Bug bounties: they’re not just for tech companies anymore!
Automobile manufacturer Fiat Chrysler will pay hackers and researchers up to $1,500 per flaw found in the following systems: vehicle head units, TPMS sensors, remote keyless entry, and “any other system that is present in a hardware product that you own or are authorized to test against,” according to a new page on bugcrowd.com.
The automaker would also like hackers to poke at its UConnect public-facing Web connection, *.driveuconnect.com and “all regional derivatives,” UConnect Access Mobile Application for iOS and Android, and Moparownerconnect.com.
As with other corporate bug bounties, Fiat Chrysler is also putting some restrictions on what legitimate hackers can hit. Specifically, it would like everyone to stay away from “websites not affiliated with connected vehicle platforms,” including “brand, blog, and social media sites.” It would also prefer that nobody launch a DDoS attack or cross-site request forgery, or attempt to click-jack any of Fiat Chrysler’s online properties. Pretty please.
Under the terms of the program, hackers will need to provide enough details of the vulnerability for Fiat Chrysler’s engineers to replicate the issue; they should also make a “good faith effort” to avoid privacy violations and destruction of data.
Bug bounties have become increasingly popular in recent years, and it’s easy to see why: crowd-sourcing a bug-hunt can save a company time and money, at least in theory. Rather than expect a handful of in-house security pros to discover the vulnerabilities in a particular system, executives can turn to thousands of people online to pick through code.
But there are a couple of downsides to a bug bounty. For starters, companies must limit the number of systems available for public testing; nobody is going to allow total strangers to pick through mission-critical systems for bugs. Second, while bug-hunts are great for discovering issues in released software, they do nothing to prevent those bugs from getting into the system in the first place.
As a result, most firms will continue to rely on a combination of internal security pros, automated code checking, and bug hunts to keep their systems secure. Within many IT security departments, the important thing is prevention, not post-launch bug-squashing.
While Fiat Chrysler isn’t the first car company to host a bug bounty—that honor goes to Tesla, which asked hackers to poke through its code—its announcement does highlight the increasing importance of software to the auto industry. As cars’ onboard systems become more sophisticated, automakers’ need for secure software will doubtless rise.