Fiat Chrysler joins Tesla in offering bounties to hackers
DETROIT -- Fiat Chrysler Automobiles will become the first mass-market automaker to join Tesla in offering bounties to hackers who identify security vulnerabilities in vehicle software.
FCA said it will pay bounties of between $150 and $1,500 to reward hackers who notify the company of security vulnerabilities through a program on bugcrowd.com.
In July 2015, professional hackers Charlie Miller and Chris Valasek rocked the automotive industry when they exploited a cellular vulnerability to remotely control some systems in a 2014 Jeep Cherokee being driven by a journalist.
Days after the incident became public, FCA released a software patch that plugged the security hole the hackers had used to access the Cherokee’s systems. The patch also plugged vulnerabilities in other vehicles equipped with FCA’s 8.4-inch Uconnect infotainment system.
Titus Melnyk, FCA’s senior manager for security architecture, said FCA’s bug bounty program will focus primarily on systems that interact with FCA’s vehicles, such as Uconnect as well as its owner websites. He said that while FCA’s security efforts have been ongoing, this organized effort is intended to encourage talented hackers to help FCA find security vulnerabilities.
“There have been a number of things where people have reached out to us through customer care and other contact methods where they highlighted things that were of interest,” Melnyk explained. He said the bugcrowd program “is just a nice, official way to make it easier for people to contact us and know what we’re really interested in.”
Tesla stands out among automakers for its program that rewards hackers for exposing security vulnerabilities. The company pays bounties ranging from $100 to $10,000 to hackers who alert Tesla when they identify weaknesses in its software. According to bugcrowd, Tesla has paid out at least 132 bounties to hackers.
“I’m really excited that, by offering a bounty for this, it will drive more people into our program,” Melnyk said. “It gives people an incentive to take good notes and make sure that they can duplicate” vulnerabilities they discover.
In addition to monetary rewards, the bugcrowd participants can earn exclusive private invitations from companies to help with their cybersecurity operations. Several Fortune 500 companies, including AT&T and United Airlines, have bug bounty programs operating through the website.