The Infisical Bug Bounty Program is our way of recognizing and rewarding the work of security researchers who help keep our platform secure. By reporting vulnerabilities or potential risks, you help us protect secrets, infrastructure, and the organizations who rely on us.

We value reports that help identify vulnerabilities that affect the integrity of secrets, prevent unauthorized access to environments, or expose flaws in our authentication or authorization flows.

How to Report

  • Send reports to [email protected] with clear steps to reproduce, impact, and (if possible) a proof-of-concept.
  • We will acknowledge receipt within 3 business days.
  • We’ll provide an initial assessment or next steps within 5 business days.

What’s in Scope?

  • Vulnerabilities in our cloud-hosted platform (e.g., app.infisical.com, eu.infisical.com)
  • Security issues in the open source Infisical codebase, as maintained in our official GitHub repository
  • Authentication bypass, privilege escalation, or access to secrets/data without authorization

Reward Guidelines

Bounties are based on severity, impact, and exploitability, as well as whether the report introduces a new vulnerability class or helps improve an existing fix.

  Severity             | Examples                                                                                                    | Typical Reward (USD)
  ---------------------|-------------------------------------------------------------------------------------------------------------|---------------------
  Critical             | Full unauthorized access to secrets, authentication bypass, cross-tenant access, RCE, full compromise, etc.  | 2,000 - 5,000
  High                 | Privilege escalation, project-level access without authorization, persistent DoS                             | 750 - 2,000
  Medium               | Info disclosure, scoped DoS (e.g. ReDoS with auth), or minor access control issues                           | 250 - 1,000
  Low / Informational  | Missing headers, CSP warnings, theoretical flaws, self-hosting misconfigurations                             | Recognition only

We may award lower amounts for:

  • Duplicate class vulnerabilities already under review
  • Patch bypasses of previously rewarded issues
  • Vulnerabilities requiring unrealistic attacker conditions

All final reward amounts are determined at Infisical’s discretion based on impact, report quality, and how actionable the issue is.

Out of Scope

  • Social engineering or phishing
  • Rate limiting issues on non-sensitive endpoints
  • Denial-of-service attacks that require authentication and don’t impact core service availability
  • Findings based on outdated or forked code not maintained by the Infisical team
  • Vulnerabilities in third-party dependencies unless they result in a direct risk to Infisical users

Responsible Disclosure

We ask that researchers:

  • Avoid accessing data that isn’t yours
  • Do not publicly disclose without coordination
  • Use testing accounts where possible
  • Give us a reasonable window to investigate and patch before going public

Researchers can also spin up our self-hosted version of Infisical to test for vulnerabilities locally.