By on July 15, 2016

2016 Ram 1500 Laramie Crew Cab 4x4 EcoDiesel

Fiat Chrysler Automobiles will give you up to $1,500 to find weaknesses in its vehicles’ security, but cybersecurity experts want the automaker to pony up more dough.

After the company announced its industry-first “bug bounty” program on July 13, many professional hackers say FCA’s reward isn’t enough to attract real talent in the search for software breaches, Forbes reports.

Cash rewards offered by FCA range from $150 to $1,500, depending on the seriousness of the identified weakness. The company’s view is that security researchers who help protect its vehicle technology deserve real rewards for their time and effort.

Forbes notes that Facebook recently awarded a 10-year-old $10,000 for discovering a bug in its Instagram social networking service. That technology flaw simply allowed users to delete photos, so why should exposing a vehicle security weakness — a public safety issue — warrant less money, the publication asks.

The article gauges hacker reaction via their Twitter posts. One calls the reward “laughable,” while another says researchers need vehicles to work on, not cash. Mark Dowd of Azimuth Security says hackers submit technology faults for similar rewards “all the time,” but speculates that FCA might boost the bounty once they get comfortable offering the reward program.

FCA had a very high-profile run-in with hackers last year, when two Missouri researchers discovered how to remotely take control of a Jeep Grand Cherokee using a weakness in its Uconnect infotainment system. That discovery led to the recall of 1.4 million vehicles and a software patch.

[Image: FCA US]

Get the latest TTAC e-Newsletter!

11 Comments on “Security Experts Say Fiat Chrysler’s ‘Bug Bounty’ Reward isn’t Big Enough...”


  • avatar

    Lend me a TRACKHAWK and I’ll find the bugs for ya…

  • avatar
    jrhmobile

    The problem with offering a “bug bounty” is that you have to offer enough to make hackers want to share it with you.

    If you don’t, the danger is that hackers will find someone else who will.

  • avatar
    Viceroy_Fizzlebottom

    Talk about being cheap. Come on, FCA. I’ve seen opensource projects with much higher bounties than that!

  • avatar
    maserchist

    FCA will be lucky if computer whizzes DO identify problems and then see what the market actually WILL pay, nefarious & regular nice guys included. Highest bidder wins the keys…

  • avatar
    MrGreenMan

    They should follow the old Knuth strategy and have the reward double whenever one is found, and they should have different orders of magnitude of cash for different orders of magnitude of errors – i.e., a little error gets you a little bit, a certifiable howler gets you mega bucks.

  • avatar
    Tosh

    It weren’t “real talent” what created the bugs, so why would they need to pay “real talent” to find ’em? I’m sure FCA knows the Nigerian “security researchers” market well enough.

  • avatar
    GeneralMalaise

    Make hacking a serious crime at the state and federal level, with a 20 year sentence possible for each charge upon conviction, sentences can’t run concurrently. That’s my solution.

    • 0 avatar
      brenschluss

      What’s “hacking”?

    • 0 avatar
      Big Al From 'Murica

      Yeah, we have pretty stiff crimes for hacking which is why most hackers operate from other countries.

    • 0 avatar
      wolfinator

      “Hacking” should not be illegal. “Hacking” is what security researches do to FIND these issues.

      Making “hacking” illegal is like making picking locks illegal. Now locksmithing is a crime! Congrats, you just screwed everyone!

      What you want to be illegal are negative *effects* of hacking. Whether it be theft of personal data, theft of services or goods, bank fraud, etc etc etc.

      Guess what? Those are already illegal!

      PS: more garbage legislation in the US is hardly going to have an effect. Most ‘hackers’ live overseas, and effectively ignore US law.

  • avatar
    Big Al From 'Murica

    I am in the Cyber Security field and this was my first thought when I read the last post. Day zero (vulnerabilities baked into the release) exploits trade for waaaaay more than 1500 bucks in the black hat community. Try hundreds of thousands in some cases. What do you think the FBI paid to unlock Sayed Farook’s iPhone and that was something that had been around for a while.

Read all comments

Back to TopLeave a Reply

You must be logged in to post a comment.

Recent Comments

  • Lou_BC: I’m in a centre of rural conservative North Central BC. The local Ford dealer has zero problem selling...
  • Lou_BC: Gotta hug something when all the trees are gone ;)
  • Lou_BC: I read about a local company starting to install systems that allow trucks to run on a blend of diesel and...
  • Lou_BC: @freedMike – Yeah. Myopic. It’s a global problem. Big oil producers like OPEC’kers and...
  • Lou_BC: @deanst – right now everyone is begging oil producers for more fuel. It isn’t just a USA issue.

New Car Research

Get a Free Dealer Quote

Who We Are

  • Adam Tonge
  • Bozi Tatarevic
  • Corey Lewis
  • Mark Baruth
  • Ronnie Schreiber