General Motors opens bug bounty without the bounty

The only place you'd find bugs in these cars was on the windscreen
The only place you'd find bugs in these cars was on the windscreen

In a possible case of mutiny on the bounty, General Motors has launched a bug bounty program but forgot to mention the bounty.

Vulnerability hunters may be put off by the lack of financial reward and some of the conditions which the iconic American motor manufacturer has attached.

It joins Tesla in being only the second automaker to put in place formal channels for the notification of bugs in the cyber-systems aboard its increasingly complex and connected cars. However, GM's bug bounty programme (which is hosted by Hacker One) makes no mention of a financial reward. By contrast, Tesla offers up to $10,000 per flaw found, admittedly an increase on its initial offer of $25 to $1000 which was judged to be insufficient reward for the discovery of safety critical flaws.

SCMagazineUK.com contacted GM to clarify whether or not money will be offered to researchers. A spokesperson from GM said: "We will continue to assess and adapt this program, and will consider recognition and incentive opportunities in the future."

The spokesperson added: “GM takes cyber-security very seriously, and has devoted substantial resources to address it, and continues to do so.  We also value the work of third-party researchers, and want to hear directly from anyone who finds a security vulnerability in one of our products or services.”

“The GM Security Vulnerability Disclosure Program was developed with close attention to published standards related to disclosure, benchmarking of other disclosure programs, and direct interaction with the research community.”

Far from offers of monetary awards, the car manufacturer instead lays out the conditions under which it will not take bug hunters to court. These range from not causing harm to GM, its customers or others, not compromising the privacy or safety of its customers and the operation of its services, not violating criminal laws or any other laws, and not disrupting or compromising any data or vehicle that is not their own.

Researchers also have to confirm that they are not currently located in or otherwise ordinarily resident in Cuba, Iran, North Korea, Sudan, Syria or Crimea, and that they are not on the US Department of the Treasury's Specially Designated Nationals List.

Flaw finders must also “provide a detailed summary of the vulnerability, including the target, steps, tools, and artefacts used during discovery," and "publicly disclose vulnerability details only after GM confirms completed remediation of the vulnerability and not publicly disclose vulnerability details if there is no completion date or completion cannot be ascertained".

The car maker has also made no mention of whether or not it will fix any bugs in any particular timeframe.

Richard Cassidy, technical director EMEA, Alert Logic told SCMagazineUK.com that to promote effective security research and disclosure, it's important to understand who you're dealing with and what motivates them.

“Exploits have value on the ‘DarkWeb' to cyber criminal groups and these days are easily traded for a host of rewards (some financial in the form of BitCoins, other notoriety and others in reciprocal favours). Researchers – whatever side of the criminal fence they sit on – will spend a larger proportion of their time (if not all) in putting efforts into research where rewards or incentives are on offer,” he said.

Cassidy said that in the case of GM's “guidelines” to researchers, he would question how well this promotes “active research” into their security vulnerabilities, exploits or loopholes.

“Without a doubt there are indeed groups/individuals that will perform research tasks in a bid to promote their expertise and capabilities through blogs/vlogs/social media, but these are few and far between and the reality is that the biggest battle is fought with those who seek to uncover vulnerabilities for nefarious purposes.”

Tony Dyhouse, knowledge transfer director of the Trustworthy Software Initiative told SC: “Bug-bounty programs such as General Motors new programme can have the adverse effect of making automotive manufacturers complacent, and enabling them to reduce costly in-house testing of software, instead relying on the public to test their products for free.”

It's essential “that rigorous in-house testing is performed before software is released. In reality, consumers will find and report bugs anyway during normal use, but an incentive ensures further attention to the cause.” As always, in built security is better than waiting to find the vulnerabilities.

Paco Hope, principal security evangelist at Cigital told SC that the goal of bug bounty programmes is to enable software makers to engage the wider security community in a constructive and productive dialogue.

“Instead of a carrot-and-stick approach to the security community, GM appears to be offering a stick-or-no-stick approach. Although this initial approach appears tone deaf in the broader context of bug bounties, we should applaud GM's efforts because they are clearly trying to engage the security community. GM will learn more by trying to work through an existing bug bounty framework than they will learn by blazing their own trail,” he said.

The threat of hacking an automated vehicle has loomed large since that fateful moment last year when the now-notorious Charlie Miller and Chris Valasek (now at Uber) hacked a Jeep Cherokee from a laptop computer using the car's cellular connection to penetrate its entertainment system and then its connected drive systems.

While the example was shown on one particular car, Miller and Valasek were unambiguous in warning that the Jeep Cherokee wasn't unique in its vulnerability.