Fitbit has upped its commitment to security by offering financial rewards for vulnerability discoveries as part of its public bug bounty program. On Wednesday the Fitbit program, hosted on Bugcrowd, announced that it would pay rewards of up to $2,500 for confirmed security flaws.
The program lists focus areas for hunters to search for bugs, including the API, the dashboard and user settings, the Fitbit store, the Sync Clients on Mac, Windows, iOS and Android, and the Aria 2 and Ionic hardware devices. Listed domains of interest include fitbit.com, api.fitbit.com, android-api.fitbit.com and many more.
Fitbit breaks its rewards into tiers based on priority, with priority four (the lowest priority) paying out $100, priority three paying up to $500, priority two paying up to $1,500 and priority one paying up to $2,500. It has not yet been disclosed how the priority level is determined. To date, 122 vulnerabilities have been rewarded, with an average payout of $200.
A number of major players in the API space have offered bug bounty programs, including Facebook, Google, Apple and Uber. These programs benefit both the hunters, through the payouts, and the companies, which are able to crowdsource the discovery of bugs in an effort to improve the security of their applications and products.