20/10/2015

Reward: 100 $

Fitbit

Fitbit's mission is to empower people to lead healthier, more active lives by providing them with data, inspiration, and guidance to reach their goals. To achieve this mission, we must earn and maintain the trust of our users that we will protect the privacy and security of their data.

We see the community as a key partner in our efforts to ensure our systems and users' data remain safe. We're grateful for all information responsibly disclosed to us.

Reward Range

Last updated 2 Oct 2018 19:16:38 UTC

Technical severity | Reward range
---|---
P1 Critical | $2,000 - $2,500
P2 Severe | $1,200 - $1,500
P3 Moderate | $300 - $500
P4 Low | Starting at: $100

P5 submissions do not receive any rewards for this program.

Targets

In scope

Target name | Type
---|---
www.fitbit.com | Website
api.fitbit.com | Website
Fitbit Hardware Devices | Hardware
*-client.fitbit.com | API
*-api.fitbit.com | API
dev.fitbit.com | Website
studio.fitbit.com | Website
coach.fitbit.com | Website
api.fitstar.com | Website
corporate.fitbit.com | Website
Fitbit Connect for MacOS & Windows | Other
"Fitbit" app for Android | Android
"Fitbit" app for iOS | iOS
"Fitbit" app for Windows 10 & Mobile | Other
"Fitbit Coach" app for Android | Android
"Fitbit Coach" app for iOS | iOS
"Fitbit Coach" app for Windows 10 & Mobile | Other
"Fitstar Yoga" app for iOS | iOS

Prohibited testing

The following types of attacks are not authorized for this bounty program:

  • Any type of denial of service attack
  • High volume automated submission of contact forms (please don't do it)
  • Social engineering and phishing
  • Physical access to infrastructure

You may test vulnerabilities against your own accounts, but you must not attack other users or otherwise impair their experience on the platform.

Focus Areas

  • Web Application
    • Dashboard and User Settings
    • Store
    • Corporate Wellness
    • Fitbit Developer Platform (https://studio.fitbit.com)
  • Fitbit API
  • Fitbit Mac, Windows, iOS & Android Clients
  • Fitbit OS (running on the Ionic & Versa family of hardware devices)
  • Fitbit hardware devices

Getting started with testing

Sign up for a Fitbit account here

Fitbit Mobile apps:

Fitbit client applications:

API Information and Documentation:

Please ensure that you're running the latest version of our applications & device firmware.
We will not accept submissions in outdated firmware versions or application builds.

Fitbit OS

We are interested in the following issues related to our smartwatches:

  • Sandbox escapes
  • Permission bypasses
  • Information leaks

The scope of our interest includes applications running on the tracker, the iOS/Android/Windows companion applications and the runtime environment.
Any vulnerabilities found in third-party developed applications available for download through the Fitbit app gallery are not in-scope for rewards.
Whilst we will not pay bounties on security issues found in third party applications, we will accept submissions and attempt to pass them on to the developer.

Out of Scope Resources

Resources are out of scope unless specifically listed above. In particular, please note that community.fitbit.com, and help.fitbit.com are notable examples of resources not in scope.

Please note, we do not provide logins for our corporate wellness programs (corporate.fitbit.com) for bug bounty participants.

Please read and follow the rules in the Standard Disclosure Terms.

Note: This program is a first-identification-only program; no bounty is paid for pivoting. If you find a critical issue and wish to prove the threat scenario, please use the comment system and describe it thoroughly. Do not go past the first identified vulnerability in testing. Do not exfiltrate any internal data.

