General Motors has started a bug bounty program and has invited security researchers to report information on security vulnerabilities affecting the company’s products and services.
The program, set up via HackerOne’s bug bounty platform, currently offers no concrete rewards except a thanks from the company, so it’s more of a public coordinated disclosure program than an actual bug bounty program.
The company has agreed not to sue researchers who participate in the program if they do not harm GM, its customers or other users; if they don’t compromise the privacy or safety of its customers or the operation of its services; if they don’t violate any law (including disrupting or compromising any data or vehicle that is not their own); and if they agree not to publicly disclose vulnerability details before the flaw is fixed.
Since the latter could take a while – years even! – the company also wants the researchers to “not publicly disclose vulnerability details if there is no completion date or completion cannot be ascertained.”
This condition might be out of order for other types of vulnerability disclosure programs, but in this case it’s fitting, as GM vehicles contain many components provided by third-party suppliers, who might not have the means or resources to react and fix the problem quickly.
“For a company like GM to step forward, they’re telling every supplier that they also need a vulnerability coordination program,” HackerOne founder and CTO Alex Rice told Ars Technica.
Also, some flaws might be impossible to patch, and replacing the vulnerable component might be the only way to plug the security hole. That means that people would have to come in and get their vehicles fixed by experts, and you can bet that many will simply consider it too much trouble.
Car hacking has been a hot topic in the last few years, and a number of researchers have set aside fears of being sued and probed connected cars for vulnerabilities. In some cases, they were prevented from revealing the results of their research by car makers until a fix could be implemented.
A report released earlier last year by US Senator Edward Markey has confirmed that automobile manufacturers have yet to effectively deal with the threat of hackers penetrating vehicle systems, and the driver and vehicle information they collect and share is not adequately protected.
BT launched a new security service developed to test the exposure of connected vehicles to cyber-attacks and help all market players develop security solutions, and organizations like I Am The Cavalry continue to actively push the automotive industry to commit to cyber safety.
Finally, the US Librarian of Congress decided last October to make it legal for security researchers and vehicle owners to poke into cars’ (and other motorized land vehicles’) innards without infringing copyright. This rule goes into effect in October 2016.