Banner object (1)

Hack and Take the Cash !

790 bounties in database
  Back Link to program      
Mapbox logo
Hall of Fame


200 $ 

In Scope

Scope Type Scope Name
undefined Please submit any open source security issues directly to HackerOne, do not open security-related issues on public Github repositories.
undefined Please send any questions about the eligibility of an open source repository to
undefined .
web_application Maps API
web_application Styles API
web_application Geocoding API
web_application Uploads API
web_application Surface API
web_application Static API
web_application Static Classic API
web_application Map Matching API
web_application Directions API (developer preview)
web_application Datasets API (developer preview)

Out of Scope

Scope Type Scope Name
android_application Legacy Android SDK
ios_application Legacy iOS SDK
other bug bounty program
other Mapbox Studio Classic
other Tilemill
other osm-navigation-map
other (deprecated)


Mapbox appreciates the effort of software security researchers who work to make the Internet more secure. Our security vulnerability bounty system exists to reward the work of security researchers who find issues with our software and web services.

If you have questions about our bug bounty program or are unable to properly access/test an in-scope asset please email

Mapbox will make a best effort to meet the following SLAs for hackers participating in our program:

Type of Response | Business Days
Time to triage (from report submit) | 2 Days
Time to bounty (from triage) | 5 Days
Time to resolution (from triage) | 10 Days*

*Resolution SLA varies based on a vulnerability's severity and complexity.


  • Do not publicly disclose the bug until Mapbox has confirmed the bug is fixed.
  • Do not subject our website or web services to DoS, DDoS, scraping, brute force, or other type of automated attack.
  • Do not spam our contact form or support inboxes.
  • Do not use security scanners or tools which may cause DoS, DDoS or scraping-like behavior against our web services or website.
  • Do not attempt to gain access to another user's account or data - please use test accounts.

Eligibility for a bounty

To qualify for a bounty:

  • You must be the first reporter of the vulnerability and it must not be a duplicate or known issue
  • Your report must be within scope and not on our list of ineligible reports and known issues
  • You must not be a minor
  • You must not be a resident of or be located in a country on any U.S. sanctions lists

Public disclosure of the issue before its resolution will result in disqualification from the Mapbox HackerOne program. Evidence of abuse or accessing another user's data or account without their permission will also result in disqualification from the program.


All bug reports should include the following information to be considered for a bounty. Reports missing the information below will be marked as "Needs More Information," resulting in a minor loss of reputation points.

  • Vulnerable URL(s) and any affected parameters
  • Your browser and operating system
  • Detailed, step-by-step explanation of how to replicate the issue

Screenshots or videos of the vulnerability are highly encouraged and will result in quicker triaging of the issue and possibly a higher bounty at Mapbox's discretion.

Eligible reports

Here is an incomplete list of reports we are interested in:

  • Cross-site scripting (XSS)
  • Directory traversal
  • Privilege escalation
  • Server-side remote code execution or command injection
  • SQL or NoSQL injection
  • Access control bypass
  • Presence or disclosure of secret access tokens (sk.*) other than when they are immediately generated on Note that reports about the disclosure of public access tokens (pk.*) are ineligible.

Ineligible reports or known issues

The following reports are ineligible to receive bounties or reputation points. Any submitted reports related to them will be closed as N/A.

  • Social engineering of Mapbox staff, contractors, or customers
  • Reports from automated tools or scans
  • Issues related to software or protocols not under Mapbox's control
  • Denial of Service attacks, including mass requests against password reset, login, account creation, or other endpoints. We have monitoring and mitigations against brute force attacks which we believe are adequate. Please do not conduct brute force attacks.
  • HTML or CSS injection in map markers or map features - this is by design so that our users can have rich, styled maps. We sanitize JavaScript and arbitrary code using sanitize-caja __. We are interested in reports about the execution of JavaScript though!
  • Presence of autocomplete on form fields, including username and password fields
  • SPF, DKIM, or DMARC settings
  • Password and account recovery policies, including password reset emails and password reset links
  • Reports noting the lack of or suggesting the institution of a password policy, including account lockout settings
  • Email spoofing
  • DNSSEC settings
  • Presence of public (pk.*) access tokens in web pages or URLs - due to their use in client-side JavaScript these are public by design.
  • Username enumeration, including an oracle that discloses whether a given username or email address is associated an account
  • Reports of CSRF or reports of a lack of CSRF tokens on, unless accompanied by a detailed proof of concept exploit. We have alternative CSRF mitigations in place.
  • Missing HTTP security headers, unless accompanied by a detailed proof of concept exploit that leverages their absence
  • Existence of access-controlled administrative pages
  • Reports related to the SSL/TLS certificate for __. Please report instead to the Fastly security team __.
  • Open redirects
  • Use of a known-vulnerable library (without evidence of exploitability)
  • Vulnerabilities only affecting older browsers. Please see our documentation on browser support __. Any reports related to IE7 will be marked as ineligible.
  • HSTS or CSP headers
  • Clickjacking or UI redressing on maps or features intended to be embedded in other pages such as those from the or domains. Mapbox customers often embed their maps on their pages using the iframe element.
  • Content spoofing or HTML injection, unless accompanied by a proof of concept that demonstrates a security risk beyond injecting plain text
  • Reports of insecure SSL/TLS ciphers or weak signature algorithms, unless accompanied by a working proof of concept of an exploit
  • Any resources which happen to contain mapbox in their name but are not owned Mapbox. For example, if an S3 bucket named mapbox-test was found and reported with a vulnerability, and we determine it is not owned by Mapbox, it would be considered ineligible.

Ineligible for monetary bounty, but appreciated

The following reports are ineligible for a monetary bounty due to their low severity though they may be available for reputation points. If accompanied by a detailed proof of concept of an exploit leveraging their existence they may be eligible for a cash bounty at Mapbox's discretion.

  • Mixed content
  • Self-XSS

FireBounty © 2015-2019

Legal notices