Security Reward Program

Mapbox appreciates the effort of software security researchers who work to make the Internet more secure. Our security vulnerability coordination and bug bounty program exist to reward the work of security researchers who find issues with our software and web services.

Our vulnerability coordination program offers cash rewards for researchers who find security vulnerabilities that meet certain requirements. Be sure to follow our rules during the process.

Rules you must follow

Report security issues on our public HackerOne program.

If you are unable to sign up on HackerOne, email us at security@mapbox.com, though your report may not be eligible for a monetary bounty.

Do not open security-related issues or pull requests on GitHub.

Do not publicly disclose the bug until Mapbox has confirmed the bug is fixed.

Do not subject our web services or website to DoS, DDoS, scraping, or other types of attack.

Do not use security scanners or tools which may cause DoS, DDoS or scraping-like behavior against our web services or website.

Don't attempt to gain access to another user's account or data; use test accounts instead.

Be sure the software or service you're testing or reporting for is included under our open bounties.

Mapbox procedure

  • Every report is considered high priority. We will confirm that we've received your report and review the issue as quickly as possible.

  • We will address the issue and ask you to confirm that the problem has been resolved.

  • We will determine the amount of compensation and arrange for the reward.

Amount

Cash rewards start at $200. The exact amount paid out for each vulnerability is determined on a case-by-case basis.

Payment method

Payment is made via PayPal. If payment via PayPal is not possible, Mapbox will make a best effort to use another payment system.

Open bounties

Mapbox web services

Our core services including maps, embeds, static, geocoding, directions, and uploads APIs.

Mapbox.com

Our website, client-side JavaScript applications, and authentication flows.

Open source SDKs

Mapbox.js, Mapbox GL JS, iOS SDK, and Android SDK.

Open source repositories

Over 500 open source Mapbox repositories on GitHub.

Contact us

Have questions about security at Mapbox? Email us at security@mapbox.com.

Need to send us sensitive information? Use the PGP public key below.

PGP public key

Copy our PGP public key below to send us secure mail.
