor authentication adds an essential second layer of verification beyond passwords.

Password Requirements

A strict password policy enforces complexity standards including minimum length, digits, uppercase letters, and special characters.

Device Management

Device management allows users to review and manage all devices connected to their accounts, including the option to terminate any unfamiliar and unwanted sessions.

Anti-phishing Code

A customizable anti-phishing identifier that helps users to verify the authenticity of communications during login, transactions, and in received emails.

Withdrawal Whitelist

Withdrawal whitelisting restricts transfers to pre-approved addresses, thereby limiting the risk of unauthorized transactions.

Captcha

CAPTCHA implementation on registration and other key forms prevents automated attacks and ensures only legitimate user interactions occur.

ISO 27001

ISO 27001 certification demonstrates compliance with international information security management standards.

The actual certification documentation is required for validation.

CCSS

Cryptocurrency Security Standard (CCSS) certification provides specific protection against cryptocurrency-related threats with the main focus on preventing Access Control attacks.

To validate the certificate, please provide the certification ID, which can be verified through the Crypto Consortium lookup tool.

Active Bug Bounty

A structured bug bounty initiative in collaboration with reputable third parties encourages independent white-hat hackers for vulnerability reporting.

Self-hosted bug bounty programs will receive half the score.

Pentest

Penetration testing evaluates system security through simulated cyber-attacks.

Conducting annual, comprehensive penetration tests across all application layers — including web, API, and mobile — is essential to identify and mitigate security weaknesses.

Please refer to our blogpost explaining the criteria we use to evaluate the penetration tests: Penetration Test Requirements.

Insurance Fund

A dedicated reserve or insurance fund provides protection against potential losses arising from security breaches or other unforeseen incidents.

For futures exchanges, an insurance fund feature is required; spot exchanges must maintain either a dedicated reserve or third-party insurance.