The Infisical Bug Bounty Program is our way of recognizing and rewarding the work of security researchers who help keep our platform secure. By reporting vulnerabilities or potential risks, you help us protect secrets, infrastructure, and the organizations who rely on us.

We value reports that help identify vulnerabilities that affect the integrity of secrets, prevent unauthorized access to environments, or expose flaws in our authentication or authorization flows.

How to Report

  • Send reports to [email protected] with clear steps to reproduce, impact, and (if possible) a proof-of-concept.
  • We will acknowledge receipt within 3 business days for reports that are clearly written, technically sound, and plausibly within scope.
  • We’ll provide an initial assessment or next steps within 5 business days.
  • Please note: We do not respond to spam, auto generated reports, inaccurate claims, or submissions that are clearly out of scope.

What’s in Scope?

  • Vulnerabilities in our cloud-hosted platform (e.g., app.infisical.com, eu.infisical.com)
  • Security issues in the open source Infisical codebase, as maintained in our official GitHub repository
  • Authentication bypass, privilege escalation, or access to secrets/data without authorization

Reward Guidelines

Bounties are based on severity, impact, and exploitability, as well as whether the report introduces a new vulnerability class or helps improve an existing fix.

SeverityExamplesTypical Reward (USD currency)
CriticalFull unauthorized access to secrets, authentication bypass, cross-tenant access, RCE, full compromise, etc2,0002,000 - 5,000
HighPrivilege escalation, project-level access without authorization, persistent DoS750750 - 2,000
MediumInfo disclosure, scoped DoS (e.g. ReDoS with auth), or minor access control issues250250 - 1,000
Low / InformationalMissing headers, CSP warnings, theoretical flaws, self-hosting misconfigurationsRecognition only

We may award lower amounts for:

  • Duplicate class vulnerabilities already under review
  • Patch bypasses of previously rewarded issues
  • Vulnerabilities requiring unrealistic attacker conditions

All final reward amounts are determined at Infisical’s discretion based on impact, report quality, and how actionable the issue is.

Out of Scope

  • Social engineering or phishing (including email hyperlink injection without code execution)
  • Rate limiting issues on non-sensitive endpoints
  • Denial-of-service attacks that require authentication and don’t impact core service availability
  • Findings based on outdated or forked code not maintained by the Infisical team
  • Vulnerabilities in third-party dependencies unless they result in a direct risk to Infisical users

Responsible Disclosure

We ask that researchers:

  • Avoid accessing data that isn’t yours
  • Do not publicly disclose without coordination
  • Use testing accounts where possible
  • Give us a reasonable window to investigate and patch before going public

Researchers can also spin up our self-hosted version of Infisical to test for vulnerabilities locally.

Program Conduct and Enforcement

We value professional and collaborative interaction with security researchers. To maintain the integrity of our bug bounty program, we expect all participants to adhere to the following guidelines:

  • Maintain professional communication in all interactions
  • Do not threaten public disclosure of vulnerabilities before we’ve had reasonable time to investigate and address the issue
  • Do not attempt to extort or coerce compensation through threats
  • Follow the responsible disclosure process outlined in this document
  • Do not use automated scanning tools without prior permission

Violations of these guidelines may result in:

  1. Warning: For minor violations, we may issue a warning explaining the violation and requesting compliance with program guidelines.
  2. Temporary Ban: Repeated minor violations or more serious violations may result in a temporary suspension from the program.
  3. Permanent Ban: Severe violations such as threats, extortion attempts, or unauthorized public disclosure will result in permanent removal from the Infisical Bug Bounty Program.

We reserve the right to reject reports, withhold bounties, and remove participants from the program at our discretion for conduct that undermines the collaborative spirit of security research.

Infisical is committed to working respectfully with security researchers who follow these guidelines, and we strive to recognize and reward valuable contributions that help protect our platform and users.