In a sign of just how quickly the automotive industry and connectivity technology are converging, Fiat Chrysler (FCA US LLC) has launched a bug bounty program that rewards security researchers, the "good-guy hackers," for discovering and reporting software vulnerabilities in its cars and trucks. Hosted on the Bugcrowd platform, the program pays bounties of between $150 and $1,500 for vulnerabilities found in the car company's software, with the amount FCA awards depending on the severity of the vulnerability discovered.

Last summer, two security researchers demonstrated that they could remotely take control of a moving Jeep Cherokee from a laptop, over the cellular network, by exploiting flaws in the vehicle's Uconnect infotainment system. They were able to interfere with the moving vehicle's transmission and brakes, and also manipulate the radio and windshield wipers, before disabling the SUV. The demonstration led FCA to recall 1.4 million vehicles, including Jeep Cherokees, to patch the software holes; it prompted other automakers to scrutinize the cyber security of their own cars more closely; and it most likely also led to FCA's current bug bounty.

“Our goal with the Bug Bounty project is to foster a collaborative relationship with researchers to participate in responsible disclosure of vulnerabilities in FCA’s vehicles and connected services,” Fiat Chrysler says in a statement on the Bugcrowd page for its program, adding that it will investigate all reports that researchers send in and apply the necessary fixes as quickly as possible. There are an estimated 30,000 cyber security researchers on Bugcrowd.

“There are a lot of people who like to tinker with their vehicles or tinker with IT systems,” says Titus Melnyk, senior manager, security architecture, FCA US, in an article on Government Security News. “We want to encourage independent security researchers to reach out to us and share what they’ve found so we can fix potential vulnerabilities before they’re an issue for our consumers.”

The bug bounty program covers the connected vehicles of FCA US, the systems that operate within those vehicles, and the external services and apps that interact with them. The company says the program gives it the ability to identify potential product security vulnerabilities; implement fixes and/or mitigating controls after sufficient testing has occurred; improve the safety and security of FCA US vehicles and connected services; and foster a spirit of transparency and cooperation within the cyber security community. FCA may make research findings public, it says, depending on the nature of the potential vulnerability identified and the scope of affected users, if any.

FCA says in a statement that it is the first automaker with a full lineup of cars and trucks to offer such a bounty. Electric car maker Tesla Motors did, however, launch a bug bounty program last summer, initially offering bounties ranging from $25 to $1,000 depending on the vulnerability; Tesla later raised the maximum amount it is prepared to pay researchers who find serious security vulnerabilities. Researchers can report SQL injection, command injection, and vertical privilege escalation vulnerabilities through the Bugcrowd platform.

While new for the auto industry, paying researchers a bounty for discovering cyber vulnerabilities is nothing new in other industries. Google, Facebook and a number of other companies have followed the practice for years, and Twitter announced last May that it had paid out a total of $322,420 in bug bounties over two years. Even the U.S. Department of Defense announced a “Hack the Pentagon” initiative last March, inviting hackers to test the security of its Web pages and networks. Although participants can win money and recognition for their work, the DoD says the program is only for “vetted hackers,” meaning anyone hoping to find vulnerabilities in DoD systems will first have to pass a background security check.

What are your thoughts on bug bounty programs? Is making use of friendly researchers a viable means of discovering cyber vulnerabilities in connected products?