Fiat Chrysler Starts “Bug Bounty” Program to Thwart Hackers, But There’s a Big Catch

car hackerOne year after researchers demonstrated they could remotely commandeer control of a Jeep Cherokee by exploiting a cybersecurity weakness, Fiat Chrysler Automobiles is ramping up its efforts to thwart car-hacking threats.

The automaker said this week it has established a bug-bounty program, through which independent researchers can report security flaws and receive payments ranging from $ 150 to $ 1500, depending on the severity of the problem discovered.

“We want to encourage independent security researchers to reach out to us and share what they’ve found so that we can fix potential vulnerabilities before they’re an issue for our consumers,” said Titus Melnyk, senior manager of security architecture for FCA.

But the payments come with a big catch. Researchers who accept the compensation must sign nondisclosure agreements that prohibit them from disclosing findings to anyone outside the company. Retaining the right to disclose vulnerabilities has been a contentious point in often-prickly relationships between car companies and independent cybersecurity researchers. Should the latter agree to sign that away, it would be a major shift in how flaws are handled and could potentially leave car owners in the dark on cyber threats in their cars.

It all depends on what you want more. From our
-perspective, we wanted to change an industry and raise
-public awareness. – Chris Valasek

In the past, many vehicle researchers have been frustrated that their discoveries were ignored by automakers and auto-related companies—and vulnerabilities went unfixed—until they shared their findings with the public.

“Some OEMs have been more mature than others with their relationships with researchers in this space,” said Jon Allen, executive director of the Automotive Information Sharing and Analysis Center (Auto-ISAC), a threat-assessment hub established by automakers to combat car hackers.

There’s no more prominent example of that friction than with FCA itself. Last year, researchers Chris Valasek and Charlie Miller discovered a series of security flaws, including a cellular one that allowed them to control steering, braking and transmission functions on a Jeep Cherokee from halfway across the country. They started sharing findings with Chrysler in October 2014; they then went public July 21, 2015. Two days later, Chrysler recalled 1.4 million affected vehicles. Several members of the U.S. Senate said they were dumbfounded that the company waited months to disclose safety problems.

A Lukewarm Response

Valasek, who joined Uber’s Advanced Technologies Center in Pittsburgh along with Miller after last summer’s exploit caught the industry by surprise, learned of Chrysler’s new bounty program Wednesday. He offered measured support of the company’s efforts but acknowledged the potential drawbacks for researchers.

“I think it is good when companies have a paid bug bounty,” he said. “I’m pretty sure almost all of them have some terms that state you don’t get paid unless you adhere to their rules, so it’s a trade-off of you wanting to talk about the subject and wanting to collect the bounty. It all depends on what you want more. From our perspective, we wanted to change an industry and raise public awareness. So a bounty of, say, $ 1500, wouldn’t have been appealing. But it might be to some.”

Some bounty programs pay considerably more. Microsoft and Google both offer up to $ 100,000 payments for information on critical vulnerabilities. Uber pays $ 10,000. Under the bounty program, Chrysler said, submissions are vetted by Bugcrowd, a third party. Once a cybersecurity researcher has agreed to the nondisclosure agreement, they can collect their bounty. Chrysler says it will decide whether to make findings public.

Barry Horowitz, a University of Virginia professor of systems and information engineering who leads research on cyber-security vulnerabilities, said bounty programs may have some benefits. But when it comes to life-and-death problems like vulnerable cars, there needs to be a more coherent national policy that sets standards for disclosure and analysis.

“Bounties are a potential solution that can help, and they’re used in other circles,” he said. “But to be the complete solution or the central thing we trust is another question . . . That’s very different than telling people who are in enforcement. That’s self-informing, and they share what they see fit. When people say they want to see how those systems are designed, they don’t give you any data. It’s not a very symmetrical view.”

Since last year’s Jeep hack, automakers have taken cybersecurity threats more seriously. Fifteen OEMs and nine suppliers have joined forces in  the industry group Auto-ISAC, which recently expanded to include suppliers, among them Delphi, AT&T, and Magna International. FCA’s creation of a bug-bounty program is the first ongoing program among automakers that pays security researchers for their efforts, although Tesla Motors compensated researchers who found vulnerabilities last summer. General Motors started a disclosure program in January, but pays researchers nothing for their reports.

Thawing A Frosty Relationship

Dating back to 2010, almost all of the discoveries of security flaws in vehicles, at least those made public, have come from independent researchers. Chrysler’s program represents an acknowledgement the company wants to be more inclusive of this outside work, and Allen said he wants to see Auto-ISAC, of which Chrysler is a member, include the contributions of outside experts who work together with companies toward a coordinated disclosure.

“Before, these guys could be screaming in the hinterland and not get a response,” he said. “If a researcher finds something now, we’ll work with them to get an intelligence report together. It will be timely and relevant. This isn’t weeks. This is days . . . I don’t think they’ll be sitting at the table during a board meeting. But having more of an open dialogue with them before it shows up in a magazine article, that is going to happen. They really want to help the industry.”

“How do things like this typically get resolved? The answer is,  a bad thing happens, and then we respond to it. – Barry Horowitz

Inclusion would mark a significant reversal in the automakers’ posture toward independent researchers. Only last year, car companies and their major lobbying arm, the Alliance of Automobile Manufacturers, argued that independent researchers do not have the legal right to examine the software that now runs dozens of critical components on cars because access to that software is protected by copyright law. Although the U.S. Copyright Office affirmed the rights of researchers in an October 2015 decision, those rights are precarious. The ruling does not go into effect until this October, and it must be renewed via another round of contentious hearings in two years.


  • Fiat Chrysler Recalls 1.4 Million Vehicles to Prevent Hacking
  • Auto Industry Unites to Take Countermeasures against Hackers
  • Mitsubishi Outlander Plug-In Hacked over Wi-Fi


In the meantime, Chrysler’s bounty program might be considered an alternative way for car companies to quiet researchers who have discovered problems. Industry insiders and independent researchers can debate the merits of that, but Horowitz worries the people impacted most by vulnerabilities—motorists—won’t realize a debate on who gets to know about security vulnerabilities in their car has taken place until a crisis has occurred.

“How do things like this typically get resolved? The answer is, a bad thing happens, and then we respond to it,” he said. “It’s all very ad hoc. And the bounty program invites the idea that we can use ad-hoc methods without knowing the full circumstances, and it’s just not the right way to do something when people’s lives are affected.”


Car and Driver Blog