Here’s a sign that the future has well and truly arrived: An automobile company is offering bounties for any bugs or vulnerabilities found in its software code.
Actually, given that the automobile company in question is Tesla, the announcement of a bug-squishing program is probably less surprising; after all, Tesla electric cars are famous for their reliance on software. Rather than have customers drive their cars to the nearest garage for tuneups or part replacements, Tesla likes to use over-the-air software updates to tweak everything from battery charging to the dashboard interface.
Such reliance on software, however, makes Tesla vehicles theoretically more vulnerable than old-school gas-guzzlers to digital malfeasance, and so the company is offering rewards ranging from $25 to $1,000 to anyone who calls out vulnerabilities in its code. Ferreting out a business logic issue, for example, could net you anywhere from $100 to $300; discovering a vertical privilege escalation is worth up to $1,000, as are command injections. Vehicle or product-related vulnerabilities will apparently be paid out “on a case-by-case basis.”
Tesla also wants to create something of a safe space for anyone willing to test its systems for vulnerabilities responsibly. “We will investigate legitimate reports and make every effort to quickly correct any vulnerability,” reads the company’s posting on Bugcrowd. “To encourage responsible reporting, we will not take legal action against you nor ask law enforcement to investigate you providing you comply with the following Responsible Disclosure Guidelines.” Those guidelines include not modifying the company’s data, making a good-faith effort to avoid violating anyone’s privacy, and so on.
Third-party websites hosted by “non-Tesla entities” are considered outside the bug-hunting scope; Tesla wants responsible hackers to aim specifically at the company’s public-facing Web applications. There’s also a long list of potential discoveries excluded from the bounty, such as logout cross-site request forgeries, missing HTTP security headers, denial-of-service attacks, and SSL issues.
So for those who enjoy hunting bugs, and who want to earn a bit of cash on the side, why not break from the conventional, and poke around a car company’s code?