Security Research

Bug bounty program

Prefect values the security research community. We treat security researchers as partners in keeping our platform secure.

Report a vulnerability

Found a security issue? Send details to our security team:

bugbounty@prefect.io

Program scope

Our bug bounty program covers the following Prefect-owned domains and services. Vulnerabilities in third-party integrations or services outside this scope are not eligible.

In scope

•Prefect Cloud (app.prefect.cloud, api.prefect.cloud)
•Prefect web properties (prefect.io)
•Prefect open source

Out of scope

•Third-party integrations with Prefect
•Social engineering attacks
•Physical security testing
•Rate limiting and plan overconsumption (evaluated case-by-case)

Research guidelines

To qualify for our bug bounty program, security research must follow these guidelines. We appreciate researchers who conduct testing responsibly and in good faith.

Responsible research

Report vulnerabilities to bugbounty@prefect.io
Provide detailed reproduction steps
Allow reasonable time before public disclosure
Access only your own test accounts and data
Demonstrate vulnerabilities without exploitation
Make good faith effort to avoid service disruption

Prohibited activities

Accessing data that doesn't belong to you
Denial of service attacks (including rate limiting)
Sending spam or unsolicited communications
Uploading malware, viruses, or harmful software
Public disclosure without our written consent
Testing by minors or sanctioned individuals

How to report a vulnerability

Quality reports help us respond faster and fix issues effectively. Include as much detail as possible to help us understand and reproduce the vulnerability.

Include in your report

Vulnerability type

Classification and severity assessment

Affected domains/endpoints

Specific URLs or API endpoints

Reproduction steps

Detailed steps to reproduce the issue

Proof of concept

Screenshots, videos, or code samples

Your contact email

For follow-up communication

Proposed solutions

Optional but appreciated

Send your report to:

bugbounty@prefect.io

Do not publicly disclose

Our commitment to security researchers

We treat security researchers as valued partners in securing our platform.

Prompt acknowledgment

We acknowledge all valid reports

Partnership approach

Work with you to validate and fix issues

No legal action

Safe harbor for good faith research

When you submit a report

Here's what you can expect from our team throughout the disclosure process.

Acknowledge receipt

We'll confirm we received your report and provide a tracking reference.

Validate and assess

Our security team will work to reproduce and validate the vulnerability, and assess its severity.

Provide timeline

We'll share an estimated remediation timeline and keep you updated on our progress.

Deploy fix and notify

Once the vulnerability is fixed, we'll notify you and discuss attribution if you'd like public recognition.

Rewards

We value the time and effort security researchers invest in making Prefect more secure.

Monetary rewards

Prefect rewards the first reporter for a given issue. Compensation for discovered security vulnerabilities will be determined by Prefect based on:

•Severity and impact of the vulnerability
•Quality and detail of the report
•Ease of exploitation
•Affected components and user impact

Note: Rewards are determined on a case-by-case basis. Only the first reporter of a unique vulnerability is eligible for compensation.

Security resources

Related security documentation and policies

Security Overview

Enterprise security features and compliance certifications

Shared Responsibility

Security responsibilities between Prefect and customers

GDPR Compliance

How Prefect supports GDPR compliance for workflows

Questions about our bug bounty program?

Our security team is here to help. Contact us about program scope, reporting process, or any other questions about responsible disclosure.

Report a Vulnerability View Security Overview

Program scope

Our bug bounty program covers the following Prefect-owned domains and services. Vulnerabilities in third-party integrations or services outside this scope are not eligible.

In scope

•Prefect Cloud (app.prefect.cloud, api.prefect.cloud)
•Prefect web properties (prefect.io)
•Prefect open source

Out of scope

•Third-party integrations with Prefect
•Social engineering attacks
•Physical security testing
•Rate limiting and plan overconsumption (evaluated case-by-case)

Research guidelines

To qualify for our bug bounty program, security research must follow these guidelines. We appreciate researchers who conduct testing responsibly and in good faith.

Responsible research

Report vulnerabilities to bugbounty@prefect.io
Provide detailed reproduction steps
Allow reasonable time before public disclosure
Access only your own test accounts and data
Demonstrate vulnerabilities without exploitation
Make good faith effort to avoid service disruption

Prohibited activities

Accessing data that doesn't belong to you
Denial of service attacks (including rate limiting)
Sending spam or unsolicited communications
Uploading malware, viruses, or harmful software
Public disclosure without our written consent
Testing by minors or sanctioned individuals

How to report a vulnerability

Quality reports help us respond faster and fix issues effectively. Include as much detail as possible to help us understand and reproduce the vulnerability.

Include in your report

Vulnerability type

Classification and severity assessment

Affected domains/endpoints

Specific URLs or API endpoints

Reproduction steps

Detailed steps to reproduce the issue

Proof of concept

Screenshots, videos, or code samples

Your contact email

For follow-up communication

Proposed solutions

Optional but appreciated

Send your report to:

bugbounty@prefect.io

Do not publicly disclose

When you submit a report

Here's what you can expect from our team throughout the disclosure process.

Acknowledge receipt

We'll confirm we received your report and provide a tracking reference.

Validate and assess

Our security team will work to reproduce and validate the vulnerability, and assess its severity.

Provide timeline

We'll share an estimated remediation timeline and keep you updated on our progress.

Deploy fix and notify

Once the vulnerability is fixed, we'll notify you and discuss attribution if you'd like public recognition.

Rewards

We value the time and effort security researchers invest in making Prefect more secure.

Monetary rewards

Prefect rewards the first reporter for a given issue. Compensation for discovered security vulnerabilities will be determined by Prefect based on:

•Severity and impact of the vulnerability
•Quality and detail of the report
•Ease of exploitation
•Affected components and user impact

Note: Rewards are determined on a case-by-case basis. Only the first reporter of a unique vulnerability is eligible for compensation.