SecurityWeek

General Motors Launches Vulnerability Disclosure Program

General Motors launched a vulnerability disclosure program last week, but the carmaker is currently not offering any rewards.

The carmaker has invited researchers who find security vulnerabilities in GM products and services to submit a report via the HackerOne platform.

“There is not a specific list of products or services in scope. If a researcher has information related to security vulnerabilities in our products and services, we want to hear about it,” GM representatives told SecurityWeek.

GM is currently not offering any bounties, but the carmaker says it will continue to assess and adapt the program, and will consider recognition and incentive opportunities in the future.

Those who want to report security bugs to General Motors have to follow a set of rules in order to avoid any legal problems. Participants are instructed to avoid causing harm to GM or its customers, not violate any laws, and not compromise the privacy or safety of GM customers and the operation of its services. The vulnerability disclosure program guidelines also specify that the details of the reported flaws cannot be disclosed until the problem is resolved.

“GM takes cybersecurity very seriously, has devoted substantial resources to address it, and continues to do so,” GM said in an emailed statement. “We also value the work of third party researchers, and want to hear directly from anyone who finds a security vulnerability in one of our products or services. This program complements our overall cybersecurity program, including the work done by our team of internal experts and our collaboration with other outside specialists and third parties.”

Researchers Charlie Miller and Chris Valasek, who last year got Fiat Chrysler to recall over a million vehicles after remotely hacking a Jeep, took to Twitter to share their opinion on GM’s “bountyless” bug bounty program.

Miller and Valasek brought car hacking into the spotlight after first locally hacking a Toyota Prius and later remotely taking over a Jeep via its Uconnect in-vehicle connectivity system. The vulnerabilities they demonstrated on the Jeep affected many FCA models, including Ram, Dodge and Chrysler.

GM software has also been targeted by white hat hackers. Last year at the Def Con conference, researcher Samy Kamkar showcased a $100 gadget that allowed him to remotely capture access credentials for OnStar RemoteLink, a GM service that allows vehicle owners to locate, unlock and even start their car from a smartphone app.

In September 2014, after lawmakers started putting pressure on car manufacturers to ensure that their vehicles can’t be hacked, and after a group of researchers launched the “I am the Cavalry” initiative, GM announced the appointment of Jeffrey Massimilla as its first-ever chief product cybersecurity officer.

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.