• $100 – $2,500 per vulnerability
  • Partial safe harbor
  • Managed by Bugcrowd

Program stats

236 vulnerabilities rewarded

Validation within 1 day
75% of submissions are accepted or rejected within 1 day

$476.47 average payout (last 3 months)

Recently joined this program: 1139 total


Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

Fitbit's mission is to empower people to lead healthier, more active lives by providing them with data, inspiration, and guidance to reach their goals. To achieve this mission, we must earn and maintain the trust of our users that we will protect the privacy and security of their data.

We see the community as a key partner in our efforts to ensure our systems and users' data remain safe. We're grateful for all information responsibly disclosed to us.

Reward range

Technical severity    Reward range
P1 Critical           $2,000 - $2,500
P2 Severe             $1,200 - $1,500
P3 Moderate           $300 - $500
P4 Low                Starting at: $100

P5 submissions do not receive any rewards for this program.


In scope

Target name  Type  Tags

(target name not preserved)  Website Testing
  • jQuery
  • Lodash
  • Bootstrap
  • Adobe Experience Manager
  • Handlebars
  • Java
  • Newrelic
  • Website Testing
(target name not preserved)  Website Testing
  • API Testing
  • Website Testing
Fitbit Hardware Devices  Hardware Testing
  • Hardware Testing
(target name not preserved)  API Testing
  • API Testing
  • HTTP
(target name not preserved)  API Testing
  • API Testing
  • HTTP
(target name not preserved)  Website Testing
  • jQuery
  • Javascript
  • Cloudflare CDN
  • Website Testing
(target name not preserved)  Website Testing
  • ReactJS
  • Lodash
  • Cloudflare CDN
  • Website Testing
(target name not preserved)  Website Testing
  • Ruby on Rails
  • jQuery
  • Angular
  • Ruby
  • Stripe
  • Newrelic
  • Website Testing
(target name not preserved)  Website Testing
  • API Testing
  • Website Testing
(target name not preserved)  Website Testing
  • Moment.js
  • jQuery
  • Handlebars
  • Website Testing
Fitbit Connect for MacOS & Windows Other
"Fitbit" app for Android Android
  • Mobile Application Testing
  • Android
  • Java
  • Kotlin
"Fitbit" app for iOS iOS
  • Mobile Application Testing
  • iOS
  • Objective-C
  • Swift
  • SwiftUI
"Fitbit" app for Windows 10 & Mobile Other
  • Desktop Application Testing
  • Windows
"Fitbit Coach" app for Android Android
  • Mobile Application Testing
  • Android
  • Java
  • Kotlin
"Fitbit Coach" app for iOS iOS
  • Mobile Application Testing
  • iOS
  • Objective-C
  • Swift
  • SwiftUI
"Fitbit Coach" app for Windows 10 & Mobile Other
  • Desktop Application Testing
  • Windows
"Fitstar Yoga" app for iOS iOS
  • Mobile Application Testing
  • iOS
  • Objective-C
  • Swift
  • SwiftUI

Out of scope

Target name  Type
store-*  Website Testing
(three further Website Testing targets, names not preserved)

Prohibited testing

The following types of attacks are not authorized for this bounty program:

  • Any type of denial of service attack
  • High volume automated submission of contact forms (please don't do it)
  • Social engineering and phishing
  • Physical access to infrastructure

You may test vulnerabilities against your own accounts, but you must not attack other users or otherwise impair their experience on the platform.

Focus Areas

  • Web Application
    • Dashboard and User Settings
    • Corporate Wellness
    • Fitbit Developer Platform
  • Fitbit API
  • Fitbit Mac, Windows, iOS & Android Clients
  • Fitbit OS (running on the Ionic & Versa family of hardware devices)
  • Fitbit hardware devices

Getting started with testing

Sign up for a Fitbit account here.

Fitbit Mobile apps:

Fitbit client applications:

API Information and Documentation:

Please ensure that you're running the latest version of our applications & device firmware.
We will not accept submissions in outdated firmware versions or application builds.

Fitbit OS

We are interested in the following issues related to our smartwatches:

  • Sandbox escapes
  • Permission bypasses
  • Information leaks

The scope of our interest includes applications running on the tracker, the iOS/Android/Windows companion applications and the runtime environment.
Any vulnerabilities found in third-party developed applications available for download through the Fitbit app gallery are not in-scope for rewards.
Whilst we will not pay bounties on security issues found in third party applications, we will accept submissions and attempt to pass them on to the developer.

