If you can’t beat them, join them. Or at least get them to join you.
Just a year after software engineers Charlie Miller and Chris Valasek hacked into the computer system of a Jeep Cherokee and took control of the vehicle, Fiat Chrysler Automobiles (FCA) is taking a bold step and encouraging such actions.
Well, maybe not EXACTLY that. But close.
FCA recently enlisted the help of Bugcrowd, a San Francisco-area company that manages organized hacking (or research, as CEO and founder Casey Ellis calls it), and is challenging ethical hackers to discover vulnerabilities in the manufacturer’s software.
The “bug bounty program,” as it’s called, could nab a successful participant up to $1,500 per flaw.
“Successful,” you say? What exactly does successful mean regarding the program? First, it must be a previously unknown defect. So claiming the same issue discovered by Miller and Valasek last year doesn’t count. Also, the amount of the payout will vary (from $150 to $1,500) and be determined by both the severity of the discovery and the number of vehicles affected.
Why would a major automobile manufacturer participate in a program such as this? It’s about making a better product.
“From the first minute we started talking to FIAT Chrysler, we realized they were serious about doing this and doing this well,” said Ellis. “This is a company that understands that a connected car does involve risk.”
By engaging outside researchers to “break” its code and responsibly disclose what they find, FCA can ultimately produce better, safer vehicles for customers. Find the vulnerability, eliminate it and learn from it. Then write better, more secure code.
“We want to encourage independent security researchers to reach out to us and share what they’ve found so that we can fix potential vulnerabilities before they’re an issue for our consumers,” said Titus Melnyk, Senior Manager – Security Architecture, FCA US LLC. “And at the end of the day, [customers] are going to find that their [vehicles] are more stable, more secure and act in the way they are expected to act.”
FCA is proving they are a company that is serious about safety, including cyber security. And while hackers and FCA can both benefit from the bug bounty program, customers are the real winners.
If you’d like to get involved in the program, visit Bugcrowd.com/fca and review the FCA bounty brief for the full description of the guidelines.