This customer blog originally appeared on Fitbit’s engineering blog, written by Katie Foster, security engineer at Fitbit.
Fitbit has always been committed to protecting consumer privacy and keeping data safe. Our internal security team is constantly testing our products for vulnerabilities as we strive to continuously strengthen our security. And, as our devices become more and more complex, we are more mindful than ever that weaknesses can be difficult to identify. That’s why Fitbit has been partnering with Bugcrowd – a crowdsourced security solution. Bugcrowd utilizes a global team of security researchers to help companies discover and remediate software vulnerabilities.
And today we’re extending our security bug bounty program to include a paid, public program.
Through Bugcrowd’s platform, security researchers from all over the world can test our software and devices. To thank researchers for their time and effort in discovering security issues, we will offer financial rewards (ranging from US$100 to US$2500) for any valid, non-duplicate submission.
The expansion of our bug bounty program is a natural progression of the success we have experienced working with Bugcrowd in the past. We started our journey by initially offering a public “kudos” program – rewarding researchers with recognition and a thank you from us when they helped identify a security issue. Shortly after, we decided to venture into paid bounties with a private program. To date, we have rewarded over $60,000 to researchers, with an average payout of $600 per submission.
The addition of a public, reward-based program complements our internal security assurance and testing capabilities. Raising security researchers’ interest in our program effectively extends the size of our security team; there are over 60,000 researchers on the Bugcrowd platform. Using Bugcrowd enables Fitbit to achieve a depth and breadth of security testing at an unprecedented scale.
Security at this scale means that vulnerabilities are discovered even faster and in some very innovative ways. Adding our newest hardware devices to the program, including the Fitbit Ionic smartwatch and the Aria 2 scale, also offers an interesting landscape for researchers to test on. To date, around 400 researchers have submitted findings to us. We look forward to collaborating even more with the security research community and are proud to help lead the industry with this standard of security engagement.
If you are interested in checking out the program or participating, please head over to our page on Bugcrowd.