Tesla offers bug bounty to ethical hackers from $25 to $1,000 but not for finding vulnerabilities in its cars
Like United Airlines, Tesla Motors has joined the bug bounty bandwagon by inviting security researchers and ethical (white hat) hackers to find vulnerabilities in its website. As with United Airlines, the bounty is offered only for vulnerabilities in the website and not in the company's cars.
Tesla Motors has started a bug bounty program that will pay researchers up to $1,000 for disclosing vulnerabilities in its website. As said above, rewards don’t apply to bugs found in the company’s vehicles.
The Tesla bug bounty hunters have to find vulnerabilities in the main teslamotors.com domain and other domains owned by the company. The Tesla car sales website and other sites that are hosted by third parties are not included in the bug bounty, which is being administered by Bugcrowd.
The bug bounty will not enthuse hardcore hackers, because Tesla has left its cars and their associated software and hardware out of the program. Readers may note that Tesla has a separate reporting process for vulnerabilities in its vehicles.
“Tesla values the work done by security researchers in improving the security of our products and service offerings. We are committed to working with this community to verify, reproduce, and respond to legitimate reported vulnerabilities. We encourage the community to participate in our responsible reporting process,” the company said in a statement announcing the bug bounty program.
While website vulnerabilities are passé, research on attacks and vulnerabilities in the software running inside smart cars has become much more common in the last couple of years. Car hacking is a serious problem that can cause grievous injuries if cars are taken over by hackers and made to do malicious things, such as being used in suicide bombings.
Chris Valasek and Charlie Miller are considered pioneers in this field and have developed several attacks on the systems in cars from various manufacturers. However, big car manufacturers haven't taken any interest in finding the vulnerabilities in their cars, raising serious questions about those cars' security. Tesla has taken a different route on finding vulnerabilities in its cars and has a dedicated team of researchers for that purpose.
The vulnerability categories and rewards listed by the Tesla Motors bug bounty include:
- XSS: $200–$500
- CSRF: $100–$500
- SQL: $500–$1,000
- Command injection: $1,000
- Business logic issues: $100–$300
- Horizontal privilege escalation: $500
- Vertical privilege escalation: $500–$1,000
- Forceful browsing/Insecure direct object references: $100–$500
- Security misconfiguration: Up to $200
- Sensitive data exposure: Up to $300
The minimum reward is $25 and the maximum is $1,000.