Fitbit bug bounty program now pays for vulnerability reports

Bug hunters can expect to be paid for their efforts now the Fitbit public and private programs have merged.
Written by Charlie Osborne, Contributing Writer
Max Pixel

Fitbit has expanded its public bug bounty program to offer financial incentives for vulnerability discoveries.

On Wednesday, Bugcrowd, which hosts the Fitbit program, announced the inclusion of paid rewards at up to $2,500 per vulnerability.

The public bug bounty scheme, hosted on Bugcrowd, asks bug hunters to focus on vulnerabilities in web domains such as fitbit.com, api.fitbit.com, android-api.fitbit.com, and dev.fitbit.com.

Bugs which may compromise dashboard and user settings, the Fitbit store, the API, and sync apps for the Mac, Windows, iOS, and Android operating systems are of interest. In addition, the program has been expanded to include the new Fitbit Ionic smartwatch.

The company will pay between $100 and $2,500 for valid security flaws, potentially including cross-site scripting (XSS) bugs, vulnerabilities which permit remote code execution, and domain or session hijacking.

The financial reward depends on the severity of the vulnerability discovered, although there are no guidelines at the time of writing on how these amounts will be calculated.

To date, researchers have disclosed 118 vulnerabilities through the program, but with cash now on offer, it is possible that new players will join the hunt.

"As the leading global wearables brand, Fitbit has always been committed to protecting consumer privacy and keeping data safe," said Marc Bown, senior director of security at Fitbit. "We're constantly looking for ways to strengthen our security and partnering with Bugcrowd to leverage its global network will help us continue to develop industry-leading security practices while delivering the best health and fitness experiences for our users."

Bug bounties have become integral to many security programs. Technology giants including Apple, Google, Samsung, and Microsoft all offer financial rewards to security researchers for disclosing vulnerabilities.

See also: Zerodium offers $45,000 for Linux zero-day vulnerabilities

Intel joined the bug bounty circuit in 2017 with opening offers of up to $30,000 for critical issues. Researchers can earn up to $7,500 for critical software bugs, up to $10,000 for critical firmware security flaws, and up to $30,000 for critical hardware vulnerabilities.

In 2017, Google awarded vulnerability hunters $2.9 million through bug bounties, with close to $12 million being awarded since 2010.

10 steps to erase your digital footprint

Previous and related coverage

    Bug bounty hunter reveals DJI SSL, firmware keys have been public for years

    Opinion: The researcher has discarded $30,000 to ensure there is full public disclosure of the drone maker's poor security and revealing how not every bug bounty hunt ends well.

    Researcher discloses 10 D-Link zero-day router flaws

    The security researcher says the general public should immediately disconnect their router until patches are available.

    Triton exploited zero-day flaw to target industrial systems

    Schneider Electric has revealed how the Trojan managed to disrupt core industrial systems in the Middle East.

      Editorial standards