In July of last year, two hackers demonstrated the ability to remotely gain access to a moving Jeep Cherokee. The hackers were able to blast cold air through the vents, play music through the speakers, appear on the display system on the dashboard, and finally disable the SUV and leave it stranded on the side of the highway.
The hackers relied on a zero-day exploit. They did not use their discovery to terrorize people; instead, the discovery allowed the automobile manufacturer to recall vehicles and fix the issue before other hackers were able to take advantage of it.
The incident is probably the inspiration for the bug bounty program that Fiat Chrysler has launched on Bugcrowd, which will pay hackers between $150 and $1,500 for vulnerabilities that they find in the car company's software. The amount that Fiat Chrysler awards will depend on the severity of the discovered exploit, as the company looks to tap into the 30,000 members of Bugcrowd to help it track and patch issues in its systems.
"Our goal with the Bug Bounty project is to foster a collaborative relationship with researchers to participate in responsible disclosure of vulnerabilities in FCA's vehicles and connected services," Fiat Chrysler said on the Bugcrowd page for its program, adding that it will investigate all reports that hackers send in and apply the necessary fixes as fast as possible.
The bug bounty program is focused on the connected vehicles of Fiat Chrysler, along with the systems that operate within the vehicles and the external services and apps that interact with these systems.
"Exposing or publicizing vulnerabilities for the singular purpose of grabbing headlines or fame does little to protect the consumer," said the company's senior security manager Titus Melnyk, who added that instead, Fiat Chrysler would want to reward the people who discover the issues, which would be beneficial for all parties involved.
Fiat Chrysler is the first automobile manufacturer with a complete vehicle lineup including cars and trucks to start a bug bounty program. Electric car manufacturer Tesla Motors has also previously launched such a program, which offers much higher rewards of up to $10,000.
Bug bounty programs have proven to be a lucrative venture for hackers, as companies are beginning to offer massive amounts for the detection of exploits. A report released in May revealed that Twitter shelled out over $300,000 over the previous two years to bug bounty hunters, while the Pentagon launched a bug bounty program in April that can pay hackers up to $150,000 for a discovered critical security liability.