Mapbox appreciates the effort of software security researchers who work to make the Internet more secure. Our security vulnerability bounty system exists to reward the work of security researchers who find issues with our software and web services.

If you have questions about our bug bounty program or are unable to properly access/test an in-scope asset please email security@mapbox.com.

SLAs

Mapbox attempts to meet the following SLAs for hackers participating in our program:

Response Target | Time (in business days)

-- | --

Time to first response (from report submit) | 2 days

Time to triage (from report submit) | 2 days

Time to bounty (from triage) | 10 days

Time to resolution | Depends on severity and complexity

Rules

• Do not publicly disclose the bug until Mapbox has confirmed the bug is fixed.

• Do not subject our website or web services to DoS, DDoS, scraping, brute force, or other type of automated attack.

• Do not spam our contact form or support inboxes.

• Do not use security scanners or tools which may cause DoS, DDoS or scraping-like behavior against our web services or website.

• Do not try to gain access to another user's account or data - please use test accounts.

Eligibility for a bounty

To qualify for a bounty:

• You must be the first reporter of the vulnerability and it must not be a duplicate or known issue

• Your report must be within scope and not on our list of ineligible reports and known issues

• You must not be a minor

• You must not be a resident of or be located in a country on any U.S. sanctions lists

Public disclosure of the issue before its resolution will result in disqualification from the Mapbox HackerOne program. Evidence of abuse or accessing another user's data or account without their permission will also result in disqualification from the program.

Reporting

All bug reports should include the following information to be considered for a bounty. Reports missing the information below will be marked as "Needs More Information," resulting in a minor loss of reputation points.

• Vulnerable URL(s) and any affected parameters

• Your browser and operating system

• Detailed, step-by-step explanation of how to replicate the issue

Screenshots or videos of the vulnerability are highly encouraged and will result in quicker triage of the issue and possibly a higher bounty at Mapbox's discretion.

Eligible reports

Here is an incomplete list of reports we are interested in:

• Cross-site scripting (XSS)

• Directory traversal

• Privilege escalation

• Server-side remote code execution or command injection

• SQL or NoSQL injection

• Access control bypass

• Disclosure of secret access tokens (sk.*) by Mapbox systems other than when they are instantly generated on mapbox.com. Note that reports about the disclosure of public access tokens (pk.*) are ineligible.

• Presence of Mapbox staff secret tokens (sk.*) on the public internet, as determined by Mapbox. Presence of Mapbox customer secret tokens on the public internet are ineligible.

Ineligible reports or known issues

The following reports are ineligible to receive bounties or reputation points. Any submitted reports related to them will be closed as N/A.

• Social engineering of Mapbox staff, contractors, or customers

• Session management issues

• Reports from automated tools or scans

• Issues related to software or protocols not under Mapbox's control

• Denial of Service attacks, including mass requests against password reset, login, account creation, or other endpoints. We have monitoring and mitigation against brute force attacks which we believe are adequate. Please do not conduct brute force attacks.

• HTML or CSS injection in map markers or map features - this is by design so that our users can have rich, styled maps. We sanitize JavaScript and arbitrary code using sanitize-caja. We are interested in reports about the execution of JavaScript though!

• Presence of autocomplete on form fields, including username and password fields

• SPF, DKIM, or DMARC settings

• Password and account recovery policies, including password reset emails and password reset links

• Reports noting the lack of or suggesting the institution of a password policy, including account lockout settings

• email spoofing

• DNSSEC settings

• Presence of public (pk.*) access tokens in web pages or URLs - due to their use in client-side JavaScript these are public by design.

• Presence of sk.* access tokens with non-staff and non-admin privileges in web pages or URLs or in deleted or archived GitHub repo's.

• Username enumeration, including an oracle that discloses whether a given username or email address is associated an account

• Reports of CSRF or reports of a lack of CSRF tokens on wwww.mapbox.com, unless accompanied by a detailed proof of concept exploit. We have alternative CSRF mitigation in place.

• Missing HTTP security headers, unless accompanied by a detailed proof of concept exploit that leverages their absence

• Existence of access-controlled administrative pages

• Reports related to the SSL/TLS certificate for www.mapbox.com. Please report instead to the Fastly security team.

• Open redirects

• Use of a library with known vulnerabilities (without evidence of further exploitation)

• Vulnerabilities only affecting older browsers. Please see our documentation on browser support. Any reports related to Internet Explorer 7 will be marked as ineligible.

• HSTS or CSP headers

• Clickjacking or UI redressing on maps or features intended to be embedded in other pages such as those from the api.tiles.mapbox.com or api.mapbox.com domains. Mapbox customers often embed their maps on their pages using the iframe element.

• Content spoofing or HTML injection, unless accompanied by a proof of concept that demonstrates a security risk beyond injecting plain text

• Reports of insecure SSL/TLS ciphers or weak signature algorithms, unless accompanied by a working proof of concept of an exploit

• Any resources which happen to contain mapbox in their name but are not owned Mapbox. For example, if an S3 bucket named mapbox-test was discovered and reported with a vulnerability, and we determine it is not owned by Mapbox, it would be considered ineligible.

Ineligible for monetary bounty, but appreciated

The following reports are ineligible for a monetary bounty due to their low severity though they may be available for reputation points. If accompanied by a detailed proof of concept of an exploit leveraging their existence they may be eligible for a cash bounty at Mapbox's discretion.

• Mixed content

• Self-XSS