A year after hacker-exposed security flaws in a Jeep Cherokee led Fiat Chrysler (FCAU) to recall 1.4 million vehicles, the automaker has decided to join forces with hackers in hopes of finding and preventing future weaknesses in its software.
The Detroit-based company, which is the seventh-largest automaker in the world, has partnered with Bugcrowd to run a “bug bounty” program that offers hackers—referred to as “independent researchers”—between $150 and $1,500 per problem discovered, according to Bugcrowd. Bugcrowd already helps major companies like Western Union (WU) and Pinterest work with hackers to improve the security of their software.
Chrysler isn’t the first automaker to turn to hackers for help in improving security in its vehicles. Wired reports that Tesla offered up to $10,000 to hackers who found issues with its websites, mobile applications and hardware, and GM has called on hackers to submit reports on any issues they find, but hasn’t openly offered any payment. Fiat Chrysler will be the first of the major automakers to publicly provide financial compensation to hackers.
It’s a signal of changing times in the auto world, with car makers attempting to shift the dynamic between themselves and hackers, who previously saw the rapidly advancing software of vehicles as alluring targets.
Industry experts are curious whether hackers will find the potential payouts to be incentive enough to work with automakers, especially when tech companies dangle much bigger bait for hackers to spend time on their software (Google has offered up to $150,000 and Instagram paid $10,000 to a 10-year-old boy for discovering a security flaw earlier this year).
Additionally, questions have arisen about the non-disclosure agreement that hackers must agree to when accepting payment from Fiat Chrysler for a bug, Car and Driver reports. The agreement prohibits them from sharing any information they discover with anyone outside the company. When two hackers discovered security weaknesses in the Jeep Cherokee in 2014 (including that they could remotely take over the vehicle), they began sharing data with Chrysler in October, but it wasn’t until they took the findings public 10 months later that Chrysler acted upon the information. The delayed reaction alarmed the public, drew concern from the Senate, and created distrust between automakers and the hacking community, which wondered whether public attention was always required to obtain change.
In the five days since Chrysler launched its bug bounty program, however, hackers have already discovered and been rewarded for five bugs, and Bugcrowd is currently in talks with “several” automakers considering enlisting the company to operate bug bounty programs on their behalf.