Fiat Chrysler Offers $1,500 to Find Vehicles’ Cyber Soft Spots
Program with Bugcrowd pays rewards to good-guy hackers
Company says it’s first major automaker with a ‘bug bounty’
Fiat Chrysler Automobiles NV is offering as much as $1,500 to good-guy hackers who find potential bugs and vulnerabilities in its vehicle software, in a program managed by a crowd-sourced cybersecurity company.
The automaker’s FCA US unit is working with Bugcrowd, which taps a network of 32,000 researchers worldwide. Those who identify possible security threats will get cash awards of $150 to $1,500, depending on the severity of the vulnerability and the scope of those affected, Fiat Chrysler said in a statement Wednesday.
“Running software basically by its virtue or nature means that you’re going to introduce vulnerabilities at some point, and that’s a problem that every organization shares,” Casey Ellis, Bugcrowd’s founder and chief executive officer, said in an interview. “What it comes down to is, who is going to find those vulnerabilities first.”
Fiat Chrysler said it’s the first major automaker to offer a “bug bounty” reward program. The vulnerability of connected autos was driven home for car manufacturers last year when hackers took control of a moving Jeep sport utility vehicle. After that incident, Fiat Chrysler recalled 1.4 million cars and trucks equipped with radios that were vulnerable to hacking, an industry milestone.
This month, police in Houston said thieves used laptop computers to steal a 2010 Jeep Wrangler by hacking into the vehicle’s electronic ignition. The Wall Street Journal reported that police said the same method may have been used in the theft of four other late-model Wranglers and Cherokees in the Texas city. In those incidents, thieves employed the same software used to program electronic ignition keys at dealerships, rather than hacking a system vulnerability.
“There’s no hacking involved,” said Titus Melnyk, FCA US’s senior manager of security architecture. “This is like a locksmith that’s breaking the rules.”
The Bugcrowd program will focus on software bugs, but Fiat Chrysler doesn’t want to limit what issues are reported. All relevant material reported to Bugcrowd will be relayed to the automaker and, based on the researchers’ findings, the scope of the program may be adjusted.
The program is focused on Fiat Chrysler’s 3G connected vehicles, including the systems within them, external services and the applications that interact with them.
Bugcrowd’s clients also include Tesla Motors Inc.