Our security bug bounty program is now open to the public. On March 1, we joined 100+ other companies, including Twitter and Airbnb, that also host their security vulnerability coordination programs on HackerOne.

HackerOne connects security researchers with security-minded companies and organizations. Our program allows researchers to privately submit security issues to us. Our team then triages and fixes the security issues as quickly as possible before coordinating public disclosure with the researcher.

Our HackerOne program not only protects our users from security threats, but also allows us to reward security researchers with monetary bounties and public recognition.

We launched privately on HackerOne in March 2015 and had an incredible year:

  • 46 validated and resolved security issues
  • 408 total reports
  • $22,091 in total bug bounty payments
  • $458 average payout per bounty
  • $2,000 was the largest payout for a single bounty
  • 5-day average response time
  • 16-day average resolution time
  • 2 cross-site scripting (XSS) patches to Mapbox.js, our most popular open source library

Since going public on March 1, we’ve already received a staggering 93 bug reports, but we want even more! We offer a minimum $200 bounty for validated and resolved security issues.

Sign up on HackerOne today and start hacking our 500+ open source GitHub repositories, 11 APIs, 4 SDKs, our public website, and Mapbox Studio.

Still have questions? Read more about security at Mapbox and our security vulnerability disclosure process.