
General Motors Launches Vulnerability Disclosure Program

General Motors launched a vulnerability disclosure program last week, but the carmaker is currently not offering any rewards.

The carmaker has invited researchers who find security vulnerabilities in GM products and services to submit a report via the HackerOne platform.

“There is not a specific list of products or services in scope. If a researcher has information related to security vulnerabilities in our products and services, we want to hear about it,” GM representatives told SecurityWeek.

GM is currently not offering any bounties, but the carmaker says it will continue to assess and adapt the program, and will consider recognition and incentive opportunities in the future.

Those who want to report security bugs to General Motors have to follow a set of rules in order to avoid any legal problems. Participants are instructed to avoid causing harm to GM or its customers, not to violate any laws, and not to compromise the privacy or safety of GM customers or the operation of its services. The vulnerability disclosure program guidelines also specify that the details of the reported flaws cannot be disclosed until the problem is resolved.

“GM takes cybersecurity very seriously, has devoted substantial resources to address it, and continues to do so,” GM said in an emailed statement. “We also value the work of third party researchers, and want to hear directly from anyone who finds a security vulnerability in one of our products or services. This program complements our overall cybersecurity program, including the work done by our team of internal experts and our collaboration with other outside specialists and third parties.”

Researchers Charlie Miller and Chris Valasek, who last year got Fiat Chrysler to recall over a million vehicles after remotely hacking a Jeep, took to Twitter to share their opinion on GM’s “bountyless” bug bounty program.

Miller and Valasek brought car hacking into the spotlight after first locally hacking a Toyota Prius and later remotely taking over a Jeep via its Uconnect in-vehicle connectivity system. The vulnerabilities they demonstrated on the Jeep affected many FCA models, including Ram, Dodge and Chrysler.

GM software has also been targeted by white hat hackers. Last year at the Def Con conference, researcher Samy Kamkar showcased a $100 gadget that allowed him to remotely capture access credentials for OnStar RemoteLink, a GM service that allows vehicle owners to locate, unlock and even start their car from a smartphone app.

In September 2014, after lawmakers started putting pressure on car manufacturers to ensure that their vehicles can’t be hacked, and after a group of researchers launched the “I am the Cavalry” initiative, GM announced the appointment of Jeffrey Massimilla as its first-ever chief product cybersecurity officer.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
