avatar
Bug bounty
Public
Submit report

Withings

French company specialized in connected objects in the field of health.

Reward

Bounty
Hall of fame
€0
Low
€0
Medium
€200
High
€1,500
Critical
€3,000

Program

Avg reward
-
Max reward
-
Scopes
12
Supported languages
English
French

Hacktivity

Reports
180
1st response
< 1 day
Reports last 24h
-
Reports last week
5
Reports this month
5

Context

Withings creates connected devices that make better health part of daily life. Our clinically validated and multi-award winning range is used by millions worldwide, and includes smart scales, hybrid watches, sleep analyzers and more. Everything connects to our app, which helps people get deep insights on their health, and find tailored programs to improve it.

With the goal of improving the security of our users and partners, we decided to launch a Bug Bounty program because we believe that security researchers will greatly help us achieve this goal.

To start our public program, we focus on our public API, our login portal and our web application Withings App. The scope of our public program will grow over the time.

Program Rules

If you are working on this program, you must abide by all of the following rules:

  • You must be the first reporter of a valid vulnerability (any duplicate reports will not be rewarded)
  • Denial of service attacks are prohibited.
  • Under no circumstances should you disclose, manipulate or destroy user data.
  • Public or private disclosure of a vulnerability is prohibited.
  • Disclose the vulnerability report exclusively through Yes We Hack.
  • You must not be a current or former employee of Withings.
  • Never attempt non-technical attacks such as social engineering, phishing or physical attacks.
  • You must not violate any local, state, national or international law.
  • You are only allowed to perform tests on your own devices.
  • In the event of non-compliance with the rules, Withings reserves the right to take legal action against the transgressor.

Documentation

Public API (https://wbsapi.withings.net) documentation is available here.

Reward

Asset value CVSS
Low
 CVSS
Medium
 CVSS
High
 CVSS
Critical
Medium
€0€200€1,500€3,000

Scopes

ScopeTypeAsset value
https://wbsapi.withings.net api
Medium
Low
€0
Medium
€200
High
€1,500
Critical
€3,000
https://healthmate.withings.com web-application
Medium
Low
€0
Medium
€200
High
€1,500
Critical
€3,000
https://account.withings.com web-application
Medium
Low
€0
Medium
€200
High
€1,500
Critical
€3,000
https://app.withings.com web-application
Medium
Low
€0
Medium
€200
High
€1,500
Critical
€3,000
https://developer.withings.com/dashboard/ web-application
Medium
Low
€0
Medium
€200
High
€1,500
Critical
€3,000
https://scalews.withings.com api
Medium
Low
€0
Medium
€200
High
€1,500
Critical
€3,000
Body Scan scale other
Medium
Low
€0
Medium
€200
High
€1,500
Critical
€3,000
Body Comp scale other
Medium
Low
€0
Medium
€200
High
€1,500
Critical
€3,000
Scanwatch Light other
Medium
Low
€0
Medium
€200
High
€1,500
Critical
€3,000
Scanwatch 2 other
Medium
Low
€0
Medium
€200
High
€1,500
Critical
€3,000
Scanwatch Nova other
Medium
Low
€0
Medium
€200
High
€1,500
Critical
€3,000
Scanwatch other
Medium
Low
€0
Medium
€200
High
€1,500
Critical
€3,000

Out of scopes

  • All domains, devices and mobile Apps not listed In-Scope.

Vulnerability types

Qualifying vulnerabilities

  • SQL Injection (SQLi)
  • Cross-Site Scripting (XSS)
  • Remote Code Execution (RCE)
  • Insecure Direct Object Reference (IDOR)
  • Horizontal and vertical privilege escalation
  • Authentication bypass & broken authentication
  • Business Logic Errors vulnerability with real security impact
  • Local files access and manipulation (LFI, RFI, XXE, SSRF, XSPA)
  • Cross-Origin Resource Sharing (CORS) with real security impact
  • Open Redirect
  • Exposed secrets, credentials or sensitive information from an asset under our control
  • Insecure Authorization
  • Vulnerabilities related to Bluetooth LE, Wi-Fi implementation
  • Successful non Withings firmware update
  • Code execution on a device
  • Broken cryptographic implementation with working exploit
  • Insecure Communication

Non-qualifying vulnerabilities

  • Cross-Site Requests Forgery (CSRF) with real security impact (internal work in progress)
  • HTTP related issues
  • Vulnerable version of libraries (for example ‘jquery’) without demonstrable attack vector
  • Tabnabbing
  • Missing cookie flags
  • Content/Text injections
  • Credentials leak not linked to a vulnerability
  • Mixed content warnings
  • Clickjacking/UI redressing
  • Denial of Service (DoS) attacks
  • Known CVEs without working PoC
  • Open ports without real security impact
  • Social engineering of staff or contractors
  • Presence of autocomplete attribute on web forms
  • Vulnerabilities affecting outdated browsers or platforms
  • Self-XSS or XSS that cannot be used to impact other users
  • Outdated libraries without a demonstrated security impact
  • Any hypothetical flaw or best practices without exploitable PoC
  • Expired certificate, best practices and other related issues for TLS/SSL certificates
  • Unexploitable vulnerabilities (ex: XSS or Open Redirect in HTTP Host Header)
  • Reports with attack scenarios requiring MITM or physical access to victim&#39;s device
  • Missing security-related HTTP headers which do not lead directly to a vulnerability
  • Unauthenticated / Logout / Login and other low-severity Cross-Site Request Forgery (CSRF)
  • Invalid or missing SPF (Sender Policy Framework), DKIM, DMARC records
  • Session expiration policies (no automatic logout, invalidation after a certain time or after a password change)
  • Disclosure of information without direct security impact (e.g. stack traces, path disclosure, directory listings, software versions, IP disclosure, 3rd party secrets)
  • CSV injection
  • HTTP Strict Transport Security Header (HSTS)
  • Subdomain takeover without a full working PoC
  • Blind SSRF without direct impact (e.g. DNS pingback)
  • Lack of rate-limiting, brute-forcing or captcha issues
  • User enumeration (email, alias, GUID, phone number)
  • Password requirements policies (length / complexity / reuse)
  • Ability to spam users (email / SMS / direct messages flooding)
  • Disclosed / misconfigured Google API key (including Google Maps)
  • Recently disclosed 0-day vulnerabilities (less than 10 days since patch release)
  • Password reset token leak on trusted third-party website via Referer header (eg Google Analytics, Facebook…)
  • Stolen secrets, credentials or information gathered from a third-party asset that we have no control over
  • Issues that require physical access to a victim's device or MITM
  • Lack of code obfuscation
  • Non encrypted data on the device
  • Lack of binary protection / anti-debugging controls
  • Crashing your own application or device
  • Outdated librairies without a demonstrated attack vector
  • Reports from automated vulnerability scanners
  • Hyperlink injection in emails we send

Hunting requirements

Account access

To begin, make sure you have a Withings account.
After that, you can create application in the developer dashboard.

If you have any question or issue, please send an email at : security@withings.com.

Hunters collaboration

When submitting new report, you can add up to 5 collaborators, and define the reward split ratio.

For more information, see help center.
Note: For reports that have already been rewarded, it is not possible to redistribute the rewards.

Submit report
program thumbnail
 Withings
Submit report