Fiat Chrysler Debuts Bug Bounty Program

A year ago, IT security researchers hacked the onboard computer in Fiat Chrysler's Jeep Cherokee. Now, the company is launching its first public bug bounty program.

bug bounty program

Fiat Chrysler Automobiles (FCA) has the inauspicious distinction of being perhaps the first major auto vendor in the world to issue a vehicle recall due to IT security flaws. Now a year after researchers Charlie Miller and Chris Valasek detailed flaws in FCA's vehicles including the Jeep Grand Cherokee that led to the recall of 1.4 million vehicles, FCA is launching a bug bounty program.

The bug bounty program will award researchers up to $1,500 per vulnerability that is responsibly disclosed to FCA. The bug bounty will be operated by third-party bug bounty platform provider Bugcrowd.

"Bug bounties are incredibly effective, but they aren't a trivial undertaking," Casey Ellis, CEO and founder of Bugcrowd, told eWEEK. "FCA chose the measured approach, along with partnering with Bugcrowd, to make sure their program is successful for both the hackers who participate and FCA itself."

Bugcrowd isn't the only vendor that provides managed bug bounty programs. Other vendors include HackerOne, which recently conducted the "Hack the Pentagon" program for the U.S. Department of Defense. Ellis said that FCA did its due diligence and settled on Bugcrowd as its vendor of choice. Overall, he noted that as the market for bug bounties evolves, he is seeing adoption of the concept as a whole.

"Given that the rising tide floats all boats, that means all of the providers are seeing successful takeup in the parts of the market they've decided to focus on," Ellis said.

Bugcrowd tracks the cost of bug bounties in a report it updated in June. According to the "2016 State of Bug Bounty" report, the average bug bounty payout is now $500.

"One of the interesting phenomena in bug bounty programs is that it's very easy to boost your rewards up, and quite difficult to bring them down," Ellis said. "On that basis we recommended that FCA starts with rewards that are economically reasonable for them, while providing a good incentive to activate the community."

Ellis expects the FCA bug bounty rewards to increase over time. He also noted FCA will pay $1,500 for the most severe vulnerability, although it is at FCA's discretion to go beyond that amount if the company sees fit.

Bugcrowd is no stranger to helping the automobile industry—it already runs a bug bounty program for electric car maker Tesla.

"Tesla started early and has done a phenomenal job in developing a relationship with the hacker community to make their cars safer," Ellis said. "The key difference is in the age of the company, and the number of vehicles on the road. FCA has been around a long, long time, which is what makes this program both historic and unique."

The researchers who first disclosed flaws in FCA vehicles at the Black Hat USA 2015 conference, Miller and Valasek, are speaking at the 2016 event and are scheduled to disclose new automobile flaws on Aug. 4.

"Marketing to the supply side [i.e., the hackers] is a key part of a successful bug bounty program, and I expect that any buzz generated by the vulnerabilities that Miller and Valasek have discovered will help with overall traction for the program," Ellis said. "As for the vulnerabilities themselves, now Miller and Valasek have a clear vehicle to communicate these to FCA, and a clear expectation set of what they can expect from FCA in return."

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.