The Auburn Hills-based automaker said Wednesday it is offering up to $1,500 bounties to white-hat hackers who are able to permeate firewalls and identify potential security issues with their vehicles and software systems.
Advertisement
The FCA US bug bounty program is being run by Bugcrowd, an enterprise security testing specialist that has already been used by Tesla among others.
“Bugcrowd will do the initial triage”, Titus Melnyk, FCA US’s senior security manager, said in a YouTube video announcing the program. People who find legitimate problems and report them to Bug Crowd will be rewarded with $150 to $1,500 and, potentially, a spot in the bug forum’s “Hall of Fame”.
“Automotive cybersafety is real, critical, and here to stay”.
Previous year hackers demonstrated how they could use a software glitch to take control of a 2014 Jeep Grand Cherokee.
According to Fiat Chrysler, it is the first automobile company to launch a proper bug bounty financial reward program.
To find and fix system glitches in its cars and connected services, Fiat Chrysler has proposed a very interesting program, through which hackers have been invited to show their skills. Such programs have proven to be a lucrative venture for hackers and security researchers.
While they may or may not make the findings public, FCA has contacted customers when faced with vulnerabilities in their vehicle systems and fixed those issues prior to needing a recall.
Auto makers are packing more electronics and related software in vehicles to offer buyers better safety gear, communications capability and seamless connectivity to information available outside the car’s cabin. They include DDoS attacks, “vulnerabilities relating to SSO and federation technologies”, and flaws in the login or password recovery process. His firm also works with Tesla Motors and other automakers he said he can not disclose.
FCA called Bugcrowd a “public channel for responsible disclosure of potential vulnerabilities”.
Advertisement
As far as Fiat Chrysler’s bug bounty hit list goes, the public-facing web apps associated with the onboard system that got hacked a year ago, UConnect, are fair game.
