General Motors Launches Bug Bounty Program

Major car manufacturer General Motors has launched a new bug bounty program seeking white-hat hackers to participate in a vulnerability disclosure program.

In an announcement, the car maker said on its HackerOne page:

If you have information related to security vulnerabilities of General Motors products and services, we want to hear from you.

The car manufacturer also stated that it will not pursue claims against white-hat hackers or security researchers. Essentially, General Motors will not sue those hackers who comply with hacking guidelines issued on the company’s HackerOne page.

One of the primary guidelines is the requirement of a detailed summary of any vulnerability found. This includes the target, tools, steps and artifacts used toward the discovery of the said vulnerability. GM adds that the steps detailed by the hacker will be used by the company to replicate the vulnerability itself.

The car maker also insisted that no hacker should publicly disclose vulnerability details until GM confirms that the bug or exploit has been fixed. If ‘complete remediation of the vulnerability’ does not come with an estimated completion, GM adds that the hacker should not disclose the vulnerability, period.

While the bug bounty program applies for hackers globally and not just the United States from where the company is based, GM exempts applicants from the following countries:

  • Cuba
  • Iran
  • North Korea
  • Sudan
  • Syria and
  • Crimea

The program is being overseen by General Motors’ cybersecurity head, Jeffery Massimilla, who took the position in 2014.

General Motor follows the trend set by Tesla who announced a bug bounty reward program during 2015’s DefCon conference in Las Vegas.

It is a practice that is certain to be adopted by more car manufacturers soon, as the subject of cybersecurity gains importance and precedence in an age where smart- and connected-vehicles is becoming the norm. Self-driving autonomous cars will only bring the spotlight on such vehicles even further, in the near future.

A group of researchers even found vulnerabilities with Tesla’s Model S and hacked the vehicle, for which Tesla duly issued patches.

The subject of car security struck the mainstream when hackers remotely hijacked a jeep, while it was being driven. The incident led to the Chrysler recall of 1.4 million vehicles. At the time, a researcher even noted that such a ‘recall’, done via USB mailed to customers, brings its own list of vulnerabilities and potential exploits.

Image credit: Flickr.