General Motors Launches Vulnerability Disclosure Program

General Motors launched a vulnerability disclosure program last week, but the carmaker is currently not offering any rewards.

The carmaker has invited researchers who find security vulnerabilities in GM products and services to submit a report via the HackerOne platform.

“There is not a specific list of products or services in scope. If a researcher has information related to security vulnerabilities in our products and services, we want to hear about it,” GM representatives told SecurityWeek.

GM is currently not offering any bounties, but the carmaker says it will continue to assess and adapt the program, and will consider recognition and incentive opportunities in the future.

Those who want to report security bugs to General Motors have to follow a set of rules in order to avoid any legal problems. Participants are instructed not to cause harm to GM or its customers, not to violate any laws, and not to compromise the privacy or safety of GM customers or the operation of its services. The vulnerability disclosure program guidelines also specify that the details of the reported flaws cannot be disclosed until the problem is resolved.

“GM takes cybersecurity very seriously, has devoted substantial resources to address it, and continues to do so,” GM said in an emailed statement. “We also value the work of third party researchers, and want to hear directly from anyone who finds a security vulnerability in one of our products or services. This program complements our overall cybersecurity program, including the work done by our team of internal experts and our collaboration with other outside specialists and third parties.”

Researchers Charlie Miller and Chris Valasek, who last year got Fiat Chrysler to recall over a million vehicles after remotely hacking a Jeep, took to Twitter to share their opinion on GM’s “bountyless” bug bounty program.

Miller and Valasek brought car hacking into the spotlight after first locally hacking a Toyota Prius and later remotely taking over a Jeep via its Uconnect in-vehicle connectivity system. The vulnerabilities they demonstrated on the Jeep affected many FCA models, including Ram, Dodge and Chrysler.

GM software has also been targeted by white hat hackers. Last year at the Def Con conference, researcher Samy Kamkar showcased a $100 gadget that allowed him to remotely capture access credentials for OnStar RemoteLink, a GM service that allows vehicle owners to locate, unlock and even start their car from a smartphone app.

In September 2014, after lawmakers started putting pressure on car manufacturers to ensure that their vehicles can’t be hacked, and after a group of researchers launched the “I am the Cavalry” initiative, GM announced the appointment of Jeffrey Massimilla as its first-ever chief product cybersecurity officer.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.