Bug Bounty
Submit Bug Report (required):
Coming Soon
Reward tiers
Critical - Up to $3,000
High - Up to $2,000
Medium - Up to $750
Low - Up to $350
Program Overview
Coming Soon
Substrate: Only the following impacts are accepted within this bug bounty program, after review by our team.
All other impacts are considered out of scope.
The Bug Bounty program is focused on preventing the following attack vectors:
Transaction/consensus manipulation
Double-spending
Unauthorized token minting
Governance compromise
Getting access to an identity that can lead to unauthorized access to the system's or a user's assets.
Blocking or modifying processes so that governance or users cannot perform their tasks, or generating unhandled on-chain errors.
Putting on-chain data into an unexpected state without preventing the system or users from performing their tasks, e.g. generating redundant events, logs, etc.
Network not being able to confirm new transactions (total network shutdown)
Direct loss or permanent freezing of funds
The following vulnerabilities are out of scope for a reward in this program; this list includes but is not limited to:
Attacks that the reporter has already exploited themselves, leading to damage
Attacks requiring access to leaked keys/credentials
Attacks requiring access to privileged addresses (governance, strategist)
DDOS attack
Spamming
Any physical attacks against Parallel property or employees
Phishing or other social engineering attacks against our team
Denial of Service attacks
Websites and Apps
Theoretical vulnerabilities without any proof or demonstration
Attacks requiring physical access to the victim device
Attacks requiring access to the local network of the victim
Reflected plain text injection, e.g. in URL parameters, path, etc. This does not exclude reflected HTML injection with or without JavaScript, and does not exclude persistent plain text injection
Self-XSS
Captcha bypass using OCR without impact demonstration
CSRF with no state modifying security impact (ex: logout CSRF)
Missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact
Server-side non-confidential information disclosure such as IPs, server names, and most stack traces
Vulnerabilities used only to enumerate or confirm the existence of users or tenants
Vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows
Lack of SSL/TLS best practices
DDoS vulnerabilities
Feature requests
Issues related to the frontend without concrete impact and PoC
Best-practices issues without concrete impact and PoC
Vulnerabilities primarily caused by browser/plugin defects
Leakage of non-sensitive API keys, e.g. Etherscan, Infura, Alchemy, etc.
Any vulnerability requiring browser bugs for exploitation, e.g. CSP bypass
The following activities are prohibited by this bug bounty program:
Any testing with the Mainnet or public testnet contracts; all testing should be done on private testnets
Any testing with pricing oracles or third-party smart contracts
Attempting phishing or other social engineering attacks against our employees and/or customers
Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
Any Denial of Service attacks
Automated testing of services that generates significant amounts of traffic
Public disclosure of an unpatched vulnerability in an embargoed bounty
Assets in Scope
Main network, open runtime module: https://github.com/parallel-finance/parallel
Disclaimer:
Masma team, at its discretion, reserves the ultimate right to decide and determine whether a vulnerability is eligible for a reward and its amount depending on the severity.
Terms and program durations are subject to change at any time without any prior notice.
By submitting a bug, you agree to be bound by the program rules.
A reward can only be provided if:
The bug wasn't reported before.
The Bounty Hunter does not disclose the Bug to other parties or publicly until it's fixed by the Parallel Team.
The Hunter didn't exploit the vulnerability or allow anyone else to profit from it.
The Hunter reports a bug without any additional conditions or threats.
The investigation was NOT conducted with Ineligible methods or Prohibited Activities.
The Hunter should reply to our additional questions regarding the reproduction of the reported bug (if any) within a reasonable time.
When duplicate bug reports occur, we reward only the first one if it's provided with enough information for reproduction.
When multiple vulnerabilities are caused by one underlying issue, we will reward only the first reported.
The vulnerability is found in runtime pallets (bugs in tests, or in modules that are not part of the live runtime, are not considered vulnerabilities).
Severity Tiers
Rewards are distributed according to the potential impact of the vulnerability based on the following severity scale:
Critical:
transaction/consensus manipulation,
double-spending,
unauthorized token minting,
governance compromise,
getting access to an identity that can lead to unauthorized access to system’s or user’s assets.
High:
blocking or modifying processes for governance or users from performing their tasks,
generating unhandled on-chain errors.
These actions can lead to blocking users or governance from accessing their assets or performing system functions.
Medium:
putting on-chain data into an unexpected state without preventing the system or users from performing their tasks, e.g. generating redundant events, logs, etc.
A PoC and a suggested fix are not required, but including them may be grounds for a bonus provided by the team at its discretion.