Top auto industry companies have announced coordinated vulnerability disclosure programs. This use of ‘bug bounties’ to encourage global hackers to help identify security holes points to the future of critical infrastructure protection. Here’s what’s happening now with crowdsourcing vulnerability management, and why the entire cybersecurity industry is taking notice.
“Go ahead: Hack me if you can.”
That was the message this week from Chrysler, as they announced their new bug bounty program. If you report a security hole, you can get paid up to $1,500 in cash. Fiat Chrysler (FCA) has decided to partner with Bugcrowd on this new security program.
Chrysler’s new endeavor is to crowdsource the process of uncovering and fixing security vulnerabilities associated with automobiles. And the focus is not just on your car’s engine, gas pedal or brakes:
“Fiat Chrysler’s page on Bugcrowd’s site strangely lists the targets of the bug bounty program as its Uconnect infotainment system apps and Eco-Drive driving efficiency apps, not explicitly including the vehicles themselves. But Bugcrowd’s Ellis confirms that even attacks that directly target vehicles, rather than that software, are eligible for rewards.”
Chrysler is joining Tesla and GM, which already use a rival bug-reporting service from HackerOne. However, each carmaker’s financial rewards are different. Here is an excerpt from January of this year:
(GM) the Detroit, Michigan-based firm has now joined rival Tesla in asking researchers to submit flaws and bugs discovered within the firm's Web domains. However, while Tesla offers up to $10,000 per flaw, GM's bug bounty program, hosted by HackerOne, asks researchers to submit GM.com bugs — but no more information is given in relation to credit or reward.
And other transportation companies, such as Uber, announced bug bounty programs earlier this year as well:
Uber announced that it’s officially launching a “bug bounty” program that will pay independent security researchers thousands of dollars in rewards for finding hackable bugs in its apps and websites. That makes the ride-sharing firm the latest tech giant to adopt the strategy of crowdsourcing the auditing of its code to shore it up against less benevolent hackers. Finding a bug that could deface Uber’s homepage or expose users’ email addresses earns $5,000, for instance, while one that could fully take over Uber accounts or run malicious code on an Uber production server can earn as much as $10,000.
What Is a Bug Bounty?
Bug bounties are simply rewards for finding and reporting security flaws in a software program that permit unintended actions to happen. A more formal set of definitions surrounding bug bounty programs (sometimes called hacker bounty programs) can be found here.
No, bounty hunting is not new. In fact, the first bounty hunters can be traced back to the 1600s in England. The Wild, Wild West in America made bounty hunters famous, with stories like these.
The first bug bounties in the cybersecurity industry were offered back in 1995 by Netscape, and Google, Facebook, Microsoft and other major technology companies started offering bug bounties years ago.
Back in May, a 10-year-old boy was awarded $10,000 by Instagram for finding a bug.
Last year, United Airlines rewarded helpful hackers with millions of free airline miles for finding security holes.
Why Is This a Critical Moment for Our Auto and Cybersecurity Industries?
You may wonder, if bug bounties are not new, why are these 2016 media announcements from the auto companies such a big deal to the cybersecurity industry as a whole?
I believe there are (at least) three important reasons that bug bounties for autos are vitally important right now.
1) The auto industry is top of the list for the Internet of Things (IoT) cybersecurity developments. This article last year describes how IoT drives the future of connected cars. I also believe that the corollary is true: The auto industry’s security is driving IoT security in many ways — especially with mobile. The average citizen cares quite a bit about where car developments are heading over the next decade. The recent negative headlines regarding autonomous vehicles are getting plenty of attention from all segments of society. Everyone seems to care about where this trend is heading — perhaps even more than in other IoT areas such as smart homes.
2) Further, public expectations for smart city transportation are evolving rapidly. Mobileye, providers of collision avoidance and autonomous driving technology, sponsored a survey on the transit issues that frustrate Americans and what they’d like to see fixed if/when their city became a “smart city.” The chart below shows what they found as a result of their YouGov survey. Note the importance of transportation.
3) Third, perhaps the top issue that concerns consumers regarding transportation innovation is cybersecurity. With the 60 Minutes videos on hacking cars, as well as other scary reports regarding data breach or hacking concerns, this topic is front and center moving forward over the next few years, in my view.
Closing Thoughts on Coming Bug Bounty Programs
Many experts question whether $1,500 is enough to persuade hackers who uncover vulnerabilities to report them. Nevertheless, I think this Chrysler program offers a good start and is likely to be replicated by the other automakers and auto suppliers with different levels of compensation. I expect Ford and foreign automakers to develop programs over the next year as well.
HackerOne, which partners with GM on its bug bounty program, recently ran the Hack the Pentagon program, which was a huge success. I see this overall trend continuing and growing in other sectors in the coming years.
One thing to keep in mind is that, beyond the financial gain for “white hat” hackers receiving a bug bounty, there are other professional benefits and “the thrill of the chase” to be gained. Is there a better way to show your value to prospective employers than to have a few of these bug bounty prizes on your resume?
Finally, I am excited to be moderating a panel on this topic at the Global Automotive Cybersecurity Summit on July 22, 2016, in Detroit. The session is titled: “Securing the Car Through Vulnerability Testing and Coordinated Disclosure Programs.” The participants include:
No doubt, these are the early days of bug bounty programs in critical industries. I believe that more governments, health-care organizations, utilities and other industries will be entering the bug bounty world in the months and years ahead. The growth in the IoT will only make these programs more vital.
My Prediction: Most, if not all, critical infrastructure sectors will be offering some type of bug bounty program within three years.