FCA U.S. in Auburn Hills has launched a public bug bounty program, which gives customers the opportunity to receive between $150 and $1,500 for reporting potential cybersecurity vulnerabilities in the auto manufacturer’s vehicles and connected services.
“There are a lot of people that like to tinker with their vehicles or tinker with IT systems,” says Titus Melnyk, senior manager of security architecture at FCA. “We want to encourage independent security researchers to reach out to us and share what they’ve found so that we can fix potential vulnerabilities before they’re an issue for our consumers.”
The bug bounty program will utilize Bugcrowd, a crowdsourced community of cybersecurity researchers, to review reported vulnerabilities from customers and manage payouts. The amount of the payouts is based on the level of the identified product security vulnerability.
Melnyk says the program will give FCA US the ability to: identify potential product security vulnerabilities; implement fixes and/or mitigating controls after sufficient testing has occurred; improve the safety and security of vehicles and connected services; and foster transparency within the cybersecurity community.
“Exposing or publicizing vulnerabilities for the singular purpose of grabbing headlines or fame does little to protect the consumer,” says Melnyk. “Rather, we want to reward security researchers for their time and effort, which ultimately benefits us all.”
He says the company may make research findings public, based upon the nature of the potential vulnerability identified and the number of potentially impacted users.
To report a bug, visit bugcrowd.com/fca.