Exclusive

In the world of automotive bug bounties, GM and Tesla take divergent roads

Tesla has paid out 159 bounties, but we don't know how much money.

There was a way to make the headline to this story quite salacious. For example, we could have said, "GM hasn't paid out any money for bug bounties, Tesla maybe $1.5 million." That's all technically true, but it's super misleading. In the emerging world of bug bounties in the automotive industry, things are moving fast and details are scarce.

So, let's break down the headline we didn't use to describe bug bounties - rewards paid to people who find errors in programming code. All we know for sure about Tesla's program is that 159 bugs have been reported. And, at a maximum, that could come to $1.5 million. Of course, the chance that Tesla paid out that much is basically zero (Tesla's lowest payout is $100, so maybe the EV automaker only paid out $15,900. That's unlikely, too). And the reason General Motors hasn't paid any money for its bug bounty is not that no bugs have been found in its vehicles, but that its program is set up differently: it doesn't pay bug bounties at all. Companies need to make their cars as secure as possible, because the threats to drivers and owners can be physical as well as financial. Think of the spate of ransomware attacks on computers, but for your car.

Neither Tesla nor GM wanted to get into any details about their bug bounty programs, but there is another resource: Bugcrowd. Bugcrowd is a site that tracks bounty programs, which are rewards for people who discover software vulnerabilities and then tell the company about them rather than exploit them for nefarious purposes. Michelle Dailey, Bugcrowd's director of communications, told AutoblogGreen that:

The 159 bugs rewarded number is a count of all of those that have been reported and rewarded on our platform. This means that of all submissions created by our researchers, 159 of them were unique and met the requirements of the brief for the program (targets, scope, etc.). While we can't share the specific breakdown of bugs by program without customer permission, we can share a breakdown of bugs by type across all of our programs. This is included in the 2016 State of Bug Bounty report, along with a number of other stats on number and type of vulnerability.

Bugcrowd calls Tesla's bug bounty program a "high profile example" of preventing an attempt to hack into the Internet of Things. Bug bounty programs from GM and Chrysler are other examples (on Bugcrowd, FCA has apparently paid out on 48 bugs, at between $150 and $1,500 per bug). These programs are unusual for big companies, since Bugcrowd says that "94 percent of companies on the Forbes 2000 list do not currently have a vulnerability disclosure or bug bounty program." The average for all bug bounties paid in Bugcrowd's report is $294.70, up from $200.81 in its first annual report in 2015. Tesla uses other bug bounty tracking services as well, and Tesla contradicted Bugcrowd's claim by telling AutoblogGreen that the 159 bugs reported on the site are not necessarily unique: a group of researchers could all claim the same bug, or one bug might persist across various platforms.

A Tesla spokesperson told AutoblogGreen that:

We developed Model S and Model X with the highest standards of safety in every respect. Through our responsible reporting process, a dedicated team of top-notch Tesla security professionals works closely with the researcher community to ensure that we continue to protect our systems against vulnerabilities by constantly stress-testing, validating, and updating our safeguards. Given the cutting edge nature of our technology, the security team constantly reviews and identifies new methods to defend our systems and protect our customers.

Tesla takes security and data privacy very seriously and we have had a publicly-facing vulnerability reporting program in place that encourages the security community to participate in the process. The Bug Bounty program launched in 2014 and includes our products in addition to our website.

Our over-the-air software updates remotely add new features and functionality to Model S. Similarly to how you receive updates to your smartphone, Tesla owners download these updates from Tesla via Wi-Fi or a cellular connection. A button will pop up on Model S and Model X's 17" touchscreen and an owner can select a time to download the latest version of software. The ability to receive these features and fixes is free for the life of the vehicle and is one more way that Tesla is redefining auto-ownership.

As stated on Bugcrowd, the legitimate targets for Tesla "hackers" are:
  • *.teslamotors.com
  • Any host verified to be owned by Tesla Motors Inc. (domains/IP space/etc.)
  • Mobile Applications ("Tesla Model S" on iOS and Android)
  • A hardware product that you own or are authorized to test against (Vehicle/PowerWall/etc.)
  • *.tesla.com
Tesla welcomes white-hat hacking of its vehicles, as a recent demonstration from China shows, but it hasn't updated the public list of its hacker Hall of Fame since 2014.
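The host entries in a scope list like the one above are the part a researcher has to get right before touching anything, and the wildcard lines are where mistakes happen. The following Python checker is an added illustration, not code from the article, Bugcrowd or Tesla. It assumes the usual reading of a `*.domain` entry (any subdomain, matched on a dot boundary, with the bare apex needing its own entry); the non-host entries on the list (mobile apps, hardware you own) are not patterns and are left to a human reviewer. The candidate targets at the bottom are constructed for the demonstration.

```python
"""Scope checker for the host-pattern entries of a bug bounty brief.

Added example; the patterns below are the two host entries quoted on the
page, and the wildcard semantics are an assumption (subdomains only).
"""

# The two host-pattern entries from the published Tesla scope.
SCOPE_PATTERNS = ["*.teslamotors.com", "*.tesla.com"]


def normalize_host(target: str) -> str:
    """Reduce a URL or host string to a bare, lower-case hostname."""
    host = target.strip().lower()
    if "://" in host:                     # drop a URL scheme if one was passed
        host = host.split("://", 1)[1]
    host = host.split("/", 1)[0]          # drop any path
    host = host.split(":", 1)[0]          # drop a port
    return host.rstrip(".")               # drop a trailing FQDN dot


def matches(pattern: str, host: str) -> bool:
    """True if `host` falls under one scope entry.

    A wildcard entry "*.example.com" covers hosts that end in ".example.com".
    The leading dot is kept in the suffix so that look-alike names such as
    "evil-example.com" or "notexample.com" do not match, and the length check
    stops the empty label from matching the suffix alone.
    """
    pattern = pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]              # ".example.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern                # exact-host entry


def in_scope(target: str, patterns=SCOPE_PATTERNS) -> bool:
    """Return True if the target is covered by any host-pattern entry."""
    host = normalize_host(target)
    return any(matches(p, host) for p in patterns)


def triage(targets, patterns=SCOPE_PATTERNS) -> dict:
    """Map each candidate target to its in-scope decision."""
    return {t: in_scope(t, patterns) for t in targets}


if __name__ == "__main__":
    # Constructed candidates: some in scope, some look-alikes that are not.
    candidates = [
        "www.teslamotors.com",
        "https://owner-api.tesla.com/api/1",
        "WWW.TESLA.COM.",
        "tesla.com",                      # apex: not covered by the wildcard alone
        "evil-teslamotors.com",           # look-alike, no dot boundary
        "teslamotors.com.example.net",    # scope name embedded in another domain
    ]
    for target, ok in triage(candidates).items():
        print(f"{'IN ' if ok else 'OUT'}  {target}")
```

Running the block prints a decision per candidate; the point of the look-alike entries is that a naive substring test would wrongly admit them, and the point of the apex entry is that a wildcard line does not, on its own, settle whether the bare domain is in scope.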

Over at GM, the bug bounty program is proceeding slowly. GM launched its Security Vulnerability Disclosure Program in January. Rebecca White, from GM's cybersecurity and safety communications office, told AutoblogGreen that it is an "important" part of GM's security efforts, but the company is still a bit hesitant. "As the first major automaker to launch a program such as this, we employed a very strategic crawl, walk, run approach," she said. "We have not implemented a financial component to the program to date, but continue to assess and adapt this program, and will consider recognition and incentive opportunities in the future."

This is certainly an evolving space. For an even deeper look at where we are today, read Bugcrowd's The State of Bug Bounty report from June 2016 here (PDF).
