Blog

Fiat Chrysler Automobiles announced Wednesday it will become the first major automaker to put a bounty on bugs.

No, not the creepy crawling ones, but the dangerous security ones.  The ones that hackers could use, via current vehicle software flaws, to take control of an automobile or SUV with the intent to harm its owners through theft, monetary, or safety issues.

Dubbed the ‘public bug bounty program’, FCA said it will offer rewards up to $1,500 per bug – depending on impact and severity – to ‘ethical’ hackers who report on data security weaknesses in FCA vehicles.

Bugcrowd Inc., a crowdsourced community of cybersecurity researchers based in San Franscisco, will manage the program for FCA.

All Jeep-based vehicles are included in this program, the automaker said.

“There are a lot of people that like to tinker with their vehicles or tinker with IT systems,” said Titus Melnyk, FCA senior manager of security architecture.  “We want to encourage independent security researchers to reach out to us and share what they’ve found so that we can fix potential vulnerabilities before they’re an issue for our consumers.”

“By going with a financial reward, I think it’s going to encourage people to look for these vulnerabilities,”  Melnyk added, saying the automaker may up the rewards depending on how the launch of the program grows and what’s found.

Last year, a 2014 Jeep Cherokee was remotely hacked by a team of researchers who were able to control many of the vehicle’s functions.  More recently, a thief was shown starting a Jeep Wrangler using only a laptop. In the first case, FCA issued a software update for many of its vehicles equipped with the 8.4-inch Uconnect system.

Bugcrowd manages all reward payouts, which are scaled based upon the severity of the product security vulnerability identified, and the scope of impacted users. A reported vulnerability could earn a bug bounty of $150 to $1,500.

“It’s critical that the response happens quickly,”  Melnyk said. “If we get any information from this program that’s valuable for us in protecting the vehicle, then it’s paid for itself, in my opinion.”

Casey Ellis, Bugcrowd's chief executive, said during a media briefing that his company has 32,000 researchers who work through its service.  All are rated based on the quality of their work, he said.

“Automotive cybersafety is real, critical, and here to stay,” Ellis said. “Car manufacturers have the opportunity to engage the community of hackers that is already at the table and ready to help, and FCA US is the first full-line automaker to optimize that relationship through its paid bounty program.”

FCA said it “may make research findings public,” depending on the nature and potential vulnerability of the findings, and that the bug bounty program is one of the best ways to address cybersecurity challenges created by the convergence of technology and  the automotive industry.

“Exposing or publicizing vulnerabilities for the singular purpose of grabbing headlines or fame does little to protect the consumer,” Melnyk said. “Rather, we want to reward security researchers for the time and effort, which ultimately benefits us all.”

FCA & Bugcrowd soundbites: https://youtu.be/LEyYDwXJDMc

 

About Quadratec:

Since 1990, Quadratec's mission is always to deliver Expert Advice and Unbeatable Prices to enthusiasts of the legendary Jeep® CJ & Wrangler, Cherokee and Grand Cherokee.  Quadratec's courteous factory-trained sales & customer service staff has the knowledge to make sure you, and your vehicle, get exactly what you need.  Contact us at 800-745-2348 or www.quadratec.com.