Case Study: Mapbox achieves reduced noise and faster vulnerability triage with HackerOne

A HackerOne Case Study

Preview of the Mapbox Case Study

How the security team at Mapbox has grown from a simple vulnerability disclosure policy to a robust and competitive bug bounty program. Written by Alex Ulsh from Mapbox.

Mapbox, a fast-growing mapping platform, moved from a simple security@ email and disclosure page to a formal bug bounty program to handle increasing report volume, triage burden, and the need to scale security operations. Early challenges included noisy and duplicate reports, manual bounty payments, slow response times, and the difficulty of growing the program without overwhelming the security team.

Mapbox solved this by running first a private and then a public program on HackerOne and by tightening program controls: adding a strict signal requirement, a detailed ineligible-issues list on their program page, automated triggers with common responses, and a revamped Incident Response Framework. The changes reduced noise, increased the share of valid reports (11% to 15%), raised the average bounty size ($458 to $521), and cut the average first-response time from five days to two days (recently as low as 19 hours), while maintaining resolution times comparable to peers and improving researcher engagement.


Mapbox

Alex Ulsh

Information Security Engineer
