How to Report Security Vulnerabilities

Prefect invites you to responsibly disclose security vulnerabilities for the following domains:

• cloud.prefect.io
• api.prefect.io
• app.prefect.cloud
• api.prefect.cloud

In addition to the service limitations set forth in the Prefect Cloud Software as a Service (SaaS) Agreement, Prefect prohibits the following types of research:

• accessing, or attempting to access, data that does not belong to you;
• executing, or attempting to execute, a denial of service attack this includes rate limiting;
• sending, or attempting to send, unsolicited or unauthorized email, spam or other forms of unsolicited messages;
• testing third party websites, applications or services that integrate with Prefect;
• knowingly posting, transmitting, uploading, linking to, sending or storing any malware, viruses or similar harmful software;
• exploitation of a vulnerability except for demonstration purposes to Prefect; and/or
• research conducted by minors, individuals on sanctions lists or individuals in countries on sanctions lists.

Submissions

Please do not publicly disclose details of any vulnerabilities without the prior express written consent of Prefect. Include the following details with your submission:

• exploit details with reproduction steps
• your email address; and
• if desired, proposed solutions on addressing the issue.

Prefect Commitment

If you follow our Responsible Disclosure Policy, Prefect will:

• acknowledge receipt of your report in a timely manner;
• provide an estimated time frame for addressing the vulnerability; and
• notify you when the vulnerability is fixed.

Compensation

Prefect may choose to reward the first reporter for a given issue. The compensation for discovered security vulnerabilities will be determined by Prefect in its sole and absolute discretion.