Worried that people might be able to hack their cars, General Motors (GM) has issued a bug bounty. There is nothing wrong with that; in fact it is a normal and sensible way to find flaws in your software.
The only problem is that GM’s bounty is fixed at nothing, not a sausage, and bugger all. Apparently GM thinks that people will do its job for LOLs. On the plus side, if you do find a bug, GM will kindly agree not to sue you.
The company launched its bug “bounty” on January 5th on the website of Hackerone, a firm that manages bounty programmes on behalf of other firms, promising “eternal glory” to security experts who relay information on “security vulnerabilities of General Motors products and services”.
The page on Hackerone detailing how vulnerability reporters will be thanked reads “Be the first to receive eternal glory.” In other words, God will love you so much you will go to heaven when you die. It is a pretty good deal and has worked for the Roman Catholic church for a couple of millennia, but it is not so certain that white hat hackers will buy it.
It is being seen as the first attempt by an “old economy” giant to delve into the world of bug bounties for information on software flaws and vulnerabilities. United Airlines recently launched a similar programme on the Hackerone platform. At least it offered up to one million air miles to researchers who find remotely executable vulnerabilities in the company’s web properties.
Researchers must also promise to hold back the details of their findings until GM confirms the issue exists and fixes it.
Still, some researchers are skeptical that firms are willing to “walk the walk” when it comes to addressing and fixing reported vulnerabilities. “If we waited for Chrysler before disclosing the jeep hack, I bet it still wouldn’t be fixed,” wrote Valasek’s research partner Charlie Miller (@0xCharlie) on Twitter.