Security & Responsible Disclosure

Last Updated: April 4, 2026

Security is a core responsibility at MapJob. We protect user data, prevent abuse, and maintain the trust of job seekers and employers who rely on our platform. This page describes our security practices and how to report vulnerabilities responsibly.

Security Practices

Encryption

  • In transit: all data between your browser and MapJob's servers is transmitted over HTTPS using TLS 1.2 or later. We use HSTS to prevent protocol downgrades.
  • At rest: data stored in our database and file storage (AWS S3) is encrypted at rest using AES-256.
  • Passwords: passwords are never stored in plain text. We use a strong adaptive hashing algorithm (bcrypt) with appropriate work factors.

Authentication and Access Controls

  • Two-factor authentication (TOTP) is available to all users and required for certain sensitive operations.
  • Sessions are server-managed with short-lived tokens. Sessions are invalidated on logout and after periods of inactivity.
  • Administrative access is limited to staff who require it and is protected by stronger authentication requirements.
  • Database and infrastructure access is restricted to authorized personnel via private networks and managed credentials. No database ports are exposed to the public internet.

Payment Security

  • All payments are processed by Stripe, a PCI DSS Level 1 certified provider.
  • MapJob does not store credit card numbers, CVVs, or full payment card data on our servers.
  • Stripe webhook signatures are verified on every incoming webhook event to prevent forgery.

Infrastructure

  • The platform runs on Vercel (edge and serverless functions) and Neon (PostgreSQL). Both providers maintain their own SOC 2 Type II certification.
  • File uploads (resumes, images) are stored in AWS S3 with signed URLs and access controls. Files are not publicly listable.
  • Rate limiting is applied to authentication endpoints, search, and other high-volume routes to prevent brute-force and abuse.
  • Dependency updates and security patches are applied promptly. We monitor our dependency tree for known vulnerabilities.

Application Security

  • Input validation is performed at every API boundary. SQL injection is prevented by our use of Prisma ORM with parameterized queries.
  • Cross-site scripting (XSS) is mitigated through React's built-in output encoding and Content Security Policy headers.
  • Cross-site request forgery (CSRF) protection is enforced on all state-changing operations.
  • API routes enforce authentication and authorization checks independent of middleware.

Monitoring and Incident Response

  • We monitor our systems for anomalous activity, errors, and signs of abuse.
  • Access logs are retained for 90 days for security investigation purposes.
  • In the event of a confirmed data breach affecting user personal information, we will notify affected users by email and, where required by law, notify relevant regulatory authorities within applicable timeframes.

Responsible Disclosure Policy

We welcome reports from security researchers and users who discover potential vulnerabilities in our platform. If you believe you have found a security vulnerability, we ask that you follow responsible disclosure practices:

How to report

Email your findings to security@mapjob.io. Please include:

  • A clear description of the vulnerability and its potential impact.
  • Steps to reproduce the issue, including any relevant URLs, payloads, or screenshots.
  • Your name or handle if you wish to be credited (optional).

Our commitment to you

  • We will acknowledge your report within 3 business days.
  • We will investigate and keep you informed of our progress.
  • We will work to remediate confirmed vulnerabilities in a timely manner based on severity.
  • We will not take legal action against researchers who report vulnerabilities in good faith and follow this policy.
  • We will credit researchers who responsibly disclose new vulnerabilities, if they wish to be named.

Scope

In-scope systems: mapjob.io and associated subdomains, MapJob APIs, and authentication flows.

Out of scope (please do not test):

  • Denial-of-service (DoS/DDoS) attacks against our infrastructure.
  • Physical security of our service providers.
  • Social engineering or phishing attacks against our staff.
  • Vulnerabilities in third-party services we use (report those directly to the third party).
  • Testing that involves accessing, modifying, or deleting data belonging to other users without their consent.

Please do not

  • Publicly disclose the vulnerability before we have confirmed and addressed it (“coordinated disclosure”).
  • Exploit the vulnerability beyond what is minimally necessary to demonstrate it.
  • Access, exfiltrate, or destroy data that does not belong to you.
  • Disrupt service availability for other users.

Bug Bounty

We do not currently operate a formal paid bug bounty program. We express our gratitude to researchers through public credit (with permission), and we will consider rewards for particularly significant findings on a case-by-case basis. We are evaluating a formal bounty program for the future.

Compliance Aspirations

MapJob is working toward SOC 2 Type II certification. As a Vercel-hosted platform, our infrastructure benefits from Vercel's existing SOC 2 Type II compliance. We follow OWASP Top 10 guidelines for web application security and apply NIST-aligned practices for access management and incident response.

Contact

Security reports: security@mapjob.io
General support: support@mapjob.io