Fiat Chrysler offering up to $1,500 to hackers who can exploit its software
Fiat Chrysler Automobiles (FCA) is joining the list of companies that pay hackers cash for finding vulnerabilities and security bugs in their software. The reward in the bug bounty program ranges from $150 to $1,500, depending on the security flaw the white hat hackers and researchers discover in one of the automaker's Jeeps, Ram trucks or other models.
“We have committed to formal recognition and compensation for discovery of reproducible and legitimate vulnerabilities, provided they are disclosed responsibly,” the company says. “Our goal with the Bug Bounty project is to foster a collaborative relationship with researchers to participate in responsible disclosure of vulnerabilities in FCA’s vehicles and connected services.”
FCA will run the bounty on the Bugcrowd platform, which will manage the payouts. Bugcrowd says it has about 30,000 security researchers as members.
“There are a lot of people that like to tinker with their vehicles or tinker with IT systems,” said Titus Melnyk, a senior security manager at Fiat Chrysler. “We want to encourage independent security researchers to reach out to us and share what they’ve found.”
The automaker asks that researchers provide complete details of any vulnerabilities found, including proof-of-concept code or reproduction details. Uconnect iOS, Uconnect Android, ecoDrive on Android and ecoDrive on the iPhone and iPad are all in scope. In addition, the automaker is interested in security problems found within the driveconnect.eu and ecodrive.driveconnect.eu web domains.
FCA will reward researchers for problems such as remote code execution (RCE) flaws and cross-site scripting bugs on authenticated pages, but will not pay for issues such as clickjacking, error messages, vulnerabilities relating to Adobe Air infrastructure, public files and directories, or certificate strength problems.
In total, four bugs have been resolved and rewarded so far, but the details of each security issue remain private.
FCA says it is the first automaker with a full line-up of cars and trucks to offer such a bounty, even though electric car maker Tesla Motors Inc. has made a similar offer.
The automobile maker says that it may make the findings public to benefit others, depending upon the nature of the potential vulnerability identified and the scope of impacted users, if any.
FCA's goal is simple: find vulnerabilities in its vehicles before they lead to a costly recall and tarnish the brand's image. Last year, the company was compelled to recall 1.4 million vehicles and update its software after two security researchers hacked into a Jeep Cherokee's entertainment system and took control of the vehicle remotely.
The high-profile demonstration was not only an embarrassing incident for Fiat Chrysler, but it also sent the auto industry scrambling to make sure its systems are secure.
“The safety and security of our consumers and their vehicles is our highest priority,” said Sandra Hosler, cybersecurity system responsible, FCA US LLC. “Building on a culture of safety, FCA US has developed a cross-functional team comprised of engineering, safety, regulatory affairs, and connected vehicle specialists who are dedicated to collaboration and engagement with a wide range of industry professionals to build security into our vehicles and products by design.”
FCA isn’t the only company that has hired hackers to make its cars safer. Last year, Uber hired the duo that remotely hacked into the Jeep Cherokee.
The FCA US bug bounty program (https://bugcrowd.com/fca) crowdsources software testing to address cybersecurity challenges. The Bugcrowd program will help find potential product security vulnerabilities, implement fixes, enhance safety and security, and foster transparency and cooperation within the cybersecurity community.