Mapbox

Mapbox appreciates the effort of software security researchers who work to make the Internet more secure. Our security vulnerability bounty system exists to reward the work of security researchers who find issues with our software and web services.

If you have questions about our bug bounty program or are unable to properly access/test an in-scope asset please email [email protected].

SLAs

Mapbox attempts to meet the following SLAs for hackers participating in our program:

Rules

• Do not publicly disclose the bug until Mapbox has confirmed the bug is fixed. For any public disclosure, Mapbox approval is required.
• Do not subject our website or web services to DoS, DDoS, scraping, brute force, or other type of automated attack.
• Do not spam our contact form or support inboxes.
• Do not use security scanners or tools which may cause DoS, DDoS or scraping-like behavior against our web services or website.
• Do not try to gain access to another user's account or data - please use test accounts.

Test Account Registration

• Researchers can create test accounts to make api calls utilizing Mapbox's free tier. Refer to Mapbox pricing guide for more details.
• When registering for test accounts, it is recommended use your HackerOne email address in the following format: <your_h1_username>@wearehackerone.com>.

Eligibility for a bounty

To qualify for a bounty:

• You must be the first reporter of the vulnerability and it must not be a duplicate or known issue
• Your report must be within scope and not on our list of ineligible reports and known issues
• You must not be a minor
• You must not be a resident of or be located in a country on any U.S. sanctions lists

Public disclosure of the issue before its resolution will result in disqualification from the Mapbox HackerOne program. Evidence of abuse or accessing another user's data or account without their permission will also result in disqualification from the program.

Reporting

All bug reports should include the following information to be considered for a bounty. Reports missing the information below will be marked as "Needs More Information," resulting in a minor loss of reputation points.

• Vulnerable URL(s) and any affected parameters
• Your browser and operating system
• Detailed, step-by-step explanation of how to replicate the issue

Screenshots or videos of the vulnerability are highly encouraged and will result in quicker triage of the issue and possibly a higher bounty at Mapbox's discretion.

Eligible reports

Here is an incomplete list of reports we are interested in:

• Cross-site scripting (XSS)
• Directory traversal
• Privilege escalation
• Server-side remote code execution or command injection
• SQL or NoSQL injection
• Access control bypass
• Disclosure of Mapbox Staff tokens through any Mapbox-controlled resources, including but not limited to Mapbox APIs, services, documentation, code repositories, error messages and logs etc.
  • Secret tokens intentionally displayed during their initial generation on Mapbox | Maps, Navigation, Search, and Data are excluded from this policy.
  • Mapbox reserves the right to make the final determination on whether a token is to be considered a Mapbox staff token.
  • Disclosure of public access tokens (pk.) and Mapbox customer secret tokens (sk.) found on the public internet are currently out of scope.

Ineligible reports or known issues

The following reports are ineligible to receive bounties or reputation points. Any submitted reports related to them will be closed as N/A.

• Social engineering of Mapbox staff, contractors, or customers
• Session management issues
• Reports from automated tools or scans
• Issues related to software or protocols not under Mapbox's control
• Denial of Service attacks, including mass requests against password reset, login, account creation, or other endpoints. We have monitoring and mitigation against brute force attacks which we believe are adequate. Please do not conduct brute force attacks.
• HTML or CSS injection in map markers or map features - this is by design so that our users can have rich, styled maps. We sanitize JavaScript and arbitrary code using sanitize-caja. We are interested in reports about the execution of JavaScript though!
• Presence of autocomplete on form fields, including username and password fields
• SPF, DKIM, or DMARC settings
• Password and account recovery policies, including password reset emails and password reset links
• Reports noting the lack of or suggesting the institution of a password policy, including account lockout settings
• email spoofing
• DNSSEC settings
• Presence of public (pk.*) access tokens in web pages or URLs - due to their use in client-side JavaScript these are public by design.
• Presence of sk.* access tokens with non-staff and non-admin privileges in web pages or URLs or in deleted or archived GitHub repo's.
• Username enumeration, including an oracle that discloses whether a given username or email address is associated an account
• Reports of CSRF or reports of a lack of CSRF tokens on wwww.mapbox.com, unless accompanied by a detailed proof of concept exploit. We have alternative CSRF mitigation in place.
• Missing HTTP security headers, unless accompanied by a detailed proof of concept exploit that leverages their absence
• Existence of access-controlled administrative pages
• Reports related to the SSL/TLS certificate for www.mapbox.com. Please report instead to the Fastly security team.
• Open redirects
• Use of a library with known vulnerabilities (without evidence of further exploitation)
• Vulnerabilities only affecting older browsers. Please see our documentation on browser support. Any reports related to Internet Explorer 7 will be marked as ineligible.
• HSTS or CSP headers
• Clickjacking or UI redressing on maps or features intended to be embedded in other pages such as those from the api.tiles.mapbox.com or api.mapbox.com domains. Mapbox customers often embed their maps on their pages using the iframe element.
• Content spoofing or HTML injection, unless accompanied by a proof of concept that demonstrates a security risk beyond injecting plain text
• Reports of insecure SSL/TLS ciphers or weak signature algorithms, unless accompanied by a working proof of concept of an exploit
• Any resources which happen to contain mapbox in their name but are not owned Mapbox. For example, if an S3 bucket named mapbox-test was discovered and reported with a vulnerability, and we determine it is not owned by Mapbox, it would be considered ineligible.
• Issues related to buying subscriptions without paying are currently out of scope from our bug bounty program.
• Third-party credential dumps are out of scope unless they demonstrate a vulnerability within Mapbox systems.
• Issues in archived/deprecated code repositories or packages are out of scope.
• API Tokens/Keys that belong to third-party service providers that are used on mapbox.com or docs.mapbox.com.

Ineligible for monetary bounty, but appreciated

The following reports are ineligible for a monetary bounty due to their low severity though they may be available for reputation points. If accompanied by a detailed proof of concept of an exploit leveraging their existence they may be eligible for a cash bounty at Mapbox's discretion.

• Mixed content
• Self-XSS

AI Usage Policy

Disclosure Requirement

If you have used AI tools to help create or identify your vulnerability report, you must clearly disclose this at the beginning of your submission.

Important Guidelines

• All AI-generated claims will be thoroughly scrutinized
• You are responsible for verifying all information provided by AI tools
• Reports that appear to be entirely AI-generated without human validation may be rejected
• All reports must include technical validation through proof of concept, reproduction video, or debugging evidence
• Low-quality or out-of-scope reports may be closed as "Not Applicable" or "Spam" at our discretion.