Company
scribblemaps.com
Program URL
https://help.scribblemaps.com/hc/en-us/articles/360049250211-Vulnerabilities-And-Bounties
Contact
No response
Description
No response
Rewards
Program type
bounty
Status
active
Safe harbor
No response
Allows disclosure
No response
Domains
No response
Structured scope
No response
Out of scope
Anonymous community maps. Maps with no owner that are editable by anyone are a long-standing community feature. Saving over an anonymous map is not a vulnerability.
Unlisted (URL-as-credential) maps. Maps without LockView are intentionally accessible to anyone who knows the URL, similar to an unlisted YouTube video. Accessing or saving such a map by knowing its map code is by design.
Third-party software we host but do not maintain. Issues in GeoServer, Tomcat, or other third-party stacks deployed alongside our services. Please report these to the respective upstream maintainers.
Missing security headers without a concrete attack scenario. Reports about CSP, X-Frame-Options, HSTS, etc. without a working exploit are not eligible.
Rate limiting in isolation. Lack of rate limiting on endpoints where rate limiting is not security-critical, without a demonstrated abuse scenario.
Excluded methods
Requires account
No response
Minimum payout
25
Maximum payout
2000
Currency
USD
Payout - critical
No response
Payout - high
No response
Payout - medium
No response
Payout - low
No response
Swag details
No response
Testing policy URL
No response
Response SLA days
No response
Disclosure timeline days
No response
Legal terms URL
No response
Hall of fame URL
No response
Reporting URL
No response
PGP key URL
No response
Preferred languages
No response
Standards
No response
Confirmation