| Scope Type | Scope Name |
|---|---|
| android_application | "Fitbit" app for Android |
| android_application | "Fitbit Coach" app for Android |
| ios_application | "Fitbit" app for iOS |
| ios_application | "Fitbit Coach" app for iOS |
| ios_application | "Fitstar Yoga" app for iOS |
| other | Fitbit Connect for MacOS & Windows |
| other | "Fitbit" app for Windows 10 & Mobile |
| other | "Fitbit Coach" app for Windows 10 & Mobile |
Fitbit's mission is to empower people to lead healthier, more active lives by providing them with data, inspiration, and guidance to reach their goals. To achieve this mission, we must earn and maintain the trust of our users that we will protect the privacy and security of their data.
We see the community as a key partner in our efforts to ensure our systems and users' data remain safe. We're grateful for all information responsibly disclosed to us.
Last updated 2 Oct 2018 19:16:38 UTC
| Technical severity | Reward range |
|---|---|
| P1 Critical | $2,000 - $2,500 |
| P2 Severe | $1,200 - $1,500 |
| P3 Moderate | $300 - $500 |
| P4 Low | Starting at $100 |

P5 submissions do not receive any rewards for this program.
| Target name | Type |
|---|---|
| www.fitbit.com | Website |
| api.fitbit.com | Website |
| Fitbit OS | IoT |
| android-api.fitbit.com | Website |
| android-client.fitbit.com | Website |
| desktop-api.fitbit.com | Website |
| desktop-client.fitbit.com | Website |
| iphone-api.fitbit.com | Website |
| web-api.fitbit.com | API |
| iphone-client.fitbit.com | Website |
| api.fitstar.com | Website |
| dev.fitbit.com | Website |
| studio.fitbit.com | Website |
| corporate.fitbit.com | Website |
| coach.fitbit.com | Website |
| Fitbit Connect for MacOS & Windows | Other |
| "Fitbit" app for Android | Android |
| "Fitbit" app for iOS | iOS |
| "Fitbit" app for Windows 10 & Mobile | Other |
| "Fitbit Coach" app for Android | Android |
| "Fitbit Coach" app for iOS | iOS |
| "Fitbit Coach" app for Windows 10 & Mobile | Other |
| "Fitstar Yoga" app for iOS | iOS |
| Fitbit Ionic | IoT |
| Fitbit Versa | IoT |
The following types of attacks are not authorized for this bounty program:
You may test vulnerabilities against your own accounts, but you must not attack other users or otherwise impair their experience on the platform.
Sign up for a Fitbit account here
Fitbit Mobile apps:
Fitbit client applications:
API Information and Documentation:
Please ensure that you're running the latest version of our applications & device firmware.
As part of the addition of our smart watches to our Bug Bounty program, we are interested in the following issues:
We are interested in issues impacting applications running on the tracker, the iOS/Android companion applications and the runtime environment.
Any vulnerabilities found in third-party developed applications available for download through the Fitbit app gallery are not in scope for rewards. Whilst we will not pay bounties on security issues found in third-party applications, we will accept submissions and attempt to pass them on to the developer.
Resources are out of scope unless specifically listed above. In particular, please note that community.fitbit.com and help.fitbit.com are notable examples of resources not in scope.
Please note that we do not provide logins for our corporate wellness programs (corporate.fitbit.com) to bug bounty participants; however, we are interested to hear about unauthenticated issues within the site.
Please read and follow the rules in the Standard Disclosure Terms.
Note: This program rewards first identification only; pivoting from an identified vulnerability is not permitted. If you find a critical issue and wish to prove the threat scenario, please use the comment system and describe it thoroughly. Do not go past the first identified vulnerability in testing. Do not exfiltrate any internal data.
This program follows Bugcrowd’s standard disclosure terms.
This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.
This bounty requires explicit permission to disclose the results of a submission.