Mapbox

target_in_scope

asset_identifier asset_type availability requirement confidentiality requirement eligible for bounty eligible for submission integrity requirement max_severity
https://www.mapbox.com/api-documentation URL medium medium medium critical
The Mapbox web services APIs allow for programmatic access to Mapbox tools and services.
- [Maps API](https://www.mapbox.com/api-documentation/#maps)
- [Styles API](https://www.mapbox.com/api-documentation/#styles)
- [Geocoding API](https://www.mapbox.com/api-documentation/#geocoding)
- [Uploads API](https://www.mapbox.com/api-documentation/#uploads)
- [Surface API](https://www.mapbox.com/api-documentation/surface.html)
- [Static API](https://www.mapbox.com/api-documentation/#static)
- [Static Classic API](https://www.mapbox.com/api-documentation/#static-classic)
- [Map Matching API](https://www.mapbox.com/api-documentation/#map-matching)
- [Directions API (developer preview)](https://www.mapbox.com/api-documentation/#directions)
- [Datasets API (developer preview)](https://www.mapbox.com/api-documentation/#datasets)
https://www.mapbox.com/mapbox-gl-js/ SOURCE_CODE medium medium medium critical
Mapbox GL JS is a JavaScript library that uses WebGL to render interactive maps from vector tiles and Mapbox styles. It is part of the Mapbox GL ecosystem, which includes Mapbox Mobile, a compatible renderer written in C++ with bindings for desktop and mobile platforms.
https://www.mapbox.com/mapbox.js/ SOURCE_CODE medium medium medium critical
Mapbox.js open source SDK
https://www.mapbox.com/mobile/ SOURCE_CODE medium medium medium critical
Mapbox Mobile open source SDK
www.mapbox.com URL medium medium medium critical
- https://mapbox.com
- https://www.mapbox.com/studio/
- https://www.mapbox.com/editor/
https://github.com/mapbox SOURCE_CODE medium medium medium critical
Mapbox has 700+ public GitHub repositories that are within scope, though only reports that can be actively exploited on Mapbox infrastructure will be eligible for a monetary bounty. Submissions on assets containing the "Mapbox" name but not owned by Mapbox are not eligible for bounty. Some repositories in the Mapbox GitHub organization may contain experimental code and are not eligible for a bounty.
* Please submit any open source security issues directly to HackerOne; do not open security-related issues on public GitHub repositories.
* Please send any questions about the eligibility of an open source repository to security@mapbox.com.

A few of our popular open-source repositories: [node-sqlite3](https://github.com/mapbox/node-sqlite3) | [node-pre-gyp](https://github.com/mapbox/node-pre-gyp) | [carmen](https://github.com/mapbox/carmen) | [tilelive](https://github.com/mapbox/tilelive)
https://www.mapbox.com/android-docs/maps/overview/ SOURCE_CODE medium medium medium critical
Maps SDK for Android
https://www.mapbox.com/ios-sdk/maps/overview/ SOURCE_CODE medium medium medium critical
Maps SDK for iOS
api.mapbox.com URL high high high critical
Our APIs are the primary interface to Mapbox for many of our customers, and all actions a customer can take on their account run through them.
https://docs.mapbox.com/android/ SOURCE_CODE medium medium medium critical
- [Maps SDK for Android](https://docs.mapbox.com/android/maps/overview/)
- [Navigation SDK for Android](https://docs.mapbox.com/android/navigation/overview/)
https://docs.mapbox.com/api/ URL medium medium medium critical
The Mapbox web services APIs allow for programmatic access to Mapbox tools and services.
- [Accounts Service APIs](https://docs.mapbox.com/api/accounts/)
- [Maps Service APIs](https://docs.mapbox.com/api/maps/)
- [Navigation Service APIs](https://docs.mapbox.com/api/navigation/)
- [Search Service APIs](https://docs.mapbox.com/api/search/)
https://docs.mapbox.com/ios/maps/overview/ SOURCE_CODE medium medium medium critical
[Maps SDK for iOS](https://docs.mapbox.com/ios/maps/overview/)

target_out_of_scope

asset_identifier asset_type availability requirement confidentiality requirement eligible for bounty eligible for submission integrity requirement max_severity
Submissions on out-of-scope assets listed below will be closed as N/A OTHER none
- `status.mapbox.com` - please instead report to the [StatusPage.io bug bounty program](https://bugcrowd.com/statuspage)
- `email.mapbox.com`
- [Mapbox Studio Classic](https://www.mapbox.com/mapbox-studio-classic/)
- [Tilemill](https://www.mapbox.com/tilemill/)
- [Legacy iOS SDK](https://github.com/mapbox/mapbox-ios-sdk-legacy)
- [Legacy Android SDK](https://github.com/mapbox/mapbox-android-sdk-legacy)
- [osm-navigation-map](https://github.com/mapbox/osm-navigation-map) (deprecated)
geojson.io URL none
Geojson.io is considered deprecated and no longer maintained. The original developer has forked the code and maintains <https://geojson.net>. As such, Mapbox considers <https://geojson.io> to be out of scope for our security program.