Chrysler Launches Detroit’s First ‘Bug Bounty’ for Hackers

From Wired:

When a pair of hackers exposed security flaws a year ago in a Jeep Cherokee, Fiat Chrysler could have responded by trying to keep other hackers away from its products with intimidation or lawsuits. The demo led to a 1.4-million-vehicle recall, after all. But instead, the company is trying a smarter approach: offering to pay for hacks.

On Wednesday the Italian-owned Detroit automaker announced that it will pay “bounties” of as much as $1,500 to security researchers who alert the company to hackable flaws in its software. That makes the company the first major carmaker to officially shell out dollars in exchange for security vulnerability information, a sign of Detroit’s growing awareness of the looming threat of digital attacks on vehicles. “It’s a very big move,” says Casey Ellis, the CEO of Bugcrowd, the firm running Fiat Chrysler’s bug bounty program. “This is basically creating normalcy around the dialogue between hackers and vehicle manufacturers for the purposes of making vehicles safer.”

Though it may be the first of Detroit’s “Big Three” companies to launch a bug bounty program, Fiat Chrysler isn’t actually the first carmaker to offer those hacker rewards. Tesla already runs a bounty program through Bugcrowd and has paid as much as $10,000 to hackers who reported flaws, like two researchers who presented vulnerabilities in a Model S at Defcon last year. GM launched its own “vulnerability disclosure program” in January, but offered hackers no payments, only an official channel to report bugs without facing a lawsuit.

Fiat Chrysler’s page on Bugcrowd’s site strangely lists the targets of the bug bounty program as its Uconnect infotainment system apps and Eco-Drive driving efficiency apps, not explicitly including the vehicles themselves. …
