Rules you must follow
Report security issues on our public HackerOne program.
Do not open security-related issues or pull requests on Github.
Do not publicly disclose the bug until Mapbox has confirmed the bug is fixed.
Do not subject our web services or website to DoS, DDoS, scraping, or other type of attack.
Do not use security scanners or tools which may cause DoS, DDoS or scraping-like behavior against our web services or website.
Don't attempt to gain access to another user's account or data, instead use test accounts.
Be sure the software or service you're testing or reporting for is included under our open bounties.
Every report is considered high priority. We will confirm that we've received your report and review the issue as quickly as possible.
We will address the issue and ask you to confirm that the problem has been resolved.
We will determine the amount of compensation and arrange for the reward.
Payment is made via Paypal. If payment via Paypal is not possible, Mapbox will make a best effort to use another payment system.
PGP public key
Copy our PGP public key below to send us secure mail.