Fiat Chrysler Automobiles Launches Bug Bounty Program For Vehicle Cybersecurity

AUBURN HILLS – Hackers can get paid a bounty up to $1,500 if they discover potential vehicle cybersecurity vulnerabilities, depending on its impact and severity.

That’s the program launched Wednesday by FCA US LLC, the American arm of Fiat Chrysler Automobiles. FCA also named the crowdsourced security testing firm Bugcrowd Inc. to manage the program.

“There are a lot of people that like to tinker with their vehicles or tinker with IT systems,” said Titus Melnyk, senior manager of security architecture, FCA US LLC. “We want to encourage independent security researchers to reach out to us and share what they’ve found so that we can fix potential vulnerabilities before they’re an issue for our consumers.”

The FCA US bug bounty program may be found at https://bugcrowd.com/fca.

FCA officials said the new Bugcrowd program gives them the ability to identify potential product security vulnerabilities, implement fixes after sufficient testing has occurred; improve the safety and security of FCA US vehicles and connected services; and foster a spirit of transparency and cooperation within the cybersecurity community.

“Exposing or publicizing vulnerabilities for the singular purpose of grabbing headlines or fame does little to protect the consumer,” Melnyk said. “Rather, we want to reward security researchers for the time and effort, which ultimately benefits us all.”

“Automotive cybersafety is real, critical, and here to stay,” Bugcrowd CEO and founder Casey Ellis said. “Car manufacturers have the opportunity to engage the community of hackers that is already at the table and ready to help, and FCA US is the first full-line automaker to optimize that relationship through its paid bounty program. The consumer is starting to understand that these days the car is basically a two ton computer. FCA US customers are the real winners of this bounty program; they’re receiving an even safer and more secure product both now and into the future.”

FCA US may make research findings public, based upon the nature of the potential vulnerability identified and the scope of impacted users, if any.

Last year, FCA US said it contacted customers about a potential vulnerability associated with certain radios, and provided the software update and permanently closed remote access to the open port on the radio, eliminating the risk of any long-range remote hacking, all before issuing a recall.

More at http://www.bugcrowd.com or http://www.fcanorthamerica.com.

About the Author: Mike Brennan

Founder of Michigan News Network, and serves as CEO, as well as Editor & Publisher of MITECHNEWS.COM. Brennan has worked since 1980 as a technology writer at newspapers in New York, NY, San Jose, CA., Seattle, WA., Memphis, TN., Detroit, MI., and London, England. He co-founded and served as managing editor of Pacific Rim News Service (SEATTLE), which developed a network of more than 100 freelance journalists in 17 Asia-Pacific countries.