> For the complete documentation index, see [llms.txt](https://docs.bextree.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.bextree.com/security/future-audits.md).

# Future Audits

**Current status:** an **internal security review** of the three programs is complete. An **independent third-party audit has not yet been performed.**

## Where things stand

1. ✅ **Mainnet deployment** — all three programs are live with rotated keys, a Squads multisig upgrade authority, and [published program IDs](/security/program-ids.md).
2. ✅ **Internal security review** — completed against the deployed program code.
3. ⏳ **Verified builds** — reproducible-build verification linking deployed bytecode to public source is in progress; see [Program Registry](/developers/program-registry.md).
4. ⏳ **Independent external audit** — the programs were deliberately kept small and marketplace-agnostic to keep this scope tight. The full report — findings, severities, and remediations — will be published on this page, unedited.
5. ⏳ **Bug bounty** — planned to stand alongside the audit, so review doesn't end when the audit does.

## In the meantime

An internal review is not a substitute for independent eyes, and we won't present it as one. The interim posture is architectural: total escrow exit paths, on-chain verification, pre-custody where possible, bonds where not, and no single-key control over program upgrades or treasury. See [Security Principles](/security/security-principles.md).
