At Mapbox, we highly prioritize security and the trust of our users. We encourage you to report any perceived security issues in our projects or products through the appropriate channels outlined below.

We request that you refrain from reporting security vulnerabilities via public GitHub issues. Instead, we have partnered with HackerOne to provide a secure platform for such reports.

Please visit Mapbox's HackerOne page to submit your report.

For efficient communication, we prefer all correspondences to be conducted in English.

Upon receiving a security bug report, we assign it to a dedicated handler who will oversee the resolution process. This includes:

• Verifying the issue and identifying the affected versions.
• Conducting an audit of the code to uncover any similar potential problems.
• Developing fixes for all impacted releases still under maintenance, which will be released as swiftly as possible.

Please note, public disclosure of the vulnerability will only take place once the issue has been fully resolved. If you report a vulnerability, we guarantee an acknowledgement of your report within 72 hours of submission and will provide regular updates on our progress. After the initial response to your report, we commit to keeping you informed about the progress towards a fix and full announcement, and may ask for additional information or guidance.

We welcome any comments or suggestions on how we can improve this process. Please reach out to us via our support portal at support.mapbox.com.