Appeared originally on the Fitbit Engineering Blog

We were thrilled to hear today that the Fitbit Security Team has won two awards in Bugcrowd’s second annual Buggy Awards.  This year we took home the “Best Response Time” and “Program of the Year” awards.

Now that we have three Buggy Awards in our trophy cabinet (we took home “Best Response Time” last year) it feels like a great time to share a little more about what our bug bounty programs, and these awards, mean to us.

Fitbit started our bug bounty journey about 18 months ago and has had a great response to the program from the research community and from our fellow Fitbitters.

From the start we wanted to treat the security community with the respect and gratitude they deserve.  We thought about which program attributes were important to researchers as well as which attributes could frustrate participants in our programs.  We felt that response time and clarity of communications were key, and we set out to maintain a program that excelled at both.

Being awarded the “Best Response Time” award is especially gratifying as it shows that we’re hitting those goals.  This didn’t happen by accident.  It took the work of a few of our dedicated security team members to set up the processes to ensure that we triage and respond to issues in a timely manner.  We’d especially like to thank Jim Hebert who was key to this process.

We are also humbled and honored to have received the “Program of the Year” award.  Bugcrowd tells us that this award looks at several variables including breadth and complexity of scope, reward range, payouts, communication and response time.

When we started our bug bounty program, we wanted to ensure that we were doing it for the right reasons and that we clearly understood what we were trying to achieve.  It’s easy to turn a program on; it’s harder to run a program that is respectful to the security community and that adds meaningful value to the security team’s efforts.

We’ve put a lot of thought and effort into crafting our bounty briefs and evolving our program over time.  That has meant carefully balancing where we’ve invested resources (e.g., by using different combinations of public and private programs, paid and kudos-only programs) and modifying our scope over time to align with our evolving priorities.

Thanks again to the Bugcrowd team and to the security community as a whole.  We look forward to continuing to work with both in the future.  We also hope that we can serve as a model for other security teams, especially in the wearables and IoT space.  Toward that end, we’d also like to congratulate this year’s other Buggy award winner, Tesla, and all of the individual researchers that took home awards. Our experience has shown us that including crowdsourced security as part of a comprehensive security program isn’t always easy, but it is most definitely fruitful and rewarding.