General Motors’ new vulnerability disclosure program puts it alongside Tesla as the only major automakers with a mechanism for security researchers to report flaws. Unlike Tesla’s program, however, GM’s does not offer a monetary reward.
GM launched its program last week via the HackerOne platform, and while there’s no mention of a payout, the company does promise not to sue bug hunters who find security issues in its products and services and report them according to the program’s guidelines.
GM insists that researchers’ reports include enough information to reproduce the vulnerability, and that the work not cause harm to GM, its customers’ privacy and safety, and is not in violation of the law. Submitters are also not allowed to publicly disclose details until the flaw is remediated by the automaker. GM also singled out researchers from Cuba, Iran, North Korea, Sudan, Syria and Crimea as ineligible to participate, as well as anyone on the Treasury Department’s Specially Designated Nationals List.
Tesla launched its bug bounty last June, offering researchers up to $1,000 for vulnerabilities in its software. The bounty, however, is limited to the company’s web domains, and does not apply to the company’s vehicles.
While GM did not specify the scope of its disclosure program, it is a significant step forward for an industry that is increasingly being targeted by researchers looking into connected vehicles.
The last two years at the annual Black Hat conference, Uber researchers Charlie Miller and Chris Valasek accelerated the industry’s interest in car hacking with groundbreaking presentations on their examination of the latest Jeep Cherokee. The researchers were able to remotely abuse the UConnect system in the vehicles and take over critical systems, including steering, braking and the transmission.
Their research was the impetus for Fiat Chrysler to recall more than 1.4 million vehicles, days after it issued a software patch.
In October, the Library of Congress granted research into vehicular computer systems an exemption within in the Digital Copyright Millennium Act, allowing for good-faith testing of such systems and the identification of vulnerabilities.
Valasek praised GM chief information security officer Jeff Massimilla over Twitter for providing researchers with a means of submitting bugs, something that most brick-and-mortar companies still lack.
Not as excited for the 'bug bounty' portion of GM's program, but just the fact that they can handle a disclosure and get a fix out is great
— Chris Valasek (@nudehaberdasher) January 8, 2016
United Airlines launched a bug bounty program last spring, offering researchers one million frequent flier miles for a remote code execution bug, and between 50,000 and 250,000 miles for lesser-severity bugs; in July, researcher Jordan Wiens received the first million-mile payout.
