Fitbit's mission is to empower people to lead healthier, more active lives by providing them with data, inspiration and guidance to reach their goals. To achieve this mission, we must earn and maintain the trust of our users that we will protect the privacy and security of their data.

We see the community as a key partner in our efforts to ensure our systems and users' data remain safe. We're grateful for all information responsibly disclosed to us.

Focus Areas

  • Web
    • Dashboard and User Settings
    • Store
    • Corporate Wellness
  • API
  • Sync Clients on Mac, Windows, iOS, Android

Targets

In scope

  • corporate.fitbit.com
  • <Latest released Fitstar Personal Trainer for iOS>
  • <Latest released Fitstar Personal Trainer for Android>
  • <Latest released Fitstar Yoga for iOS>
  • <Latest released "Fitbit" app for iOS>
  • <Latest released "Fitbit" app for Android>
  • <Latest released "Fitbit" app for Windows 10+>
  • <Latest released Fitbit Connect 2.x for MacOS>
  • <Latest released Fitbit Connect 2.x (for users of Windows < 10)>
  • dev.fitbit.com
  • api.fitstar.com
  • app.fitstar.com
  • iphone-client.fitbit.com
  • iphone-api.fitbit.com
  • desktop-client.fitbit.com
  • desktop-api.fitbit.com
  • android-client.fitbit.com
  • android-api.fitbit.com
  • api.fitbit.com
  • www.fitbit.com

This program does not require a Fitbit device to participate.

  • Sign up for a Fitbit account at https://www.fitbit.com/signup

Download Fitbit apps

  • iOS - https://itunes.apple.com/us/app/fitbit/id462638897?mt=8
  • Android - https://play.google.com/store/apps/details?id=com.fitbit.FitbitMobile&hl=en

Download Fitbit client application:

  • Mac OS - https://www.fitbit.com/setup?platform=mac
  • Windows < 10 - https://www.fitbit.com/setup?platform=win
  • Windows 10+/Windows Phone - https://www.fitbit.com/setup?platform=win10

API Information and Documentation:

  • http://dev.fitbit.com/

Out of Scope Resources

Resources are out of scope unless specifically listed above. In particular, please note that Fitstar.com, community.fitbit.com, and help.fitbit.com are notable examples of resources not in scope.

Please note that we do not provide logins for our corporate wellness programs (corporate.fitbit.com) to bug bounty participants; however, we are interested in hearing about unauthenticated issues within the site.

Please read and follow the rules in the Standard Disclosure Terms.

Note: This program is considered a 1st identification only, no pivoting bounty. If you find a critical issue and wish to prove the threat scenario please use the comment system and describe it thoroughly. Do not go past the 1st identified vulnerability in testing. Do not exfiltrate any internal data.

The following finding types are specifically excluded from the bounty:

  • Descriptive error messages (e.g. Stack Traces, application or server errors).
  • HTTP 404 codes/pages or other HTTP non-200 codes/pages.
  • Fingerprinting / banner disclosure on common/public services.
  • Disclosure of known public files or directories, (e.g. robots.txt).
  • Clickjacking and issues only exploitable through clickjacking.
  • CSRF on forms that are available to anonymous users (e.g. the contact form).
  • Logout Cross-Site Request Forgery (logout CSRF).
  • Self-XSS and issues exploitable only through Self-XSS.
  • Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
  • Lack of Secure/HTTPOnly flags on non-sensitive Cookies.
  • Lack of Security Speedbump when leaving the site.
  • Weak Captcha / Captcha Bypass
  • Login or Forgot Password page brute force and account lockout not enforced.
  • Bug reports speculating on rate limiting behavior (or absence thereof) if you were to submit a huge number of requests. (Note that Standard Bugcrowd Terms already exclude actually DoS’ing.)
  • OPTIONS HTTP method enabled
  • HTTPS Mixed Content Scripts
  • Username / email enumeration
    • via Login Page error message
    • via Forgot Password error message
  • Missing HTTP security headers, specifically (https://www.owasp.org/index.php/List_of_useful_HTTP_headers), e.g.
    • Strict-Transport-Security
    • X-Frame-Options
    • X-XSS-Protection
    • X-Content-Type-Options
    • Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP
    • Content-Security-Policy-Report-Only
  • The following SSL Issues:
    • SSL Attacks such as BEAST, BREACH, Renegotiation attack
    • SSL Forward secrecy not enabled
    • SSL weak / insecure cipher suites
  • Note: While non-exploitable SSL vulnerabilities are out of scope, remotely exploitable SSL bugs in the binaries or on the website will be considered.
  • Reports pertaining to DKIM, SPF, and related email anti-spam technology

Out of Scope bugs for Android apps

  • Shared links leaked through the system clipboard.
  • Any URIs leaked because a malicious app has permission to view URIs opened
  • Absence of certificate pinning
  • Sensitive data in URLs/request bodies when protected by TLS
  • User data stored unencrypted on external storage
  • Lack of obfuscation
  • OAuth "app secret" hard-coded/recoverable in the APK
  • Crashes due to malformed Intents sent to an exported Activity/Service/BroadcastReceiver (exploiting these for sensitive data leakage is commonly in scope)
  • Any kind of sensitive data stored in app private directory
  • Lack of binary protection control in android app

Out of Scope bugs for iOS apps

  • Lack of exploit mitigations, i.e. PIE, ARC, or stack canaries
  • Absence of certificate pinning
  • Path disclosure in the binary
  • User data stored unencrypted on the file system
  • Lack of obfuscation
  • Lack of jailbreak detection
  • OAuth "app secret" hard-coded/recoverable in apk
  • Crashes due to malformed URL Schemes
  • Lack of binary protection (anti-debugging) controls
  • Snapshot/Pasteboard leakage
  • Runtime hacking exploits (exploits only possible in a jailbroken environment)

Out of Scope for Mac/Windows apps

  • Local attacks that require an attacker to already have root/Administrator privilege on the “victim” system
  • Local attacks which only work when security misconfigurations are introduced on the “victim” system (example: systems where users have made c:\ world-writable).
  • Privilege escalations in which the attacker is assumed to already have code execution in the victim's account, and where the escalation requires socially engineering the victim to elevate privileges e.g. through UAC.

Rules

This bounty follows Bugcrowd’s standard disclosure terms.

This bounty requires explicit permission to disclose the results of a submission.