Fitbit's mission is to empower people to lead healthier, more active lives by providing them with data, inspiration, and guidance to reach their goals. To achieve this mission, we must earn and maintain the trust of our users that we will protect the privacy and security of their data.
We see the community as a key partner in our efforts to ensure our systems and users' data remain safe. We're grateful for all information responsibly disclosed to us.
| Technical severity | Reward range |
|---|---|
| P1 Critical | $2,000 - $2,500 |
| P2 Severe | $1,200 - $1,500 |
| P3 Moderate | $300 - $500 |
| P4 Low | Starting at $100 |
Out of scope
The following types of attacks are not authorized for this bounty program:
- Any type of denial of service attack
- High volume automated submission of contact forms (please don't do it)
- Social engineering and phishing
- Physical access to infrastructure
You may test vulnerabilities against your own accounts, but you must not attack other users or otherwise impair their experience on the platform.
In scope
- Web Application
- Dashboard and User Settings
- Corporate Wellness
- Fitbit Developer Platform (https://studio.fitbit.com)
- Fitbit API
- Fitbit Mac, Windows, iOS & Android Clients
- Fitbit OS (running on the Ionic & Versa family of hardware devices)
- Fitbit hardware devices
Getting started with testing
- Sign up for a Fitbit account
- Fitbit mobile apps
- Fitbit client applications
- API information and documentation
Please ensure that you're running the latest version of our applications and device firmware. Submissions against outdated firmware versions or application builds will not be accepted.
We are interested in the following issues related to our smartwatches:
- Sandbox escapes
- Permission bypasses
- Information leaks
The scope of our interest includes applications running on the tracker, the iOS/Android/Windows companion applications and the runtime environment.
Vulnerabilities found in third-party developed applications available for download through the Fitbit app gallery are not in scope for rewards. While we will not pay bounties on security issues in third-party applications, we will accept such submissions and attempt to pass them on to the developer.
Out of Scope Resources
Resources are out of scope unless specifically listed above. In particular, please note that community.fitbit.com, help.fitbit.com and the Fitbit Web Store (store-*.fitbit.com & fitbit.com/store) are notable examples of resources not in scope.
Please note, we do not provide logins for our corporate wellness programs (corporate.fitbit.com) for bug bounty participants.
Please read and follow the rules in the Standard Disclosure Terms.
Note: This program rewards first identification only; pivoting from a finding is not permitted. If you find a critical issue and wish to prove the threat scenario, use the comment system and describe it thoroughly rather than demonstrating it. Do not go past the first identified vulnerability in testing, and do not exfiltrate any internal data.
The following finding types are specifically excluded from the bounty:
- Bug reports speculating on rate limiting behavior (or absence thereof) if you were to submit a huge number of requests (note: the standard Bugcrowd terms already exclude DoS attacks)
- Descriptive error messages (e.g. Stack Traces, application or server errors).
- HTTP 404 codes/pages or other HTTP non-200 codes/pages.
- Fingerprinting / banner disclosure on common/public services.
- Disclosure of known public files or directories, (e.g. robots.txt).
- Clickjacking and issues only exploitable through clickjacking.
- CSRF on forms that are available to anonymous users (e.g. the contact form).
- Logout Cross-Site Request Forgery (logout CSRF).
- Self-XSS and issues exploitable only through Self-XSS.
- Presence of application or web browser "autocomplete" or "save password" functionality.
- Lack of Secure/HttpOnly flags on non-sensitive cookies.
- Lack of Security Speedbump when leaving the site.
- Weak Captcha / Captcha Bypass
- Login or Forgot Password page brute force and account lockout not enforced.
- OPTIONS HTTP method enabled
- HTTPS Mixed Content Scripts
- Username / email enumeration
  - via Login page error message
  - via Forgot Password page error message
- Missing HTTP security headers (see https://www.owasp.org/index.php/List_of_useful_HTTP_headers), e.g.
  - Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP
- The following SSL/TLS issues:
  - SSL attacks such as BEAST, BREACH, and renegotiation attacks
  - Forward secrecy not enabled
  - Weak / insecure cipher suites
  - Note: while non-exploitable SSL/TLS findings are out of scope, remotely exploitable SSL/TLS bugs in the binaries or on the website will be considered.
- Reports pertaining to DKIM, SPF, and related email anti-spam technology
Out of Scope bugs for Mobile apps:
- Absence of certificate pinning
- Sensitive data in URLs/request bodies when protected by TLS
- User data stored unencrypted on the file system
- Lack of obfuscation
- Lack of binary protection (anti-debugging), jailbreak detection or exploit mitigation controls
- OAuth "app secret" hard-coded in or recoverable from the APK/IPA
- Crashes due to malformed URL Schemes / Intents
- Runtime hacking exploits (exploits only possible in a jailbroken environment)
- Path disclosure in the binary
- Shared links leaked through the system clipboard
- Any kind of sensitive data stored in app private directory
Out of Scope for Mac/Windows apps
- Local attacks that require an attacker to already have root/Administrator privilege on the victim system
- Local attacks which only work when security misconfigurations are introduced on the victim system (example: systems where users have made c:\ world-writable).
- Privilege escalations in which the attacker is assumed to already have code execution in the victim's account, and where the escalation requires socially engineering the victim to elevate privileges e.g. through UAC.
Scoping information for Hardware Devices
- All of our hardware devices are in scope for this program, with the exception of any device which is no longer supported. A listing of devices which are no longer supported can be found here.
- Any physical attacks on hardware devices (i.e. any attacks that require you to physically interact with the device) are excluded from this program.
- Device DoS attacks conducted via Fitbit applications are out of scope.
Testing is only authorized on the targets listed as in scope. Any domain or property of Fitbit not listed in the targets section is out of scope, including any and all subdomains not listed above. If you identify a security vulnerability on a target that is not in scope but that demonstrably belongs to Fitbit, you may report it to this program and we appreciate it, but it will likely be marked as 'not applicable' and will often not be eligible for monetary or points-based compensation. Depending on severity and impact, some out-of-scope findings may still be eligible for a reward.