Fiat Chrysler Launches Bug Bounty Program, Awards Researchers Up to $1.5K

Fiat Chrysler Automobiles (FCA) announced on Wednesday the launch of its own bug bounty program, rewarding researchers for disclosing security vulnerabilities in its connected cars. As the seventh-largest automaker in the world, Fiat Chrysler is among the first major vehicle manufacturers to offer “bounty” payouts, ranging from $150 to $1,500 per bug. The new program will operate through Bugcrowd – a crowdsourcing bug bounty platform with a community of over 32,000 registered security researchers. “Fiat Chrysler Automobiles values engaging third party researchers to improve our products, making them safer and more reliable,” read the company’s Bugcrowd page.

“We have committed to formal recognition and compensation for discovery of reproducible and legitimate vulnerabilities, provided they are disclosed responsibly. Our goal with the Bug Bounty project is to foster a collaborative relationship with researchers to participate in responsible disclosure of vulnerabilities in FCA’s vehicles and connected services,” said FCA.

The auto giant said it would investigate legitimate reports and “make every effort to correct any valid vulnerability as quickly as possible.” As part of the program’s responsible disclosure guidelines, FCA noted it would not take legal action against researchers participating in the program provided their compliance. Domains and applications in scope of the program include:

• Vehicle Head Units, TPMS sensors, remote keyless entry, and any other system that is present in a hardware product that you own or are authorized to test against (Vehicle/Smart Phone app/etc.)
• UConnect public facing web application
• *.driveuconnect.com and all regional derivatives
• UConnect Access Mobile Application for iOS and Android
• Moparownerconnect.com

In a blog post, Founder and CEO of Bugcrowd Casey Ellis said: “2015 was the year the public perception of automobile safety changed forever… Chris Valasek and Charlie Miller’s notorious Jeep Cherokee hack transformed the idea of the humble automobile into a 2-tonne computer that can be hacked just like any other.” 

“In recent years, automakers are realising that hackers just like Charlie and Chris are already at the table, ready and willing to help, and are leveraging the work coming out of this community to make their products safer from cyber threats,” Ellis added.

Fiat Chrysler joins automakers Tesla and General Motors, who launched similar programs earlier this year. According to WIRED, Tesla has paid as much as $10,000 to hackers who reported vulnerabilities in its vehicles. Meanwhile, GM’s vulnerability disclosure program does not offer researchers financial compensation.