“We have committed to formal recognition and compensation for discovery of reproducible and legitimate vulnerabilities, provided they are disclosed responsibly. Our goal with the Bug Bounty project is to foster a collaborative relationship with researchers to participate in responsible disclosure of vulnerabilities in FCA’s vehicles and connected services,” said FCA.

The auto giant said it would investigate legitimate reports and “make every effort to correct any valid vulnerability as quickly as possible.” As part of the program’s responsible disclosure guidelines, FCA noted it would not take legal action against researchers participating in the program, provided they comply with those guidelines. Domains and applications in scope of the program include:
- Vehicle Head Units, TPMS sensors, remote keyless entry, and any other system that is present in a hardware product that you own or are authorized to test against (Vehicle/Smart Phone app/etc.)
- UConnect public facing web application
- *.driveuconnect.com and all regional derivatives
- UConnect Access Mobile Application for iOS and Android
“In recent years, automakers are realising that hackers just like Charlie and Chris are already at the table, ready and willing to help, and are leveraging the work coming out of this community to make their products safer from cyber threats,” Ellis added.

Fiat Chrysler joins automakers Tesla and General Motors, who launched similar programs earlier this year. According to WIRED, Tesla has paid as much as $10,000 to hackers who reported vulnerabilities in its vehicles. Meanwhile, GM’s vulnerability disclosure program does not offer researchers financial compensation.