Fitbit's mission is to empower people to lead healthier, more active lives by providing them with data, inspiration, and guidance to reach their goals. To achieve this mission, we must earn and maintain the trust of our users that we will protect the privacy and security of their data.
We see the community as a key partner in our efforts to ensure our systems and users' data remain safe. We're grateful for all information responsibly disclosed to us.
Last updated 2 Oct 2018 19:16:38 UTC
Technical severity | Reward range
P1 Critical | $2,000 - $2,500
P2 Severe | $1,200 - $1,500
P3 Moderate | $300 - $500
P4 Low | Starting at: $100
P5 submissions do not receive any rewards for this program.
Target name | Type
www.fitbit.com | Website
api.fitbit.com | Website
Fitbit Hardware Devices | Hardware
*-client.fitbit.com | API
*-api.fitbit.com | API
dev.fitbit.com | Website
studio.fitbit.com | Website
coach.fitbit.com | Website
api.fitstar.com | Website
corporate.fitbit.com | Website
Fitbit Connect for MacOS & Windows | Other
"Fitbit" app for Android | Android
"Fitbit" app for iOS | iOS
"Fitbit" app for Windows 10 & Mobile | Other
"Fitbit Coach" app for Android | Android
"Fitbit Coach" app for iOS | iOS
"Fitbit Coach" app for Windows 10 & Mobile | Other
"Fitstar Yoga" app for iOS | iOS
The following types of attacks are not authorized for this bounty program:
You may test vulnerabilities against your own accounts, but you must not attack other users or otherwise impair their experience on the platform.
Sign up for a Fitbit account here
Fitbit Mobile apps:
Fitbit client applications:
API Information and Documentation:
Please ensure that you're running the latest version of our applications and firmware. We will not accept submissions against outdated firmware versions or application builds.
We are interested in the following issues related to our smartwatches:
The scope of our interest includes applications running on the tracker, the iOS/Android/Windows companion applications, and the runtime environment.
Any vulnerabilities found in third-party developed applications available for download through the Fitbit app gallery are not in-scope for rewards.
Whilst we will not pay bounties on security issues found in third party applications, we will accept submissions and attempt to pass them on to the developer.
Resources are out of scope unless specifically listed above. In particular, please note that community.fitbit.com and help.fitbit.com are notable examples of resources not in scope.
Please note, we do not provide logins for our corporate wellness programs (corporate.fitbit.com) for bug bounty participants.
Please read and follow the rules in the Standard Disclosure Terms.
Note: This program is considered a 1st identification only, no pivoting bounty. If you find a critical issue and wish to prove the threat scenario please use the comment system and describe it thoroughly. Do not go past the 1st identified vulnerability in testing. Do not exfiltrate any internal data.
This program follows Bugcrowd’s standard disclosure terms.
This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.
This bounty requires explicit permission to disclose the results of a submission.
Firebounty crawled the Fitbit program on the Bugcrowd platform on 2015-10-20.