| Scope Type | Scope Name |
|---|---|
| undefined | Please submit any open source security issues directly to HackerOne, do not open security-related issues on public Github repositories. |
| undefined | Please send any questions about the eligibility of an open source repository to |
| web_application | Static Classic API |
| web_application | Map Matching API |
| web_application | Directions API (developer preview) |
| web_application | Datasets API (developer preview) |
Out of Scope
| Scope Type | Scope Name |
|---|---|
| android_application | Legacy Android SDK |
| ios_application | Legacy iOS SDK |
| other | StatusPage.io bug bounty program |
| other | Mapbox Studio Classic |
Mapbox appreciates the effort of software security researchers who work to make the Internet more secure. Our security vulnerability bounty system exists to reward the work of security researchers who find issues with our software and web services.
If you have questions about our bug bounty program or are unable to properly access/test an in-scope asset please email firstname.lastname@example.org.
Mapbox will make a best effort to meet the following SLAs for hackers participating in our program:
| Type of Response | Business Days |
|---|---|
| Time to triage (from report submit) | 2 Days |
| Time to bounty (from triage) | 5 Days |
| Time to resolution (from triage) | 10 Days* |
*Resolution SLA varies based on a vulnerability's severity and complexity.
To qualify for a bounty:
Public disclosure of the issue before its resolution will result in disqualification from the Mapbox HackerOne program. Evidence of abuse or accessing another user's data or account without their permission will also result in disqualification from the program.
All bug reports should include the following information to be considered for a bounty. Reports missing the information below will be marked as "Needs More Information," resulting in a minor loss of reputation points.
Screenshots or videos of the vulnerability are highly encouraged and will result in quicker triaging of the issue and possibly a higher bounty at Mapbox's discretion.
Here is an incomplete list of reports we are interested in:
sk.*) other than when they are immediately generated on mapbox.com. Note that reports about the disclosure of public access tokens (pk.*) are ineligible.
The following reports are ineligible to receive bounties or reputation points. Any submitted reports related to them will be closed as N/A.
api.mapbox.com domains. Mapbox customers often embed their maps on their pages using the iframe element.
mapbox in their name but are not owned by Mapbox. For example, if an S3 bucket named mapbox-test was found and reported with a vulnerability, and we determine it is not owned by Mapbox, it would be considered ineligible.
The following reports are ineligible for a monetary bounty due to their low severity, though they may be eligible for reputation points. If accompanied by a detailed proof of concept of an exploit leveraging their existence, they may be eligible for a cash bounty at Mapbox's discretion.