Web security is something that every company should be concerned about, but not all of them take it seriously. Even for the ones that do, people looking to exploit vulnerabilities have so many resources available to do so, it can still be difficult to stop them. One of the solutions to this problem is to offer rewards to anyone who finds a vulnerability and tells them about it – essentially crowdsourcing their own security.
It’s possible to do so informally, which Tesla has been doing with its Hall of Fame, but according to Forbes, Tesla recently formalized its program on the popular site Bugcrowd. The bounties offered range from $25 to $1,000 for any bugs found on its website.
“We are committed to working with this community to verify, reproduce, and respond to legitimate reported vulnerabilities. We encourage the community to participate in our responsible reporting process,” said Tesla on its Bugcrowd page.
The amount offered is significantly lower than what other major companies have offered. Facebook and Google, for example, have paid $22,000 and $33,000 respectively for issues that people have found. Still, Tesla has been commended by the security community for its willingness to work with outsiders to improve its site. Currently, the bounty only applies to Tesla’s website, and the community is being asked to give the company “a reasonable time to correct the issue before making any information public.”
Curiously absent for now, though, is any formal reward structure for contributors who find problems with Tesla’s other products. The Bugcrowd post asks that any problems found with Tesla’s vehicles be reported to the company directly instead of through the site, but no mention is made of there being a reward for finding those problems. That doesn’t necessarily mean there isn’t one, and the program may have just not been formalized yet, but its absence is still notable.
Forbes reports that “Tesla has been informed about issues in its cars and subsequently fixed them without any notice on its site to credit researchers…In none of those cases were the researchers rewarded.” One of those issues was discovered by the Chinese Internet security company Qihoo 360, and while it did once receive $10,000 for hacking a Tesla, the competition Qihoo 360 won wasn’t officially sponsored by the automaker.
As we’ve talked about before, giving vehicles more of the modern technology that consumers want creates the potential for security breaches that go far beyond making it easier for cars to be broken into or stolen. With automotive security receiving a lot more attention in the news lately, and with self-driving cars making it closer to production, expanding its reward program to include its cars and not just its website would be a huge step forward not just for Tesla but for the automotive industry as a whole.
While Tesla hasn’t stopped programmers from cracking its app and writing their own programs, other automakers have been actively working to try to keep tuners and programmers out of their cars’ computers by claiming the Digital Millennium Copyright Act applies to their vehicle management programs.
Companies certainly stand to lose a lot of money and potentially their reputations if their websites get hacked, but it’s incredibly unlikely that anyone’s life would end up in danger as a result. With cars, that danger is much more present, anything from a programming error to a complete takeover has the potential to lead to much more serious consequences.
Ted Harrington, executive partner at Independent Security Evaluators, agrees and thinks automakers should be taking security much more seriously:
“When it comes to security research, the stakes are the highest when human lives are involved. Securing the connected car is about more than just protecting data; it is about protecting lives. In that vein, auto manufacturers should be going to extreme lengths to harden their systems against the most sophisticated adversaries.
“In order to fully understand and mitigate risk, a system must go through ongoing, thorough, manual white box security assessment. With lives at stake, auto manufacturers in the era of the connected car should consider robust security assessment a business-critical mandate.”
There have been rumors that Tesla will be opening up its vehicles to hackers at a conference in August of this year, but so far, those rumors have been denied. For now, though, it’s a step in the right direction for the company to begin a formal program to make its website more secure. Perhaps if the initial program goes well, Tesla will amend it to include its vehicles within the next year.