Security Experts Say Fiat Chrysler's 'Bug Bounty' Reward Isn't Big Enough
Fiat Chrysler Automobiles will give you up to $1,500 to find weaknesses in its vehicles’ security, but cybersecurity experts want the automaker to pony up more dough.
After the company announced its industry-first “bug bounty” program on July 13, many professional hackers say FCA’s reward isn’t enough to attract real talent in the search for software breaches, Forbes reports.
Cash rewards offered by FCA range from $150 to $1,500, depending on the seriousness of the identified weakness. The company’s view is that security researchers who help protect its vehicle technology deserve real rewards for their time and effort.
Forbes notes that Facebook recently awarded a 10-year-old $10,000 for discovering a bug in its Instagram social networking service. That technology flaw simply allowed users to delete photos, so why should exposing a vehicle security weakness — a public safety issue — warrant less money, the publication asks.
The article gauges hacker reaction via their Twitter posts. One calls the reward “laughable,” while another says researchers need vehicles to work on, not cash. Mark Dowd of Azimuth Security says hackers submit technology faults for similar rewards “all the time,” but speculates that FCA might boost the bounty once it gets comfortable running the reward program.
FCA had a very high-profile run-in with hackers last year, when two Missouri researchers discovered how to remotely take control of a Jeep Grand Cherokee using a weakness in its Uconnect infotainment system. That discovery led to the recall of 1.4 million vehicles and a software patch.
Comments
They should follow the old Knuth strategy and have the reward double whenever one is found, and they should have different orders of magnitude of cash for different orders of magnitude of errors - i.e., a little error gets you a little bit, a certifiable howler gets you mega bucks.
It weren't "real talent" what created the bugs, so why would they need to pay "real talent" to find 'em? I'm sure FCA knows the Nigerian "security researchers" market well enough.
Make hacking a serious crime at the state and federal level, with a 20 year sentence possible for each charge upon conviction, sentences can't run concurrently. That's my solution.
I am in the Cyber Security field and this was my first thought when I read the last post. Day zero (vulnerabilities baked into the release) exploits trade for waaaaay more than 1500 bucks in the black hat community. Try hundreds of thousands in some cases. What do you think the FBI paid to unlock Syed Farook's iPhone, and that was something that had been around for a while.