Tesla Motors Starts Bug Bounty–But Not For Its Cars

Tesla Motors has started a bug bounty program that will pay researchers up to $1,000 for disclosing vulnerabilities. However, the rewards don’t apply to bugs found in the company’s vehicles.

The program’s scope is quite narrow: only the main teslamotors.com domain and other domains owned and operated by the company are legitimate targets. The company’s shopping site and other sites hosted by third parties are excluded from the bug bounty, which is being administered by Bugcrowd.

More importantly, Tesla’s vehicles and their associated software and hardware are not part of the program, either. The company has a separate reporting process for vulnerabilities in its vehicles.

“Tesla values the work done by security researchers in improving the security of our products and service offerings. We are committed to working with this community to verify, reproduce, and respond to legitimate reported vulnerabilities. We encourage the community to participate in our responsible reporting process,” the company said.

Research on attacks against the software running inside vehicles has become much more common in the last couple of years, with notable advances in the field coming from Chris Valasek and Charlie Miller, who have developed several attacks on the systems in cars from various manufacturers. Car makers, in general, have not responded well to this line of research. Tesla has taken a slightly different tack, engaging with researchers on some level.

The company plans to have one of its Model S cars on display at DEF CON in August.

The vulnerabilities that are in-scope for the Tesla Motors bug bounty include:

  • XSS: $200–$500
  • CSRF: $100–$500
  • SQL injection: $500–$1,000
  • Command injection: $1,000
  • Business logic issues: $100–$300
  • Horizontal privilege escalation: $500
  • Vertical privilege escalation: $500–$1,000
  • Forceful browsing/Insecure direct object references: $100–$500
  • Security misconfiguration: Up to $200
  • Sensitive data exposure: Up to $300

The minimum reward is $25 and the maximum is $1,000.
