🕷️Bug Bounty

Submit Bug Report (required):

Coming Soon

Reward tiers

Critical - Up to $3,000

High - Up to $2,000

Medium - Up to $750

Low - Up to $350

Program Overview

Coming Soon

Substrate: Only the following impacts are accepted within this bug bounty program after getting reviewed by our team.

All other impacts are considered out of scope.

The Bug Bounty program is focused on preventing the following attack vectors:

  1. Transaction/consensus manipulation

  • Double-spending

  • Unauthorized token minting

  • Governance compromise

  • Getting access to an identity that can lead to unauthorized access to system’s or user’s assets.

  • Blocking/modifying processes for Governance or users from performing their tasks, generating unhandled on-chain errors.

  • Putting on-chain data into an unexpected state without interrupting the system or users from performing their tasks e.g. generating redundant events, logs, etc.

  2. Network not being able to confirm new transactions - total network shutdown

  3. Direct loss or permanent freezing of funds

The following vulnerabilities are out of scope for a reward in this program; this list includes but is not limited to:

  • Attacks that the reporter has already exploited themselves, leading to damage

  • Attacks requiring access to leaked keys/credentials

  • Attacks requiring access to privileged addresses (governance, strategist)

  • DDOS attack

  • Spamming

  • Any physical attacks against Parallel property or employees

  • Phishing or other social engineering attacks against our team

  • Denial of Service attacks

Websites and Apps

  • Theoretical vulnerabilities without any proof or demonstration

  • Attacks requiring physical access to the victim device

  • Attacks requiring access to the local network of the victim

  • Reflected plain text injection (e.g. in URL parameters, path, etc.). This does not exclude reflected HTML injection with or without JavaScript, nor persistent plain text injection

  • Self-XSS

  • Captcha bypass using OCR without impact demonstration

  • CSRF with no state modifying security impact (ex: logout CSRF)

  • Missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact

  • Server-side non-confidential information disclosure such as IPs, server names, and most stack traces

  • Vulnerabilities used only to enumerate or confirm the existence of users or tenants

  • Vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows

  • Lack of SSL/TLS best practices

  • DDoS vulnerabilities

  • Feature requests

  • Issues related to the frontend without concrete impact and PoC

  • Best-practices issues without concrete impact and PoC

  • Vulnerabilities primarily caused by browser/plugin defects

  • Leakage of non-sensitive API keys, e.g. Etherscan, Infura, Alchemy, etc.

  • Any vulnerability exploit requiring browser bugs for exploitation, e.g. CSP bypass

The following activities are prohibited by this bug bounty program:

  • Any testing with the Mainnet or public testnet contracts; all testing should be done on private testnets

  • Any testing with pricing oracles or third-party smart contracts

  • Attempting phishing or other social engineering attacks against our employees and/or customers

  • Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)

  • Any Denial of Service attacks

  • Automated testing of services that generates significant amounts of traffic

  • Public disclosure of an unpatched vulnerability in an embargoed bounty

Assets in Scope

Main network, open runtime module: https://github.com/parallel-finance/parallel

Disclaimer:

Masma team, at its discretion, reserves the ultimate right to decide and determine whether a vulnerability is eligible for a reward and its amount depending on the severity.

Terms and program durations are subject to change at any time without any prior notice.

By submitting a bug, you agree to be bound by the program rules.

A reward can only be provided if:

  • The bug wasn't reported before.

  • The Bounty Hunter does not disclose the Bug to other parties or publicly until it's fixed by the Parallel Team.

  • The Hunter didn't exploit the vulnerability or allow anyone else to profit from it.

  • The Hunter reports a bug without any additional conditions or threats.

  • The investigation was NOT conducted with Ineligible methods or Prohibited Activities.

  • The Hunter replies to our additional questions regarding the reproduction of the reported bug (if any follow) within a reasonable time.

  • When duplicate bug reports occur, we reward only the first one if it's provided with enough information for reproduction.

  • When multiple vulnerabilities are caused by one underlying issue, we will reward only the first reported.

  • The vulnerability is found in runtime pallets (bugs in tests, or in modules that aren’t part of the live runtime, are not considered vulnerabilities).

Severity Tiers

Rewards are distributed according to the potential impact of the vulnerability based on the following severity scale:

  1. Critical:

  • transaction/consensus manipulation,

  • double-spending,

  • unauthorized token minting,

  • governance compromise,

  • getting access to an identity that can lead to unauthorized access to system’s or user’s assets.

  2. High:

  • blocking or modifying processes for governance or users from performing their tasks,

  • generating unhandled on-chain errors.

These actions can lead to blocking users or governance from accessing their assets or performing system functions.

  3. Medium:

  • putting on-chain data into an unexpected state without interrupting the system or users from performing their tasks, e.g. generating redundant events, logs, etc.

A PoC and a suggested fix are not required, but including them may be grounds for a bonus provided by the team at its discretion.
