Security Experts Say Fiat Chrysler's 'Bug Bounty' Reward Isn't Big Enough

by Steph Willems

Fiat Chrysler Automobiles will give you up to $1,500 to find weaknesses in its vehicles’ security, but cybersecurity experts want the automaker to pony up more dough.

After the company announced its industry-first “bug bounty” program on July 13, many professional hackers say FCA’s reward isn’t enough to attract real talent to the search for software vulnerabilities, Forbes reports.

Cash rewards offered by FCA range from $150 to $1,500, depending on the severity of the identified weakness. The company’s view is that security researchers who help protect its vehicle technology deserve real rewards for their time and effort.

Forbes notes that Facebook recently awarded a 10-year-old $10,000 for discovering a bug in its Instagram social networking service. That flaw simply allowed a user to delete other people’s comments, so why should exposing a vehicle security weakness, a public safety issue, warrant less money, the publication asks.

The article gauges hacker reaction via their Twitter posts. One calls the reward “laughable,” while another says researchers need vehicles to work on, not cash. Mark Dowd of Azimuth Security says hackers submit flaws for similar rewards “all the time,” but speculates that FCA might boost the bounty once it gets comfortable running the program.

FCA had a very high-profile run-in with hackers last year, when two Missouri researchers discovered how to remotely take control of a Jeep Grand Cherokee through a weakness in its Uconnect infotainment system, which was reachable over the vehicle’s cellular connection. That discovery led to the recall of 1.4 million vehicles and a software patch.

[Image: FCA US]


Comments
  • MrGreenMan on Jul 15, 2016

    They should follow the old Knuth strategy and have the reward double whenever one is found, and they should have different orders of magnitude of cash for different orders of magnitude of errors - i.e., a little error gets you a little bit, a certifiable howler gets you mega bucks.

  • Tosh on Jul 15, 2016

    It weren't "real talent" what created the bugs, so why would they need to pay "real talent" to find 'em? I'm sure FCA knows the Nigerian "security researchers" market well enough.

  • GeneralMalaise on Jul 15, 2016

    Make hacking a serious crime at the state and federal level, with a 20 year sentence possible for each charge upon conviction, sentences can't run concurrently. That's my solution.

    • Wolfinator on Jul 15, 2016

      "Hacking" should not be illegal. "Hacking" is what security researchers do to FIND these issues. Making "hacking" illegal is like making picking locks illegal. Now locksmithing is a crime! Congrats, you just screwed everyone! What you want to be illegal are the negative *effects* of hacking, whether it be theft of personal data, theft of services or goods, bank fraud, etc. etc. etc. Guess what? Those are already illegal! PS: more garbage legislation in the US is hardly going to have an effect. Most 'hackers' live overseas and effectively ignore US law.

  • Art Vandelay on Jul 15, 2016

    I am in the cyber security field and this was my first thought when I read the last post. Day zero (vulnerabilities baked into the release) exploits trade for waaaaay more than 1500 bucks in the black hat community. Try hundreds of thousands in some cases. What do you think the FBI paid to unlock Syed Farook's iPhone? And that was something that had been around for a while.
