Skip to content

Security: CryptoMehis/Firstance-Program

Security

SECURITY.md

Security Policy

Firstance — pump.fun Automated Vault + Rule Engine (Solana / Anchor program).

  • Program ID (mainnet): FirstJpXgzGf2oBDsEa2eAqez2fKJdAUJi6R7gP7PXbj
  • The deployed binary carries an on-chain security.txt (neodyme standard) that mirrors this policy. It is visible in the Solana Explorer Security tab.

Reporting a vulnerability

Please report suspected vulnerabilities privately — do not open a public issue, disclose publicly, or exploit the finding on mainnet before we respond.

Include, where possible:

  • affected instruction / account / code path,
  • a description of the impact (fund loss, freeze, authority bypass, etc.),
  • reproduction steps or a proof-of-concept (devnet preferred),
  • your assessment of severity.

Our commitment

  • We aim to acknowledge your report within 72 hours.
  • We will keep you updated on remediation progress.
  • We request a 90-day coordinated-disclosure window (or until a fix ships, whichever comes first) before any public write-up.
  • With your consent, we will credit you in the release notes / acknowledgements.

Scope

In scope

  • The pumpfun-vault Anchor program (programs/pumpfun-vault/): vault logic, rule engine, oracle parsing, sell/withdraw/sweep/finalize instructions.
  • The off-chain keeper (keeper/) where a bug leads to loss or misdirection of on-chain funds.

Out of scope

  • Findings that require a compromised upgrade authority or keeper private key.
  • Third-party programs (pump.fun / PumpSwap, Pyth, SPL) — report those upstream.
  • Market/price movement, MEV, and generic RPC-availability issues.

Status

⚠️ This program is unaudited — a third-party audit is recommended before relying on it with significant value.

There aren't any published security advisories