Automaker Offers Bug Bounty

Fiat Chrysler Automobiles has announced that it will begin paying a bounty to anyone who can detect flaws in the code used in its vehicles. The bounty will fall in the range of $150 to $1,500.

The bounty program will be managed through the crowd-sourced cyber security firm Bugcrowd. The program is specifically targeted at white-hat hackers, or hackers whose goal is to improve security and privacy, but anyone is allowed to search for and report bugs.

Fiat Chrysler Automobiles produces major brands like Jeep, Ram, Dodge, Fiat, and Chrysler. As with most automakers, the models it produces today include a connected component. There has been growing concern in both the auto manufacturing and hacking communities that malicious parties could take advantage of the connectivity in cars to exploit the vehicle in a variety of ways.

The issue is particularly relevant to Fiat Chrysler after a widely publicized 2015 report in Wired showed how it was possible to remotely hack into the computer system of a Jeep Cherokee and seize full control from the driver. That led to a recall of 1.4 million vehicles and stoked industry-wide fears about the safety risks created by connectivity.

Bugcrowd will be responsible for collecting and analyzing the initial round of bug reports. Those that are deemed actionable will be passed on to engineers at Fiat Chrysler Automobiles. This unique approach leverages the collective value of crowds to deepen security testing protocols and expedite the overall testing process. The bounty is expected to provide a powerful incentive for participation.

Other automakers are taking up the issue as well. Tesla is currently running a similar program that promises to pay a bounty of up to $10,000. General Motors has set up a secure portal through a security startup called HackerOne that invites experts to report bugs. GM is not currently offering a bounty, but that could change. United Airlines and Uber have also put initiatives in place to root out bugs.

Thus far the threat of hackers targeting connected cars has been mostly theoretical. But a rapidly increasing number of models now feature some sort of connectivity, and the depth of that connectivity is increasing as well. It doesn’t take a leap of imagination to understand the appeal for hackers or the threat posed to drivers.

Bounty programs suggest that automakers are taking the threat seriously. However, they also suggest that automakers lack the internal resources necessary to make in-car cyber security a priority.