2023-06-26

Withings

Context

Withings creates connected devices that make better health part of daily life. Our clinically validated and multi-award winning range is used by millions worldwide, and includes smart scales, hybrid watches, sleep analyzers and more. Everything connects to our app, which helps people get deep insights on their health, and find tailored programs to improve it.

With the goal of improving the security of our users and partners, we decided to launch a Bug Bounty program because we believe that security researchers will greatly help us achieve this goal.

To start our public program, we focus on our public API, our login portal and our web application Withings App. The scope of our public program will grow over time.

Program Rules

If you are working on this program, you must abide by all of the following rules:

  • You must be the first reporter of a valid vulnerability (any duplicate reports will not be rewarded).
  • Denial of service attacks are prohibited.
  • Under no circumstances should you disclose, manipulate or destroy user data.
  • Public or private disclosure of a vulnerability is prohibited.
  • Disclose the vulnerability report exclusively through Yes We Hack.
  • You must not be a current or former employee of Withings.
  • Never attempt non-technical attacks such as social engineering, phishing or physical attacks.
  • You must not violate any local, state, national or international law.
  • You are only allowed to perform tests on your own devices.
  • In the event of non-compliance with the rules, Withings reserves the right to take legal action against the transgressor.

Documentation

Public API (https://wbsapi.withings.net) documentation is available here.

In Scope

Scope Type        Scope Name
api               https://wbsapi.withings.net
api               https://scalews.withings.com
undefined         Body Scan scale
undefined         Body Comp scale
undefined         Scanwatch Light
undefined         Scanwatch 2
undefined         Scanwatch Nova
undefined         Scanwatch
web_application   https://healthmate.withings.com
web_application   https://account.withings.com
web_application   https://app.withings.com
web_application   https://developer.withings.com/dashboard/

Out of Scope

Scope Type        Scope Name
undefined         All domains, devices and mobile Apps not listed In-Scope.


This policy, crawled by Onyphe on 2023-06-26, is sorted as bounty.