Rewards:

Priority | Reward ($)
---|---
P1 | $2000 - $2500
P2 | $1200 - $1500
P3 | $300 - $500
P4 | $100

The following finding types are specifically excluded from the bounty:

  • Bug reports speculating on rate limiting behavior (or absence thereof) if you were to submit a huge number of requests (note: the standard Bugcrowd terms already exclude DoS attacks)
  • Descriptive error messages (e.g. Stack Traces, application or server errors).
  • HTTP 404 codes/pages or other HTTP non-200 codes/pages.
  • Fingerprinting / banner disclosure on common/public services.
  • Disclosure of known public files or directories, (e.g. robots.txt).
  • Clickjacking and issues only exploitable through clickjacking.
  • CSRF on forms that are available to anonymous users (e.g. the contact form).
  • Logout Cross-Site Request Forgery (logout CSRF).
  • Self-XSS and issues exploitable only through Self-XSS.
  • Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
  • Lack of Secure/HTTPOnly flags on non-sensitive Cookies.
  • Lack of Security Speedbump when leaving the site.
  • Weak Captcha / Captcha Bypass
  • Login or Forgot Password page brute force and account lockout not enforced.
  • OPTIONS HTTP method enabled
  • HTTPS Mixed Content Scripts
  • Username / email enumeration
    • via Login Page error message
    • via Forgot Password error message
  • Missing HTTP security headers, specifically (https://www.owasp.org/index.php/List_of_useful_HTTP_headers), e.g.
    • Strict-Transport-Security
    • X-Frame-Options
    • X-XSS-Protection
    • X-Content-Type-Options
    • Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP
    • Content-Security-Policy-Report-Only
  • The following SSL Issues:
    • SSL Attacks such as BEAST, BREACH, Renegotiation attack
    • SSL Forward secrecy not enabled
    • SSL weak / insecure cipher suites
  • Note: While non-exploitable SSL vulnerabilities are out of scope, remotely exploitable SSL bugs in the binaries or on the website will be considered.
  • Reports pertaining to DKIM, SPF, and related email anti-spam technology

Out of Scope bugs for Mobile apps:

  • Absence of certificate pinning
  • Sensitive data in URLs/request bodies when protected by TLS
  • User data stored unencrypted on the file system
  • Lack of obfuscation
  • Lack of binary protection (anti-debugging), jailbreak detection or exploit mitigation controls
  • OAuth "app secret" hard-coded/recoverable in the apk/ipa
  • Crashes due to malformed URL Schemes / Intents
  • Runtime hacking exploits (exploits only possible in a jailbroken environment)
  • Path disclosure in the binary
  • Shared links leaked through the system clipboard
  • Any kind of sensitive data stored in app private directory

Out of Scope for Mac/Windows apps

  • Local attacks that require an attacker to already have root/Administrator privilege on the victim system
  • Local attacks which only work when security misconfigurations are introduced on the victim system (example: systems where users have made c:\ world-writable).
  • Privilege escalations in which the attacker is assumed to already have code execution in the victim's account, and where the escalation requires socially engineering the victim to elevate privileges e.g. through UAC.

Scoping information for Hardware Devices

  • All of our hardware devices are in scope for this program, with the exception of any device which is no longer supported. A listing of devices which are no longer supported can be found here.
  • Any physical attacks on hardware devices (i.e. any attacks that require you to physically interact with the device) are excluded from this program.
  • Device DoS attacks conducted via Fitbit applications are out of scope.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.

This bounty requires explicit permission to disclose the results of a submission.

In Scope

Scope Type | Scope Name
---|---
android_application | "Fitbit" app for Android
android_application | "Fitbit Coach" app for Android
hardware | Fitbit Hardware Devices
ios_application | "Fitbit" app for iOS
ios_application | "Fitbit Coach" app for iOS
ios_application | "Fitstar Yoga" app for iOS
other | Fitbit Connect for MacOS & Windows
other | "Fitbit" app for Windows 10 & Mobile
other | "Fitbit Coach" app for Windows 10 & Mobile
web_application | www.fitbit.com
web_application | api.fitbit.com
web_application | api.fitstar.com
web_application | dev.fitbit.com
web_application | studio.fitbit.com
web_application | corporate.fitbit.com
web_application | coach.fitbit.com
web_application | *-client.fitbit.com
web_application | *-api.fitbit.com


Firebounty crawled the Fitbit program on the Bugcrowd platform on 2015-10-20.

FireBounty © 2015-2019
