Hackers participating in “bug bounty” programs are a little like bounty hunters in the Old West.
Their guns have been replaced with computers (likely running Linux), and their targets are no longer cigar-chomping outlaws, but rather are potential software and security flaws.
The bounty, in the case of one such program revealed Wednesday by Fiat Chrysler Automobiles US, ranges from $150 to $1,500.
About a year after a well-publicized, remote hack of a Jeep Cherokee prompted a recall of 1.4 million of its vehicles, FCA said it is offering ethical hackers the opportunity to find bugs in its programming in exchange for the money.
The program is managed by Bugcrowd, a San Francisco-based company that manages similar programs for other companies, including Tesla Motors, which pays $100 to $10,000.
As with other companies’ programs, FCA’s bug-bounty program uses Bugcrowd’s already established cyber-security community and establishes a public channel where potential software flaws can be reported transparently.
The automaker says the program will help to identify potential product security vulnerabilities and find fixes, thus improving the safety and security of FCA vehicles.
“Exposing or publicizing vulnerabilities for the singular purpose of grabbing headlines or fame does little to protect the consumer,” Titus Melnyk, senior manager of security architecture at FCA US, said in a release. “Rather, we want to reward security researchers for the time and effort, which ultimately benefits us all.”
There are limits to what the bounty-hunting hackers can identify as problems. For example, a Denial-of-Service attack against any piece of FCA infrastructure is excluded from the bounty program.
In fact, there are specific targets for FCA’s bug-bounty program, and they are focused on its Uconnect and ecoDrive platforms. Other domains or applications not listed as targets are not in the scope of the program and should not be tested, the automaker said.
You can see the list of targets and the full rules at bugcrowd.com/fca.
Last summer, two cyber-security experts hacked into a 2014 Jeep Cherokee’s Uconnect infotainment system and turned the Jeep’s air conditioning on, began blasting the radio and finally disabled the accelerator altogether.
Charlie Miller and Chris Valasek also disabled the SUV’s brakes while it was in a parking lot. They could only gain control of its steering while it was in reverse.
FCA has since patched the vulnerable element, which it took Miller and Valasek several months to identify, but it also voluntarily recalled 1.4 million cars and trucks in the U.S. to update software of their radio systems.