Do NOT report security vulnerabilities through public GitHub issues.

Instead, please open a private security advisory on GitHub.

• Description of the vulnerability
• Steps to reproduce
• Affected package(s) and version(s)
• Potential impact assessment
• Suggested fix (if you have one)

We follow responsible disclosure and will credit reporters in the changelog unless you prefer anonymity.

• Vulnerabilities in any @pumpkit/* package code
• Solana RPC data handling (malicious RPC responses)
• Telegram bot token exposure risks
• Private key exposure in logs, messages, or storage
• SQL injection in SQLite queries (@pumpkit/tracker)
• Message formatting injection (HTML/Telegram)
• Dependency vulnerabilities in production packages
• Docker image security (exposed ports, secrets in layers)

• Pump.fun on-chain program vulnerabilities (report to Pump.fun directly)
• Telegram API vulnerabilities (report to Telegram)
• grammy framework vulnerabilities (report upstream)
• Social engineering attacks
• Denial of service against RPC endpoints

• Bot tokens are loaded from environment variables only — never hardcoded
• Tokens are never logged or included in error messages
• Each bot (monitor, tracker, channel, claim) uses a separate token

• No private keys are handled by PumpKit bots — they are read-only monitors
• RPC URLs support fallback rotation for reliability
• WebSocket URLs are derived from RPC URLs when not explicitly set

• SQLite with parameterized queries — no string concatenation for SQL
• Database file stored locally with restricted permissions
• No sensitive data (keys, tokens) stored in the database

• All Telegram messages use HTML parse mode with proper escaping
• User-provided input (wallet addresses, token names) is sanitized before display
• No arbitrary code execution from message content

• Multi-stage builds to minimize image size and attack surface
• Non-root user in production containers
• No secrets baked into Docker layers — use environment variables at runtime