General Motors Launches Bug Bounty Program

General Motors Launches Bug Bounty Program

General Motors has become the first major automobile manufacturer aside from Tesla to launch a bug bounty program, after quietly introducing the scheme late last week.

The car maker has sought the help of bug bounty platform provider HackerOne to get the scheme up and running.

There are no details as yet about the level of monetary rewards to be offered to security researchers who find vulnerabilities in GM systems. But the firm’s HackerOne page is up and running with a list of guidelines for those keen to hunt for flaws.

These include that researchers don’t cause harm to GM or its customers; don’t break the law; and aren’t living Cuba, Iran, North Korea, Sudan, Syria or Crimea.

White hats are also required to provide a detailed summary of the vulnerability in question, and to “publicly disclose vulnerability details only after GM confirms completed remediation of the vulnerability.”

As embedded computing systems find their way into more and more cars, manufacturers are being forced to wake up to the potential for hackers to disrupt.

At Black Hat 2015, Charlie Miller and Chris Valasek demonstrated how attackers could remotely control the steering, brakes and other functions of a 2014 Jeep Cherokee—highlighting the potentially life-threatening nature of serious vulnerabilities in connected cars.

GM’s bug bounty launch comes after it appointed its first Chief Product Cybersecurity Officer back in September 2014. Jeffrey Massimilla looks set to head up the program as part of his role.

The news follows a decision by Tesla last year to open up its products to ethical hackers in order to improve security and iron out bugs.

Such programs are becoming increasingly commonplace in the technology industry, with the likes of Google, Facebook, Microsoft and others offering significant sums for researchers who find serious software flaws in their products.

However, the automobile industry has historically been slow to react to the fact that vehicles are vulnerable to remote cyber attacks.

In response, senators Ed Markey and Richard Blumenthal are introducing the Security and Privacy in your Car (SPY) Act, with the aim of forcing the industry to adhere to a minimum set of cybersecurity standards.

Photo © Ken Wolter/

Source: Information Security Magazine