Fiat Chrysler Will Pay $1,500 Bug Bounties To Hackers Who Uncover Security Flaws


Nearly four months after the FBI warned carmakers that their products were “increasingly vulnerable” to hacking, Fiat Chrysler has unveiled its plan to combat future hack attacks: launch a so-called “bug bounty” program that pays members of the public for finding security flaws in its vehicles.

Fiat Chrysler unveiled the program on Wednesday in an attempt to enhance the safety and security of its consumers, their vehicles, and connected devices.

The program will be operated by the Bugcrowd platform, which will use a crowdsourced community of cybersecurity researchers to uncover issues and properly report them to FCA.

Under the program, FCA says Bugcrowd will provide payouts to researchers based on the severity of the security flaw identified and the scope of its impact. Payouts will range from $150 to $1,500, depending on the vulnerability.

FCA says that by using Bugcrowd to operate the bounty program, it will be able to identify potential product security vulnerabilities; implement fixes and/or mitigating controls after sufficient testing has occurred; improve the safety and security of FCA US vehicles and connected services; and foster a spirit of transparency and cooperation within the cybersecurity community.

The program is “one of the best ways to address the cybersecurity challenges created by the convergence of technology and the automotive industry,” the company said in a statement.

“There are a lot of people that like to tinker with their vehicles or tinker with IT systems,” Titus Melnyk, senior manager – security architecture for FCA, said in a statement. “We want to encourage independent security researchers to reach out to us and share what they’ve found so that we can fix potential vulnerabilities before they’re an issue for our consumers.”

Depending on the nature of the flaw uncovered, FCA says it could make the research findings public.

“The safety and security of our consumers and their vehicles is our highest priority,” Sandra Hosler, a cybersecurity system official with FCA, said in a statement.

FCA, of course, is no stranger to vehicle hacks and security flaws. Last year, the carmaker recalled 1.4 million vehicles that could be susceptible to remote hack attacks, just days after researchers teamed up with a reporter to show how a Jeep Cherokee could be controlled wirelessly from miles away.

The recall included a software update for certain radios that could be targeted by hackers. FCA noted in a statement on the recall that no vehicles outside the United States were affected, and that the company had not received any related complaints, warranty claims, or reports of accidents apart from the Wired.com demonstration.