Tesla Encouraging "Good Faith" Security Research in Bug Bounty Program | Tripwire

Tesla Encouraging "Good Faith" Security Research in Bug Bounty Program

Posted on September 7, 2018
Riviera Beach Pays Nearly $600K to Recover Data after Ransomware Attack
Electric vehicle manufacturer Tesla is encouraging what it calls "good faith" security research in its bug bounty program.
2000px-Tesla_Motors.svg_.png
In its vulnerability disclosure program, Tesla says it welcomes "the community to participate in our responsible reporting process" for the company's product offerings and services. Researchers who participate in the program must report a vulnerability along with information needed to validate the issue and give Tesla a reasonable amount of time to address the reported vehicles. They should also alter vehicles that only they own or to which they have approval to access, make an effort to avoid privacy violations and not expose others to potential safety issues. Researchers who follow those guidelines can expect to receive a bounty of up to $10,000. The company also affirms its willingness to help bug bounty hunters get their research-registered vehicles back on the road:
If, through your good-faith security research, you (a pre-approved, good-faith security researcher) cause a software issue that requires your research-registered vehicle to be updated or "reflashed," as an act of goodwill, Tesla shall make reasonable efforts to update or "reflash" Tesla software on the research-registered vehicle by over-the-air update, offering assistance at a service center to restore the vehicle's software using our standard service tools, or other actions we deem appropriate.
There are some caveats with that promise, though. Tesla clarifies that it may restrict its help to a limited number of times, that it won't cover out-of-pocket expenses such as towing and that it may de-register a vehicle previously registered for research at any time. The company goes on to note that it won't treat the input of a "good-faith security researcher" who as a copyright infringement or voided warranty. More information about the bug bounty program can be found on Tesla's website. To learn about some of the other essential bug bounty programs in operation today, click here.
Join over 20,000 IT security pros who get our top stories delivered to their inbox every week!