In-brief: Security experts are divided on Fiat Chrysler’s new bug bounty program, with some decrying small dollar awards, while others argue the company may have moved far too quickly in offering cash rewards to begin with.
Fiat Chrysler this week became just the third major automaker to offer a public “bounty” program, challenging hackers to find flaws in its vehicles and the software that runs them. It is just the second vehicle maker – after Elon Musk’s Tesla – to offer cash rewards in exchange for information on certain types of vulnerabilities.
But security experts are divided on the company’s bounty program, with some saying the low dollar rewards will provide little incentive to the best researchers and others worrying that Fiat Chrysler may have moved far too quickly with its public bounty program by providing cash incentives for information on security flaws in its connected cars.
Fiat Chrysler’s announcement came a year after two researchers, Charlie Miller and Chris Valasek, demonstrated a remote, wireless software attack on a 2014 Jeep Cherokee as a Wired reporter drove on a crowded highway. That demonstration and the subsequent uproar prompted the company to recall 2.4 million vehicles to address the security flaws identified by Miller and Valasek.
Miller and Valasek, who now work at Uber, both offered qualified praise to Fiat Chrysler for launching the bounty program and offering cash rewards for vulnerabilities. “Generally, it’s good that they’re paying,” said Valasek in an e-mail message to Security Ledger.
The program also won praise from Craig Smith of Theia Labs, a noted car hacker. “I think it’s great that they are participating in a bug bounty program. The auto industry used to send lawyers with cease and desist letters. Having a bug bounty program is a great step to identifying and addressing issues,” Smith wrote to Security Ledger in an e-mail.
However, researchers agreed that Fiat Chrysler’s $1,500 reward wouldn’t be much incentive for a capable researcher to spend the time and effort to discover a vulnerability in a vehicle.
“$1,500 for a car bug that would require a car and lots of time to find probably isn’t worth it to most people,” Valasek wrote. Miller echoed those sentiments in a message sent from his Twitter account @0xcharlie. “$1500 seems cheap to me, but at least it’s paid (looking at you GM). I think it’s the first company besides Tesla to do that,” he wrote.
Joshua Corman of the advocacy group IAmTheCavalry also noted that the bounty seems to imply that “proof of concept” code from researchers, a working attack, is a requirement for legal immunity. He said that sets a high bar, as proving that a vulnerability exists is much easier than creating an attack to exploit the hole. And the implied uncertainty around legal immunity from prosecution under the federal Digital Millennium Copyright Act may well scare away any takers.
“You’re talking about a low payout for a high burden of proof,” Corman said.
Not so fast
Researchers and advocates for better software security in the automotive sector also expressed concern that Fiat Chrysler’s announcement seemed to come from nowhere and that the firm may have moved too far, too fast into the global marketplace for software vulnerabilities.
“It’s important that they are starting their journey. That’s the positive thing,” said Joshua Corman of the group IAmTheCavalry, which advocates for improved software quality and security in areas like automotive, medicine, home and public infrastructure. The group has advocated for a “Five Star Safety Rating System” for automotive software, akin to the physical safety ratings for cars.
Corman said his group advocates a “crawl, walk, run” model for companies to engage with the independent security researcher community through programs like bug bounties. By that model, Fiat Chrysler appears to have gone from a standstill to a sprint.
The notion of simply throwing open the doors to top vulnerability researchers can be alluring, Corman said. But non-software companies rarely have the people and processes in place to deal with the fallout from such an action, Corman said.
Bounty programs that don’t offer cash rewards will generate less interest from the researcher community, Corman said. But that’s not a bad thing if the company is new to the bug bounty game.
As an example, GM’s bounty program, launched in January, does not offer any monetary reward for discovered vulnerabilities. Even without a payout, GM has still received a strong response from the security community since the program launched, Corman said. Tesla Motors, one of the most technologically sophisticated automakers, launched a recognition-only vulnerability bounty program in 2013* and, in June 2015, began offering small cash rewards, between $25 and $1,000, for vulnerabilities in a small list of web domains. The company eventually extended the list of targets to vehicles and stepped up monetary rewards.
“During the ‘crawl’ stage, we’re not encouraging bug bounties, period,” Corman said. “We believe that’s an intermediate or an advanced step.” Better to start with a program that offers recognition, but no rewards, and then step up to small dollar and then larger monetary rewards, he said.
Researchers, as well as those who have been working with auto industry leaders and policymakers to improve software security and reliability, also said the Fiat Chrysler program took them by surprise.
“Seems a little strange, considering we were on the phone with (Fiat Chrysler) last week, that I had to hear about it from @rantyben,” Miller said via his Twitter account on Thursday, referring to the Fiat Chrysler bug bounty program.
Corman said that Fiat Chrysler has not participated in open meetings with the National Telecommunications and Information Administration (NTIA) and other leading automakers and industrial firms where bounty programs and software security were discussed.
“To my knowledge, (Fiat Chrysler) have not been there,” he said.
The lack of engagement with the larger community shows in the way the company’s bounty was worded and the way the overall program was structured, Corman said. Among other things, Corman noted Fiat Chrysler’s description of its program as “a public channel for responsible disclosure of potential vulnerabilities.”
That phrase, “responsible disclosure,” is freighted, recalling a decades-old debate between researchers and private software firms like Microsoft, Adobe and Oracle about the proper protocols for disclosing software vulnerabilities in the days before such information had a price tag attached to it.
The phrase “responsible disclosure” is a “trigger word” and point of conflict between vulnerability researchers and the companies whose software they are analyzing – an attempt to “moralize and paint researchers as irresponsible,” Corman noted.
Conversations between groups like IAmTheCavalry, the NTIA and other large industrial firms, including GM, Ford, Honda and Johnson & Johnson, addressed issues around nomenclature and would certainly have flagged that phrase had Fiat Chrysler vetted the program prior to releasing it, he said.
Bounty programs have gained adherents within the highest ranks of the U.S. government and the defense community. The Department of Defense recently completed a successful “Hack the Pentagon” bounty program and officials at the U.S. Department of Health and Human Services are considering launching a similar program aimed at medical devices and other healthcare systems.
(*) Editor’s note: this story has been changed to clarify that Tesla’s bounty program began in 2013 with no cash rewards. Its paid bug bounty program began in 2015.