Fitbit bug bounty program now pays for vulnerability reports

Bug hunters can now expect to be paid for their efforts, now that the Fitbit public and private programs have merged.

Fitbit has expanded its public bug bounty program to offer financial incentives for vulnerability discoveries.

On Wednesday, Bugcrowd, which hosts the Fitbit program, announced the inclusion of paid rewards at up to $2,500 per vulnerability.

The public bug bounty scheme, hosted on Bugcrowd, asks bug hunters to focus on vulnerabilities in web domains such as fitbit.com, api.fitbit.com, android-api.fitbit.com, and dev.fitbit.com.

Bugs that could compromise the dashboard and user settings, the Fitbit store, the API, or the sync apps for macOS, Windows, iOS, and Android are in scope. The program has also been expanded to include the new Fitbit Ionic smartwatch.

The company will pay between $100 and $2,500 for valid security flaws, including cross-site scripting (XSS) bugs, vulnerabilities that permit remote code execution, and domain or session hijacking.

The financial reward depends on the severity of the vulnerability discovered, although there are no guidelines at the time of writing on how these amounts will be calculated.

To date, researchers have disclosed 118 vulnerabilities through the program; with cash now on offer, new researchers may well join the hunt.

"As the leading global wearables brand, Fitbit has always been committed to protecting consumer privacy and keeping data safe," said Marc Bown, senior director of security at Fitbit. "We're constantly looking for ways to strengthen our security and partnering with Bugcrowd to leverage its global network will help us continue to develop industry-leading security practices while delivering the best health and fitness experiences for our users."

Bug bounties have become integral to many security programs. Technology giants including Apple, Google, Samsung, and Microsoft all offer financial rewards to security researchers for disclosing vulnerabilities.

Intel joined the bug bounty circuit in 2017 with opening offers of up to $30,000 for critical issues. Researchers can earn up to $7,500 for critical software bugs, up to $10,000 for critical firmware security flaws, and up to $30,000 for critical hardware vulnerabilities.

In 2017, Google awarded vulnerability hunters $2.9 million through bug bounties, with close to $12 million being awarded since 2010.
