Security Research
Bug bounty program
Prefect values the security research community. We treat security researchers as partners in keeping our platform secure.
Report a vulnerability
Found a security issue? Send details to our security team:
bugbounty@prefect.io
Program scope
Our bug bounty program covers the following Prefect-owned domains and services. Vulnerabilities in third-party integrations or services outside this scope are not eligible.
In scope
- Prefect Cloud (app.prefect.cloud, api.prefect.cloud)
- Prefect web properties (prefect.io)
- Prefect open source
- Prefect Cloud v1 (cloud.prefect.io, api.prefect.io) (evaluated case-by-case)
Out of scope
- Third-party integrations with Prefect
- Social engineering attacks
- Physical security testing
- Rate limiting and plan overconsumption (evaluated case-by-case)
Research guidelines
To qualify for our bug bounty program, security research must follow these guidelines. We appreciate researchers who conduct testing responsibly and in good faith.
Responsible research
- Report vulnerabilities to bugbounty@prefect.io
- Provide detailed reproduction steps
- Allow reasonable time before public disclosure
- Access only your own test accounts and data
- Demonstrate vulnerabilities without exploitation
- Make good faith effort to avoid service disruption
Prohibited activities
- Accessing data that doesn't belong to you
- Denial of service attacks (including rate limiting)
- Sending spam or unsolicited communications
- Uploading malware, viruses, or harmful software
- Public disclosure without our written consent
- Testing by minors or sanctioned individuals
How to report a vulnerability
Quality reports help us respond faster and fix issues effectively. Include as much detail as possible to help us understand and reproduce the vulnerability.
Include in your report
- Vulnerability type: classification and severity assessment
- Affected domains/endpoints: specific URLs or API endpoints
- Reproduction steps: detailed steps to reproduce the issue
- Proof of concept: screenshots, videos, or code samples
- Your contact email: for follow-up communication
- Proposed solutions: optional but appreciated
Send your report to:
bugbounty@prefect.io
Our commitment to security researchers
We treat security researchers as valued partners in securing our platform.
- Prompt acknowledgment: we acknowledge all valid reports
- Partnership approach: we work with you to validate and fix issues
- No legal action: safe harbor for good faith research
When you submit a report
Here's what you can expect from our team throughout the disclosure process.
Acknowledge receipt
We'll confirm we received your report and provide a tracking reference.
Validate and assess
Our security team will work to reproduce and validate the vulnerability, and assess its severity.
Provide timeline
We'll share an estimated remediation timeline and keep you updated on our progress.
Deploy fix and notify
Once the vulnerability is fixed, we'll notify you and discuss attribution if you'd like public recognition.
Rewards
We value the time and effort security researchers invest in making Prefect more secure.
Monetary rewards
Prefect rewards the first reporter for a given issue. Compensation for discovered security vulnerabilities will be determined by Prefect based on:
- Severity and impact of the vulnerability
- Quality and detail of the report
- Ease of exploitation
- Affected components and user impact
Note: Rewards are determined on a case-by-case basis. Only the first reporter of a unique vulnerability is eligible for compensation.
Security resources
Related security documentation and policies
Questions about our bug bounty program?
Our security team is here to help. Contact us about program scope, reporting process, or any other questions about responsible disclosure.