Fiat Chrysler becomes first auto maker to offer bug bounty
Italian-owned auto giant Fiat Chrysler became the first major car manufacturer Wednesday to offer payments to hackers who find software flaws or other security vulnerabilities in their products, the company said.
The bug bounty program will be run by Bugcrowd, a platform that allows security researchers to crowdsource their search for vulnerabilities in third-party products, Fiat Chrysler announced in a release. It will pay researchers between $150 and $1,500, depending on the severity of the bugs.
The move follows a recall of 1.4 million vehicles by the firm last year, after a Jeep Cherokee was famously hacked by Charlie Miller and Chris Valasek.
Although Fiat is the first automaker to offer a bounty, GM hired HackerOne in January to provide a responsible disclosure channel for security researchers, though without any bounty involved. Tesla has run a bounty program through Bugcrowd for more than a year, offering up to $10,000 for the worst security flaws.
“There are a lot of people that like to tinker with their vehicles or tinker with IT systems,” said Titus Melnyk, senior manager of security architecture for the automaker. “We want to encourage independent security researchers to reach out to us and share what they’ve found so that we can fix potential vulnerabilities before they’re an issue for our consumers.”
The bounty program page on Bugcrowd’s website enumerates a long list of exclusions — products or services not covered by the program. They include DDoS attacks, “vulnerabilities relating to SSO and federation technologies,” and flaws in the login or password recovery process.
“The consumer is starting to understand that these days the car is basically a two-ton computer,” said Casey Ellis, CEO and founder of Bugcrowd. He added that Fiat Chrysler customers “are the real winners of this bounty program; they’re receiving an even safer and more secure product both now and into the future.”