
Crypto Exchanges Rating Methodology

How is the score calculated?

Step 1

Points system

We assess each aspect of the project's security with the points system below (points first, then the observed result; each aspect scores 0-10).

SSL/TLS certificate (grade)
  10  A+
   9  A
   8  A-
   6  B
   5  C
   3  D
   2  E
   1  F
   0  T or M (certificate not trusted, or certificate name mismatch)

WAF and CDN presence
  10  Yes
   0  No

SPF record published
  10  SPF record found
   5  CNAME found where an SPF record was expected
   0  SPF record not found

DNSSEC setup
  10  DNSSEC records found
   0  DNSSEC records not found

Open ports
  10  Only ports 80 and 443 open
   5  1-3 other ports open
   0  3+ other ports open

HTTP headers (grade)
  10  A
   8  B
   6  C
   4  D
   2  E
   0  F

Spam DB presence
  10  Listed on 0 blacklists
   5  Listed on 1-3 blacklists
   0  Listed on 3+ blacklists

Cookie flags (10 points total)
  HttpOnly set
    4  Yes
    0  No
  Secure set
    4  Yes
    0  No
  SameSite set
    2  Yes
    0  No

2-factor authentication
  10  Yes
   0  No

Password requirements (10 points total)
  Minimum length greater than 8
    4  Yes
    0  No
  Requires a digit
    2  Yes
    0  No
  Requires an uppercase letter
    1  Yes
    0  No
  Requires a special character
    2  Yes
    0  No
  Passwords of 32 characters are accepted
    1  Yes
    0  No

Device management (10 points total)
  List of current sessions
    5  Yes
    0  No
  Possibility to terminate other sessions
    5  Yes
    0  No

Anti-phishing code
  10  Yes
   0  No

Withdrawal whitelist / withdrawal password
  10  Yes
   0  No

ISO 27001
  10  Yes
   0  No

Insurance fund
  10  Yes
   0  No

Bug bounty
  10  Yes, on a third-party platform
   5  Yes, self-hosted
   0  No

Pentest (points follow the scope coverage)
  10  100%
   9  90%
   8  80%
   7  70%
   6  60%
   5  50%
   4  40%
   3  30%
   2  20%
   1  10%
   0  No pentest

Data breaches
  10  None, or more than 2 years ago
   5  Yes, between 1 and 2 years ago
   0  Yes, within the last year

Previous incidents
  10  None, or more than 2 years ago
   5  Yes, between 1 and 2 years ago
   0  Yes, within the last year

Step 2

Scoring weights

We multiply each category score by its weight (the weights sum to 10):

  • Server security
    1.75
  • User security
    1.75
  • Penetration test
    2.5
  • Bug Bounty
    2.5
  • ISO 27001
    1
  • Funds insurance
    0.5
Step 3

Score calculation

We convert the weighted sum of points to a letter rating:

  Score   Rating
  < 5     D
  > 5.5   C
  > 6     CC
  > 6.5   CCC
  > 7     B
  > 7.5   BB
  > 8     BBB
  > 8.5   A
  > 9     AA
  > 9.5   AAA
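The three steps above carried through end to end, as an added worked example; this is illustration code, not CER's own tooling. All observations (cookies, ports, SPF records, grades) are constructed. Two things the page does not state are assumed here and marked in the code: a category score is the mean of its Step 1 aspects, and the final score is the weighted sum divided by the sum of the weights so that it lands on the 0-10 scale the Step 3 bands use. The handling of the overlapping "1-3" / "3+" port buckets and of the unspecified 5-5.5 band is likewise an assumption.

```python
"""Worked example of the three-step scoring pipeline (added illustration,
not CER's own tooling). Observations are constructed; aggregation of the
Step 1 aspects into categories and normalisation of the weighted sum to
the 0-10 scale are assumptions, since the page does not state them."""


# ---- Step 1: turn raw observations into the points from the table ----

def score_cookie_flags(set_cookie_headers):
    """Cookie flags: HttpOnly 4, Secure 4, SameSite 2 (max 10).

    Assumption: a flag only earns its points if every cookie carries it,
    since one unprotected session cookie is enough to lose the benefit.
    """
    cookies = []
    for header in set_cookie_headers:
        # attributes follow the first "name=value" pair, separated by ";"
        attrs = [a.strip().lower() for a in header.split(";")[1:]]
        cookies.append(attrs)

    def every_cookie_has(pred):
        return bool(cookies) and all(any(pred(a) for a in c) for c in cookies)

    points = 0
    points += 4 if every_cookie_has(lambda a: a == "httponly") else 0
    points += 4 if every_cookie_has(lambda a: a == "secure") else 0
    points += 2 if every_cookie_has(lambda a: a.startswith("samesite=")) else 0
    return points


def score_open_ports(open_ports):
    """Open ports: only 80/443 -> 10; 1-3 other ports -> 5; more -> 0.

    The table's "1-3" and "3+" buckets overlap at 3; exactly 3 extra
    ports is placed in the 5-point bucket here (assumption).
    """
    others = set(open_ports) - {80, 443}
    if not others:
        return 10
    return 5 if len(others) <= 3 else 0


def score_spf(txt_records, cname_present):
    """SPF: record found -> 10; CNAME where SPF expected -> 5; nothing -> 0."""
    if any(r.strip().lower().startswith("v=spf1") for r in txt_records):
        return 10
    return 5 if cname_present else 0


def score_password_policy(min_len, digit, upper, special, max_len):
    """Password requirements: 4 + 2 + 1 + 2 + 1 = 10 points."""
    return ((4 if min_len > 8 else 0) + (2 if digit else 0)
            + (1 if upper else 0) + (2 if special else 0)
            + (1 if max_len >= 32 else 0))


# ---- Step 2: category weights from the page (they sum to 10) ----

WEIGHTS = {"server": 1.75, "user": 1.75, "pentest": 2.5,
           "bugbounty": 2.5, "iso27001": 1.0, "insurance": 0.5}


def weighted_score(category_scores):
    total = sum(WEIGHTS[c] * category_scores[c] for c in WEIGHTS)
    return total / sum(WEIGHTS.values())  # assumption: normalise to 0-10


# ---- Step 3: rating bands, strict ">" as on the page; the page leaves
#      5..5.5 unspecified and it falls through to D here (assumption) ----

BANDS = [(9.5, "AAA"), (9.0, "AA"), (8.5, "A"), (8.0, "BBB"), (7.5, "BB"),
         (7.0, "B"), (6.5, "CCC"), (6.0, "CC"), (5.5, "C")]


def rating(score):
    for threshold, label in BANDS:
        if score > threshold:
            return label
    return "D"


def mean(values):
    return sum(values) / len(values)


def example():
    """Score a hypothetical exchange from constructed observations."""
    cookies = ["session=abc; Path=/; HttpOnly; Secure; SameSite=Lax",
               "csrf=xyz; Path=/; Secure; SameSite=Strict"]  # no HttpOnly
    server = [9,                                   # TLS grade A
              10,                                  # WAF/CDN present
              score_spf(["v=spf1 include:_spf.example.com -all"], False),
              0,                                   # no DNSSEC
              score_open_ports([80, 443, 22]),     # SSH exposed -> 5
              8,                                   # headers grade B
              10]                                  # on no blacklists
    user = [score_cookie_flags(cookies),           # 6: HttpOnly points lost
            10,                                    # 2FA offered
            score_password_policy(10, True, True, False, 64),  # 8
            10,                                    # sessions listed + terminable
            0,                                     # no anti-phishing code
            10,                                    # withdrawal whitelist
            10,                                    # no known breach
            5]                                     # incident 1-2 years ago
    categories = {"server": mean(server), "user": mean(user),
                  "pentest": 8, "bugbounty": 10, "iso27001": 0,
                  "insurance": 10}
    score = weighted_score(categories)
    return round(score, 2), rating(score)


if __name__ == "__main__":
    print(example())  # (7.59, 'BB')
```

The per-cookie rule in score_cookie_flags is the practitioner's caveat worth keeping: an exchange that sets HttpOnly on its session cookie but forgets it on a second auth-bearing cookie should not collect the 4 points, which is why the check is all-cookies rather than any-cookie.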

Certification

CER certification is given to crypto exchanges that have been assessed by our specialists according to 3 main criteria: penetration test, proof of funds, and bug bounty.

Penetration test

A crypto exchange with 10/10 for penetration test gets a tick. The highest score is given for a penetration test with 100% scope coverage. A penetration test is valid for 1 year.

Proof of funds

A crypto exchange gets a tick if the balance held on its hot and cold wallets exceeds $1M in ETH and BTC.

Bug bounty

A crypto exchange with 10/10 for bug bounty gets a tick. The highest score is given to programs run on third-party platforms. Self-hosted bug bounty programs score half as much as third-party-managed ones (5/10).

A self-hosted bug bounty program may be scored as third-party managed if the program has been reviewed by a reputable third-party auditor.

Calculate a final rating

Uncertified: 0 of 3 criteria (pentest, bug bounty, proof of funds) meet the requirements

Certified: 1 of 3 criteria (pentest, bug bounty, proof of funds) meet the requirements

Certified: 2 of 3 criteria (pentest, bug bounty, proof of funds) meet the requirements

Certified: 3 of 3 criteria (pentest, bug bounty, proof of funds) meet the requirements