General Motors (GM) has launched a program to entice white hat hackers and other experts to delve into the inner workings of its software.
The company launched a bug bounty on January 5th on the web site of Hackerone, a firm that manages bounty programs on behalf of other companies, promising “eternal glory” to security experts who relay information on “security vulnerabilities of General Motors products and services.” The firm is not offering monetary rewards – at least not yet. A page on Hackerone detailing how vulnerability reporters will be thanked reads “Be the first to receive eternal glory,” but does not spell out exactly what rewards are proffered.
GM wouldn’t be the first “old economy” giant to delve into the world of bug bounties for information on software flaws and vulnerabilities. United Airlines recently launched a similar program on the Hackerone platform, offering rewards of up to one million airmiles to researchers who find remotely executable vulnerabilities in the company’s web properties (though not its planes).
GM’s program does not seem to be as restrictive, and doesn’t specify Internet domains as the subject of testing. Rather, the company promises to “not pursue claims against researchers related to the disclosures submitted through this website” as long as they meet a number of conditions, including:
- not harming GM, its customers or “others”
- providing details of their work
- not compromising the privacy or safety of customers or the operation of the company’s services
- not breaking any laws
- holding the details of their findings until GM confirms that the issue exists and fixes it
Security researchers who are working from Cuba, Iran, North Korea, Sudan, Syria or Crimea are barred from the program, as are researchers on the U.S. Department of the Treasury’s Specially Designated Nationals List.
Distinctly missing from the program is a monetary reward. That’s a bitter pill to swallow from a company with a $47 billion market capitalization. Bounty programs have become an important source of income for talented security researchers, some of whom earn hundreds of thousands of dollars a year finding holes in software from firms like Yahoo, Paypal, Twitter and Facebook. (Read my story “Glitches to Riches” over at Christian Science Monitor Passcode.)
GM earned immediate praise from security researchers Chris Valasek and Charlie Miller, whose research exposing security holes in vehicles manufactured by Fiat Chrysler attracted worldwide attention.
“Great step in the right direction to Massimilla and the whole GM team,” wrote Chris Valasek of Uber (@nudehaberdasher) in a Twitter post, an apparent reference to Jeff Massimilla, GM’s Chief of Cybersecurity.
Valasek said offering security researchers a contact and a way to disclose vulnerabilities was important, even in the absence of a monetary reward.
Still, some researchers are skeptical that firms are willing to “walk the walk” when it comes to addressing and fixing reported vulnerabilities. “If we waited for Chrysler before disclosing the jeep hack, I bet it still wouldn’t be fixed,” wrote Valasek’s research partner Charlie Miller (@0xCharlie) on Twitter.