Fiat Chrysler Launches Public Bug Bounty – But It’s Not All That

Screen Shot 2016-07-13 at 4.39.29 PM

In-brief: Fiat Chrysler Automobiles (FCA) has unveiled a public “bounty” program that will pay security researchers up to $1,500 dollars for information on vulnerabilities in software used in conjunction with the company’s vehicles. Don’t get too excited. 

Fiat Chrysler Automobiles (FCA) has unveiled a public “bounty” program that will pay security researchers up to $1,500 dollars for information on vulnerabilities in software used to manage the company’s connected vehicles.

The program isn’t the first by a major auto maker – GM announced a similar program in January. But it is notable because Fiat Chrysler’s Jeep Cherokee was the target of the most publicized hack in automotive history, by Chris Valasek and Charlie Miller. The researchers’ hack of a 2014 Jeep Cherokee gained worldwide attention almost exactly a year ago, in July, 2015.

Fiat Chrysler’s bounty program is being hosted by Bugcrowd, one of a handful of firms that host bounty programs on behalf of companies. The program will pay between $150 and $1,500 per bug. The company said it was launching the program to “improve our products making them safer and more reliable.”

“We have committed to formal recognition and compensation for discovery of reproducible and legitimate vulnerabilities, provided they are disclosed responsibly,” the company wrote, in describing the program. “Our goal with the Bug Bounty project is to foster a collaborative relationship with researchers to participate in responsible disclosure of vulnerabilities in FCA’s vehicles and connected services.”

For those expecting FCA or other automakers to start paying the likes of Valasek and Miller for compromises of in-vehicle system, this bounty program isn’t that. FCA has limited the scope of its bounty program to a short-list of less exotic targets. Namely: FCA’s UConnect mobile applications for the iOS and Android operating systems. (Read: mobile app vulns.) Also: the company will pay for information about vulnerabilities in the driveconnect.com domain. (Read: web application vulns.) There’s no (public) bounty for CAN bus or head end/in vehicle entertainment system hacks of the kind that Miller and Valasek pulled off.

Of course, a public bounty program is often the most visible end of what might be a more extensive, private bounty offering. In such programs, firms like Bugcrowd host invite-only bounty programs for select researchers. Such a program may have preceded the public bounty program, or may run concurrently and could, hypothetically, include bounties for actual vehicle hacks.

Fiat Chrysler has not responded to a request for comment. We’ll get back when more information is available.