Fiat Chrysler Automobiles will start rewarding the public with cash for finding vulnerabilities and security bugs in its vehicle software, more than a year after two hackers showed how they could remotely take control of its popular Jeep Cherokee. The hack alarmed automakers and regulators, and it led FCA to recall 1.4 million vehicles to close off the wireless connection that had been used to gain control of the vehicle.
This month, police in Houston said thieves used laptop computers to steal a 2010 Jeep Wrangler by hacking into the vehicle’s electronic ignition. The Wall Street Journal reported that police said the same method may have been used in the theft of four other late-model Wranglers and Cherokees in the Texas city. In those incidents, thieves employed the same software dealerships use to program electronic ignition keys, rather than exploiting a vulnerability in the vehicle’s software.
White hat hackers, the folks hacking for good purposes rather than nefarious ones, will be paid between $150 and $1,500 for each legitimate security flaw through a bug bounty program managed by Bugcrowd, a crowd-sourced cybersecurity company.
“Bugcrowd will do the initial triage,” Titus Melnyk, FCA US’s senior security manager, says in a YouTube video announcing the program. If Bugcrowd determines that a report is a valid submission, it will be passed along to FCA.
“The most important thing is if someone does report a vulnerability to us—that we vet out—we want to reward that person, which is why we’re going with a paid bounty program,” Melnyk says in the video.
The end goal is not only to find the bugs but ultimately to help Fiat Chrysler write better code, meaning the software that runs in its vehicles, Casey Ellis, co-founder and CEO of Bugcrowd, says in the video. There’s another aim as well: to show the market that FCA is serious about cybersecurity.
Fiat Chrysler is the first major automaker to offer a “bug bounty” reward program.