Fitbit

  • $100 – $2,500 per vulnerability
  • Managed by Bugcrowd

Program stats

150 vulnerabilities rewarded

Validation within 2 days
75% of submissions are accepted or rejected within 2 days

$300 average payout (last 3 months)

Latest hall of famers

Recently joined this program

573 total

Fitbit's mission is to empower people to lead healthier, more active lives by providing them with data, inspiration, and guidance to reach their goals. To achieve this mission, we must earn and maintain the trust of our users that we will protect the privacy and security of their data.

We see the community as a key partner in our efforts to ensure our systems and users' data remain safe. We're grateful for all information responsibly disclosed to us.

Reward Range

Last updated 2018-07-12 22:29:44 UTC
Technical severity Reward range
p1 Critical $2,000 - $2,500
p2 Severe $1,200 - $1,500
p3 Moderate $300 - $500
p4 Low Starting at: $100
P5 submissions do not receive any rewards for this program.

Targets

In scope

Prohibited testing

The following types of attacks are not authorized for this bounty program:

  • Any type of denial of service attack
  • High volume automated submission of contact forms (please don't do it)
  • Social engineering and phishing
  • Physical access to infrastructure
  • Automated scans

You may test vulnerabilities against your own accounts, but you must not attack other users or otherwise impair their experience on the platform.

Focus Areas

  • Web Application
    • Dashboard and User Settings
    • Store
    • Corporate Wellness
    • Fitbit Developer Platform (https://studio.fitbit.com)
  • API
  • Sync Clients on Mac, Windows, iOS, Android
  • Fitbit OS (running on Ionic & Versa hardware devices)

Getting started with testing

Signup for a Fitbit account here

Fitbit Mobile apps:

Fitbit client applications:

API Information and Documentation:

Please ensure that you're running the latest version of our applications & device firmware.

Fitbit OS

As part of the addition of our smart watches to our Bug Bounty program, we are interested in the following issues:

  • Sandbox escapes
  • Permission bypasses
  • Information leaks

We are interested in issues impacting applications running on the tracker, the iOS/Android companion applications and the runtime environment.

Issues in non-Fitbit developed applications

Any vulnerabilities found in third-party developed applications available for download through the Fitbit app gallery and not in-scope for rewards. Whilst we will not pay bounties on security issues found in third party applications, we will accept submissions and attempt to pass them on to the developer.

Out of Scope Resources

Resources are out of scope unless specifically listed above. In particular, please note that community.fitbit.com, and help.fitbit.com are notable examples of resources not in scope.

Please note, we do not provide logins for our corporate wellness programs (corporate.fitbit.com) for bug bounty participants, however we are interested to hear about unauthenticated issues within the site.

Please read and follow the rules in the Standard Disclosure Terms.

Note: This program is considered a 1st identification only, no pivoting bounty. If you find a critical issue and wish to prove the threat scenario please use the comment system and describe it thoroughly. Do not go past the 1st identified vulnerability in testing. Do not exfiltrate any internal data.

The following finding types are specifically excluded from the bounty:

  • Bug reports speculating on rate limiting behavior (or absence thereof) if you were to submit a huge number of requests (note: the standard Bugcrowd terms already exclude DoS attacks)
  • Descriptive error messages (e.g. Stack Traces, application or server errors).
  • HTTP 404 codes/pages or other HTTP non-200 codes/pages.
  • Fingerprinting / banner disclosure on common/public services.
  • Disclosure of known public files or directories, (e.g. robots.txt).
  • Clickjacking and issues only exploitable through clickjacking.
  • CSRF on forms that are available to anonymous users (e.g. the contact form).
  • Logout Cross-Site Request Forgery (logout CSRF).
  • Self-XSS and issues exploitable only through Self-XSS.
  • Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
  • Lack of Secure/HTTPOnly flags on non-sensitive Cookies.
  • Lack of Security Speedbump when leaving the site.
  • Weak Captcha / Captcha Bypass
  • Login or Forgot Password page brute force and account lockout not enforced.
  • OPTIONS HTTP method enabled
  • HTTPS Mixed Content Scripts
  • Username / email enumeration
    • via Login Page error message
    • via Forgot Password error message
  • Missing HTTP security headers, specifically (https://www.owasp.org/index.php/List_of_useful_HTTP_headers), e.g.
    • Strict-Transport-Security
    • X-Frame-Options
    • X-XSS-Protection
    • X-Content-Type-Options
    • Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP
    • Content-Security-Policy-Report-Only
  • The following SSL Issues:
    • SSL Attacks such as BEAST, BREACH, Renegotiation attack
    • SSL Forward secrecy not enabled
    • SSL weak / insecure cipher suites
  • Note: While non exploitable SSL vulnerabilities are out of scope, remotely exploitable SSL bugs on the binaries or the website will be considered.
  • Reports pertaining to DKIM, SPF, and related email anti-spam technology

Out of Scope bugs for Mobile apps:

  • Absence of certificate pinning
  • Sensitive data in URLs/request bodies when protected by TLS
  • User data stored unencrypted on the file system
  • Lack of obfuscation
  • Lack of binary protection (anti-debugging), jailbreak detection or exploit mitigation controls
  • oauth "app secret" hard-coded/recoverable in apk/ipa
  • Crashes due to malformed URL Schemes / Intents
  • Runtime hacking exploits (exploits only possible in a jailbroken environment)
  • Path disclosure in the binary
  • Shared links leaked through the system clipboard
  • Any kind of sensitive data stored in app private directory

Out of Scope for Mac/Windows apps

  • Local attacks that require an attacker to already have root/Administrator privilege on the victim system
  • Local attacks which only work when security misconfigurations are introduced on the victim system (example: systems where users have made c:\ world-writable).
  • Privilege escalations in which the attacker is assumed to already have code execution in the victim's account, and where the escalation requires socially engineering the victim to elevate privileges e.g. through UAC.

Scoping information for Hardware Devices

  • The hardware devices in scope for this program are the Aria 2, Ionic and Versa. All other hardware devices are not applicable for rewards.
  • Any physical attacks on hardware devices (i.e. any attacks that require you to physically interact with the device) are excluded from this program.
  • Device DoS attacks conducted via Fitbit applications are out of scope.

Program Rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.

This bounty requires explicit permission to disclose the results of a submission.