Fiat Chrysler puts bounty on car cybersecurity bugs

Car hacks may very well be the next big battleground in cybersecurity, and Fiat Chrysler is the first automaker to put a bounty on bugs that could potentially cripple its vehicles – or worse. FCA US (Fiat Chrysler Automobiles US) will offer security researchers up to $1,500 apiece for spotting potential security vulnerabilities, such as those discovered in its infotainment system which made headlines last year.

Then, software engineers found that loopholes in the cellularly-connected Uconnect dashboard computer could be used to remotely tap into several car systems, including affecting the engine management.

Fiat Chrysler subsequently updated its network and released a firmware update for Uconnect that patched the glitch, present in 1.4 million cars in the US.

While the Jeep incident may be the best known of the exploits, it's by no means the only such concerning example as hitherto independent car systems suddenly find themselves online with inadequate security. Indeed, the FBI has warned that car security is almost certain to be the next big focus for hackers.

IT industry stalwarts like Apple, Microsoft, and Google have long had bug bounty programs, rewarding security researchers for flagging possible problems rather than releasing details of such exploits before they've had a chance to patch them. The auto industry is late to the game, though other companies are almost certain to follow FCA US' lead.

The FCA US bug bounty program is being run by Bugcrowd, an enterprise security testing specialist that has already been used by Tesla among others.

"The consumer is starting to understand that these days the car is basically a two ton computer," CEO Casey Ellis said of the deal, which will see Bugcrowd assess payouts ranging from $150 to $1,500 depending on how critical the vulnerability is, and the scope of how many people it could impact.

Currently, rewards are available for bugs found in FCA US' iOS and Android apps, as well as the Uconnect site. There's a long list of exceptions, however, including denial of service attacks and exploits that are based on third-party software like Adobe Air.

Notably, by taking part in the program the bug-hunters agree not to publicly disclose any details of the vulnerabilities they find. In fact, there's every chance that possible hack vectors will go entirely unannounced, with the automaker withholding final judgement on the matter.

"FCA US may make research findings public, based upon the nature of the potential vulnerability identified and the scope of impacted users, if any," Fiat Chrysler said in a statement today.

MORE FCA US