With automobiles becoming the ultimate mobile computing device, General Motors wants security researchers to report information on vulnerabilities affecting the company’s products and services.
GM’s new program, set up via HackerOne, offers no concrete rewards except a thanks from the company, so it’s more of a public coordinated disclosure program than an actual bug bounty program.
The company has agreed not to sue researchers who participate in the program, provided they do not harm GM, its customers or other users; do not compromise the privacy or safety of GM's customers or the operation of its services; do not violate any law (including by disrupting or compromising any data or vehicle that is not their own); and agree not to publicly disclose vulnerability details before the auto giant fixes the flaw.
Since the latter could take a long time, the company also wants the researchers to “not publicly disclose vulnerability details if there is no completion date or completion cannot be ascertained.”
This condition appears fitting as GM vehicles contain components provided by third-party suppliers, who might not have the means or resources to react and fix the problem quickly.
“For a company like GM to step forward, they’re telling every supplier that they also need a vulnerability coordination program,” said HackerOne founder and CTO Alex Rice.
Some flaws may also be impossible to fix with a software patch, in which case replacing the vulnerable component may be the only way to close the security hole. That means owners would have to bring their vehicles in to be fixed by experts.
Car hacking has been a hot topic in the last few years, and a number of researchers have set aside fears of being sued and probed connected cars for vulnerabilities. In some cases, auto makers prevented them from revealing the results of their research until the producer fixed the problem.
A report released last year by U.S. Senator Edward Markey found that automobile manufacturers have yet to effectively deal with the threat of hackers penetrating vehicle systems, and that the driver and vehicle information they collect and share is not adequately protected.