Bug bounty program
Learn about our bug bounty program and how to report vulnerabilities.
The Infisical Bug Bounty Program is our way of recognizing and rewarding the work of security researchers who help keep our platform secure. By reporting vulnerabilities or potential risks, you help us protect secrets, infrastructure, and the organizations who rely on us.
We value reports that help identify vulnerabilities that affect the integrity of secrets, prevent unauthorized access to environments, or expose flaws in our authentication or authorization flows.
How to Report
- Send reports to [email protected] with clear steps to reproduce, impact, and (if possible) a proof-of-concept.
- We will acknowledge receipt within 3 business days.
- We’ll provide an initial assessment or next steps within 5 business days.
What’s in Scope?
- Vulnerabilities in our cloud-hosted platform (e.g., app.infisical.com, eu.infisical.com)
- Security issues in the open source Infisical codebase, as maintained in our official GitHub repository
- Authentication bypass, privilege escalation, or access to secrets/data without authorization
Reward Guidelines
Bounties are based on severity, impact, and exploitability, as well as whether the report introduces a new vulnerability class or helps improve an existing fix.
Severity | Examples | Typical Reward (USD)
---|---|---
Critical | Full unauthorized access to secrets, authentication bypass, cross-tenant access, RCE, full compromise, etc. | 5,000
High | Privilege escalation, project-level access without authorization, persistent DoS | 2,000
Medium | Info disclosure, scoped DoS (e.g. ReDoS with auth), or minor access control issues | 1,000
Low / Informational | Missing headers, CSP warnings, theoretical flaws, self-hosting misconfigurations | Recognition only
We may award lower amounts for:
- Duplicate class vulnerabilities already under review
- Patch bypasses of previously rewarded issues
- Vulnerabilities requiring unrealistic attacker conditions
All final reward amounts are determined at Infisical’s discretion based on impact, report quality, and how actionable the issue is.
Out of Scope
- Social engineering or phishing
- Rate limiting issues on non-sensitive endpoints
- Denial-of-service attacks that require authentication and don’t impact core service availability
- Findings based on outdated or forked code not maintained by the Infisical team
- Vulnerabilities in third-party dependencies unless they result in a direct risk to Infisical users
Responsible Disclosure
We ask that researchers:
- Avoid accessing data that isn’t yours
- Do not publicly disclose without coordination
- Use testing accounts where possible
- Give us a reasonable window to investigate and patch before going public
Researchers can also spin up our self-hosted version of Infisical to test for vulnerabilities locally.