CARS.COM — Rather than waiting around for hackers to exploit vulnerabilities in the cloud-connected features of its cars, Fiat Chrysler Automobiles is paying them to do it. The automaker today announced its new partnership with crowdsourced “bug bounty” platform Bugcrowd, through which it will pay cyber-security circumventers as much as $1,500 per bug to prevent malicious hacks in the future.
Bugcrowd is a bit like Uber for “cyber-security researchers” in that independent contractors can earn some extra cash by exposing weaknesses in companies’ connected systems so those security gaps can be closed. The platform manages reward payouts, which are scaled according to the size and severity of the potential threat averted.
FCA called Bugcrowd a “public channel for responsible disclosure of potential vulnerabilities.” The automaker said in a statement that “the program is one of the best ways to address the cyber-security challenges created by the convergence of technology and the automotive industry.”
The partnership will enable FCA to identify security threats, and test and implement fixes or controls while improving the safety and security of its vehicles, as well as fostering “a spirit of transparency and cooperation within the cyber-security community.” In other words, if you can’t beat ’em, pay ’em.
“Car manufacturers have the opportunity to engage the community of hackers that is already at the table and ready to help,” said Bugcrowd founder and CEO Casey Ellis, in a statement. “The consumer is starting to understand that these days the car is basically a two-ton computer.”
FCA may be one of the first major car manufacturers to tape a “Hack me!” sign to its own back, but it’s just one of several to have suffered security breaches at the hands of hackers. A year ago this month, FCA issued a voluntary recall of 1.4 million cars, trucks and SUVs in response to the remote hacking of its Uconnect multimedia system that demonstrated how hackers could take control of the car’s electronics, air conditioning, and even the transmission and brakes.
Less than a month later, researchers from the University of California, San Diego were able to seize control of some Chevrolet Corvette functions through an OBD2 tracking dongle to disable the brakes and activate the windshield wipers. That same month, hackers were able to plug their laptops into a Tesla Model S, start it and control driving functions.
Early this year, Nissan shut down its NissanConnect EV app for the Leaf electric car after an online security expert remotely took control of the car’s climate control and seat heater, and accessed the owner’s driving history, via the internet. Just last month, hackers in Europe exploited a vulnerability in the 2017 Mitsubishi Outlander PHEV’s onboard computer, disabling the vehicle’s alarm system months before it was slated to arrive at U.S. dealerships.