Out of Scope Resources

Resources are out of scope unless specifically listed above. In particular, the Fitbit Web Store (store-*) is a notable example of a resource that is not in scope.

Please note that we do not provide logins for our corporate wellness programs to bug bounty participants.

Please read and follow the rules in the Standard Disclosure Terms.

Note: This program is first-identification only; there is no bounty for pivoting. If you find a critical issue and wish to prove the threat scenario, describe it thoroughly using the comment system. Do not go past the first identified vulnerability in testing, and do not exfiltrate any internal data.


The following finding types are specifically excluded from the bounty:

  • Bug reports speculating on rate limiting behavior (or absence thereof) if you were to submit a huge number of requests (note: the standard Bugcrowd terms already exclude DoS attacks)
  • Descriptive error messages (e.g. Stack Traces, application or server errors).
  • HTTP 404 codes/pages or other HTTP non-200 codes/pages.
  • Fingerprinting / banner disclosure on common/public services.
  • Disclosure of known public files or directories, (e.g. robots.txt).
  • Clickjacking and issues only exploitable through clickjacking.
  • CSRF on forms that are available to anonymous users (e.g. the contact form).
  • Logout Cross-Site Request Forgery (logout CSRF).
  • Self-XSS and issues exploitable only through Self-XSS.
  • Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
  • Lack of Secure/HTTPOnly flags on non-sensitive Cookies.
  • Lack of Security Speedbump when leaving the site.
  • Weak Captcha / Captcha Bypass
  • Login or Forgot Password page brute force and account lockout not enforced.
  • OPTIONS HTTP method enabled
  • HTTPS Mixed Content Scripts
  • Username / email enumeration
    • via Login Page error message
    • via Forgot Password error message
  • Missing HTTP security headers, e.g.
    • Strict-Transport-Security
    • X-Frame-Options
    • X-XSS-Protection
    • X-Content-Type-Options
    • Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP
    • Content-Security-Policy-Report-Only
  • The following SSL Issues:
    • SSL Attacks such as BEAST, BREACH, Renegotiation attack
    • SSL Forward secrecy not enabled
    • SSL weak / insecure cipher suites
  • Note: While non-exploitable SSL vulnerabilities are out of scope, remotely exploitable SSL bugs in the binaries or on the website will be considered.
  • Reports pertaining to DKIM, SPF, and related email anti-spam technology

Out of Scope bugs for Mobile apps:

  • Absence of certificate pinning
  • Sensitive data in URLs/request bodies when protected by TLS
  • User data stored unencrypted on the file system
  • Lack of obfuscation
  • Lack of binary protection (anti-debugging), jailbreak detection or exploit mitigation controls
  • OAuth "app secret" hard-coded in or recoverable from the APK/IPA
  • Crashes due to malformed URL Schemes / Intents
  • Runtime hacking exploits (exploits only possible in a jailbroken environment)
  • Path disclosure in the binary
  • Shared links leaked through the system clipboard
  • Any kind of sensitive data stored in app private directory

Out of Scope for Mac/Windows apps

  • Local attacks that require an attacker to already have root/Administrator privilege on the victim system
  • Local attacks which only work when security misconfigurations are introduced on the victim system (example: systems where users have made c:\ world-writable).
  • Privilege escalations in which the attacker is assumed to already have code execution in the victim's account, and where the escalation requires socially engineering the victim to elevate privileges e.g. through UAC.

Scoping information for Hardware Devices

  • All of our hardware devices are in scope for this program, with the exception of any device which is no longer supported. A listing of devices which are no longer supported can be found here.
  • Any physical attacks on hardware devices (i.e. any attacks that require you to physically interact with the device) are excluded from this program.
  • Device DoS attacks conducted via Fitbit applications are out of scope.

Testing is only authorized on the targets listed as In-Scope. Any domain or property of Fitbit not listed in the targets section is out of scope, including any and all subdomains not listed above. If you identify a security vulnerability on a target that is not in scope but that demonstrably belongs to Fitbit, you may report it to this program, and it is appreciated, but it will likely be marked as 'not applicable' and will often not be eligible for monetary or points-based compensation. Depending on severity and impact, some out-of-scope findings may still be eligible for a reward.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.

This bounty requires explicit permission to disclose the results of a submission.