There are 3 different locations in the GitHub repo regarding the security policy: a SECURITY.md file containing instructions to report security vulnerabilities to team@infisical.com — this is employed in other open core repos like Strapi, PostHog, Chatwoot; a security policy on the sidebar that links to the SECURITY.md; and a security section in our README that also links to the SECURITY.md.
There's also an issue template for reporting vulnerabilities as well, as you mentioned.
That said, we'll add info to the security page in our docs to contact us regarding vulnerabilities.
Thanks!