PGP-28 | Immunefi Bug Bounty Program

Summary:

This proposal aims to engage Immunefi to provide an always-on, fully managed bounty program with 24/7 managed triage service and one mitigation review for Parallel, for a period of 12 months.

Rationale:

Web3 security is never guaranteed even after multiple thorough internal and external audits. Bug bounty programs have proven to be essential and effective last lines of defense across the industry.

A bug bounty program (BBP) is an open invitation to Immunefi’s community of more than 45,000 security researchers (SRs), including over 1,000 SRs who have averted material bugs, to analyse and report vulnerabilities in a project’s web2 and web3 assets in exchange for pre-defined rewards.

Take this example: nearly all of Immunefi’s clients have been audited before they launched a BBP, often multiple times. Yet, 80% of the time, Immunefi’s BBPs have surfaced critical bugs missed in audits in the first year after being launched. As of June 2025, Immunefi’s programs have paid over $119M USD in bounties to SRs, which is more than all other crypto crowdsourced security platforms combined. And, in 2024 alone, Immunefi’s programs have disclosed more than 400 critical bugs.

Immunefi is the largest onchain security platform, having prevented over $25B of funds from being lost to hacks and currently helps protect over $110B in user funds. It is specialized in surfacing the most mission-critical smart contract and blockchain vulnerabilities before they can be exploited, and its entire product is built around serving this need. Today, Immunefi works with leading projects including Sky (fka MakerDAO), Optimism, Polygon, GMX, Chainlink, TheGraph, Lido, LayerZero, Arbitrum, Starknet, EigenLayer, and many more, all publicly listed on its website.

1. Program details:

Immunefi proposes a maximum reward of $250,000 USD for the most critical impacts of Parallel Protocol’s bug bounty program. Reward amounts will be adjusted depending on the impact and the volume of the funds at risk (e.g. the maximum reward would only be paid if it is proven that a vulnerability would allow exploitation of PAR’s current total value locked of +$2.5M).

A minimum reward of $50,000 USD should be paid for other critical bugs in order to incentivize SRs against withholding reports. Moreover, the validity of every single bug report will be determined not by Immunefi, but by Parallel’s bug bounty program administrators. However, the Immunefi mediation team will be available whenever there are any disputes in any of the bug report submissions. Cooper Labs, Mimo Labs, and the Immunefi teams determined these amounts according to industry best practices and by benchmarking the programs of similar projects on our platform.

The complete program rules can be analyzed here.

We propose to appoint Mimo Labs and Cooper Labs as administrators of the bug bounty program. They will be responsible for validating bug reports and will have the authority to transfer funds from the insurance fund without proposal, conditioned to a post detailing the bug found, the amount paid and its resolution. These teams can also update the program at any time.

The BBP service includes the hosting and design of the bounty program, a co-marketing plan, 24/7 coverage managed triage plan, one mitigation review, and free access to a Safe Harbor module. This means Immunefi’s internal triage team will filter all spam and low-quality reports, and will manage other initial engagements with the SR as per its Time Saver plan, helping to minimize the time triaging reports by Parallel’s administrators. Immunefi’s Safe Harbor is a legal framework developed by the Security Alliance (SEAL) for protocols to empower whitehat SRs to rescue funds during a blackhat attack and redirect those funds back to a protocol-controlled vault on Immunefi’s platform, in exchange for up to 60% of the max critical reward to deter against abuses.

2. Requested budget:

The total cost for the first year for this service will be $38,530, payable in USDC. It is an all-inclusive price. So, no matter how many bugs are found, no additional fee will be payable to Immunefi.

This model allows Parallel to keep bounties high and attractive while having a fixed and dependable security investment, and allows Immunefi’s team to mediate cases in a completely unbiased manner leading to ideal outcomes for projects and security researchers alike, while avoiding the bias risked by a bounty performance-based commission fee.

This price includes a discount from our standard rate that requires Parallel to set up a vault on Immunefi’s platform and fund it with at least $5,000 at any time, to foster trust with the security community and save time when processing bug payments to SRs. Parallel’s BBP will be featured on Immunefi’s homepage leaderboard, which is ranked by the amount of funds held in a program’s vault.

We appreciate Parallel DAO’s members taking time to read through our proposal and remain available to answer any questions you may have.

Means:

  • Human Resources: Mimo Labs & Cooper Labs will be responsible for managing this program, albeit at a very reduced time requirement given the BBP includes a comprehensive managed triage plan.

  • Treasury Resources: $38,530 worth of PAR/paUSD/USDC on Ethereum for Immunefi bug bounty service. $5,000 worth of PAR/paUSD/USDC on Ethereum to be transferred to the Immunefi vault for bug bounty payments.

Technical implementation:

On Ethereum:

  • The DAO Multisig signers will transfer $38,530 worth of PAR/paUSD/USDC from the Parallel Insurance Fund Multisig to 0x7119f398b6C06095c6E8964C1f58e7C1BAa79E18 (Immunefi)
  • The DAO Multisig signers will transfer $5,000 worth of PAR/paUSD/USDC from the Parallel Insurance Fund Multisig to the Immunefi vault

Voting options:

  • For the Bug Bounty Program
  • Against / Rework the Proposal
  • Abstain

Sentiment poll:

  • For the bug bounty program

  • Against / Rework the Proposal

  • Abstain


Author(s): Immunefi


Hey Parallel community, happy to answer any questions you may have about this proposal.

Looking forward to hearing from you.


MTTMCOM Question 4:

As for the Immunefi Bug Bounty Program, overall I am in support of any initiative that increases the protocol security. However, as I mentioned before in regards to my concerns over MIMO’s backing and support of Parallel, I would suggest for a scenario where MIMO Labs pays for the 38.53K first, and the DAO to reimburse MIMO Labs in full after 12 months at the end of the bounty program. Again, I would like to stress that as it currently stands, the DAO has only a little over 1 million in our treasury. Every single cent that we can save, every single payment that we can defer, should be done so that as a protocol, we have a higher chance of survival. Honestly, it is ridiculous that we would have to discuss over saving 38K but given how budget constrained we have been made to be, we have to be frugal and efficient with our precious capital.

There seems to be some confusion. We were not involved in writing this proposal, as mentioned by the proposal’s authors.
Furthermore, we are not interested in offering an under-collateralized 0-rate loan to the DAO.

However, we fully support this proposal, which we believe is essential to give both partners, integrators and protocol users greater confidence in the Parallel Protocol, while providing a clear framework for potential white-hats.

The amount of $38.5k for 1 year seems reasonable for what Immunefi is proposing. This would represent approximately 4.70% of the insurance fund holdings, which seems coherent to us.


The proposal is now live on Snapshot from June 17th at 2pm CET until June 24th at 2pm CET: https://snapshot.box/#/s:mimo.eth/proposal/0x3aaaa6e8521420387bd9cc2834d47e0c7a95b20bd93469582cf3b015c3469de4
