Summary:
This proposal aims to engage Immunefi to provide an always-on, fully managed bounty program with 24/7 managed triage service and one mitigation review for Parallel, for a period of 12 months.
Rationale:
Web3 security is never guaranteed even after multiple thorough internal and external audits. Bug bounty programs have proven to be essential and effective last lines of defense across the industry.
A bug bounty program (BBP) is an open invitation to Immunefi’s community of more than 45,000 security researchers (SRs), including over 1,000 SRs who have averted material bugs, to analyze and report vulnerabilities in a project’s web2 and web3 assets in exchange for pre-defined rewards.
Take this example: nearly all of Immunefi’s clients had been audited before they launched a BBP, often multiple times. Yet, 80% of the time, Immunefi’s BBPs have surfaced critical bugs missed in audits within the first year after launch. As of June 2025, Immunefi’s programs have paid over $119M USD in bounties to SRs, which is more than all other crypto crowdsourced security platforms combined. And, in 2024 alone, Immunefi’s programs have disclosed more than 400 critical bugs.
Immunefi is the largest onchain security platform, having prevented over $25B of funds from being lost to hacks and currently helps protect over $110B in user funds. It is specialized in surfacing the most mission-critical smart contract and blockchain vulnerabilities before they can be exploited, and its entire product is built around serving this need. Today, Immunefi works with leading projects including Sky (fka MakerDAO), Optimism, Polygon, GMX, Chainlink, TheGraph, Lido, LayerZero, Arbitrum, Starknet, EigenLayer, and many more, all publicly listed on its website.
Program details:
Immunefi proposes a maximum reward of $250,000 USD for the most critical impacts in Parallel Protocol’s bug bounty program. Reward amounts will be adjusted depending on the impact and the volume of funds at risk (e.g. the maximum reward would only be paid if it is proven that a vulnerability would allow exploitation of PAR’s current total value locked of +$2.5M).
A minimum reward of $50,000 USD should be paid for other critical bugs in order to incentivize SRs not to withhold reports. Moreover, the validity of every single bug report will be determined not by Immunefi but by Parallel’s bug bounty program administrators. However, the Immunefi mediation team will be available whenever there is a dispute over any bug report submission. Cooper Labs, Mimo Labs, and the Immunefi teams determined these amounts according to industry best practices and by benchmarking the programs of similar projects on our platform.
The complete program rules can be reviewed here.
We propose to appoint Mimo Labs and Cooper Labs as administrators of the bug bounty program. They will be responsible for validating bug reports and will have the authority to transfer funds from the insurance fund without a proposal, conditional on publishing a post detailing the bug found, the amount paid, and its resolution. These teams can also update the program at any time.
The BBP service includes the hosting and design of the bounty program, a co-marketing plan, a 24/7 managed triage plan, one mitigation review, and free access to a Safe Harbor module. This means Immunefi’s internal triage team will filter out all spam and low-quality reports, and will manage other initial engagements with the SR as per its Time Saver plan, minimizing the time Parallel’s administrators spend triaging reports. Immunefi’s Safe Harbor is a legal framework developed by the Security Alliance (SEAL) that allows protocols to empower whitehat SRs to rescue funds during a blackhat attack and redirect those funds back to a protocol-controlled vault on Immunefi’s platform, in exchange for up to 60% of the maximum critical reward, with the cap intended to deter abuse.
Requested budget:
The total cost for the first year of this service will be $38,530, payable in USDC. It is an all-inclusive price: no matter how many bugs are found, no additional fee will be payable to Immunefi.
This model allows Parallel to keep bounties high and attractive while having a fixed and predictable security investment. It also allows Immunefi’s team to mediate cases in a completely unbiased manner, leading to ideal outcomes for projects and security researchers alike, while avoiding the bias risked by a performance-based commission on bounties.
This price includes a discount from our standard rate, which requires Parallel to set up a vault on Immunefi’s platform and keep it funded with at least $5,000 at all times, to foster trust with the security community and save time when processing bug payments to SRs. Parallel’s BBP will be featured on Immunefi’s homepage leaderboard, which is ranked by the amount of funds held in a program’s vault.
We appreciate Parallel DAO’s members taking time to read through our proposal and remain available to answer any questions you may have.
Means:
- Human Resources: Mimo Labs & Cooper Labs will be responsible for managing this program, albeit at a very reduced time requirement given that the BBP includes a comprehensive managed triage plan.
- Treasury Resources: $38,530 worth of PAR/paUSD/USDC on Ethereum for the Immunefi bug bounty service. $5,000 worth of PAR/paUSD/USDC on Ethereum to be transferred to the Immunefi vault for bug bounty payments.
Technical implementation:
On Ethereum:
- The DAO Multisig signers will transfer $38,530 worth of PAR/paUSD/USDC from the Parallel Insurance Fund Multisig to 0x7119f398b6C06095c6E8964C1f58e7C1BAa79E18 (Immunefi)
- The DAO Multisig signers will transfer $5,000 worth of PAR/paUSD/USDC from the Parallel Insurance Fund Multisig to the Immunefi vault
Voting options:
- For the Bug Bounty Program
- Against / Rework the Proposal
- Abstain
Sentiment poll:
- For the bug bounty program
- Against / Rework the Proposal
- Abstain
Author(s): Immunefi