pump-fun

pump-fun

@pumpfun
Live

Maximum reward

$500,000

Severity

Max. Reward

Critical

$500,000

High

$100,000

Medium

$10,000

No deposit required

Findings submitted

102

Start date

29 Mar 2025

Please sign in as a researcher to join the bounty.

Log in
InstructionsScope

In scope

Web & Mobile ApplicationsSmart Contracts

Severity

Min and Max Reward

Critical

Up to $50,000

High

Up to $25,000

Medium

Up to $10,000

LowDiscretionary
InformationalDiscretionary

🎯 In-Scope Assets

Name
Description
Asset
pump.fun

Pump.fun Launchpad

pump.fun

*.pump.fun

Pump.fun Infrastructure

pump.fun

Pump.fun - iOS App

iOS App

https://apps.apple.com/fr/app/pump-fun/id6717572591

Pump.fun - Android App

Android App

https://play.google.com/store/apps/details?…

Out of scope

🚫 Not In-Scope

The following are generally not eligible, but may be reviewed if risk is demonstrated:

  • Attacks needing MITM, physical access, or a compromised device
  • Low-severity UI issues (e.g. clickjacking without sensitive action)
  • Known libraries without PoC or not patched upstream
  • SSL/TLS misconfigurations
  • Email best practices (e.g., missing SPF/DKIM/DMARC)
  • Content spoofing without vector
  • DDoS, social engineering, or brute-force on non-auth endpoints
  • Tabnabbing, third-party integrations (case-by-case)
  • Exfiltrating data after RCE