General Motors aligns with modern tech companies and starts a bug bounty program via the HackerOne platform

Jan 11, 2016 15:25 GMT

GM (General Motors), the US car manufacturer, has started a bug bounty program via HackerOne, an online platform built specifically to let security researchers disclose software vulnerabilities safely and to let companies address them before the flaws become public and damage their reputation.

The new GM program on HackerOne was launched last week and follows the same disclosure policy that most companies hosting programs on HackerOne adopt.

In short, GM agrees not to take security researchers to court provided they do not cause any harm or downtime to the company while investigating bugs, do not break the law by stealing or downloading data from GM's services, and do not go public with their findings before GM has had a chance to fix them.

These are the three basic rules you'll find in almost any bug bounty program hosted on HackerOne. As soon as the HackerOne project page was created, GM proudly added a link to it on its contact page.

GM needs to fix its image following the OnStar debacle

With the launch of this bug bounty program, the company is trying to improve its image in infosec circles, after its staff took roughly five years to fix a vulnerability in OnStar, the telematics and remote-control system deployed in its connected cars.

With thousands of components deployed across multiple car brands and models, professional bug hunters will surely have plenty of work on their hands. The question is whether they'll want to take up the challenge.

Given the program's rule against disclosing before a fix ships, if another OnStar-style incident happens, no security researcher will be willing to keep quiet for five years while GM fixes critical security bugs at a snail's pace.

Security researchers are generally impatient when it comes to the bugs they report, and very few are willing to wait more than a few months for a multi-billion dollar corporation to fix something they consider trivial to patch yet dangerous to leave open.

No rewards listed on GM's HackerOne page

Security researchers may simply ignore the bug bounty program and go public without reporting the issue to the company, purely for the fame and press coverage that car-hacking stories usually attract. The other downside of GM's bug bounty program is the complete absence of a rewards scheme.

Unlike Google, Facebook, Twitter, or Yahoo, all of which run bug bounty programs with published reward structures, GM has not specified what kind of rewards system, if any, it intends to use. We doubt a company as big as GM would offer nothing for bug disclosures, but it has decided to keep mum for now.

This may mean it is planning a pay-per-vulnerability system that pays out different sums based on each submission's severity, level of detail, and whether it includes a PoC (proof of concept), but GM may also offer non-monetary rewards, as other companies such as American Airlines and Verizon do.

GM needs to change mentality above everything else

We contacted GM's PR department for clarifications on its bug bounty program last week, but we have not heard back, nor have we seen any GM representative give other news outlets extra details about the program since it launched. This is not a good way to start a vulnerability disclosure program, and the infosec community may not respond with the same warmth, enthusiasm, and dedication it showed to other bug bounty programs, such as those run by Microsoft, Twitter, Yahoo, Google, or Facebook.

GM, a prehistoric company compared to modern tech startups, has not yet shown any real openness toward security researchers. For that matter, neither has any other car manufacturer, with Volkswagen the biggest offender: it went to court to block publication of research on a weakness in the immobilizer transponder used in its keys, keeping the findings suppressed for two years rather than fixing the flaw.

Previously, GM relied only on internal staff to test for security bugs. While this approach kept knowledge of dangerous bugs inside the company, it also meant that some of them shipped in its final products. Security research gets better and more thorough as more people examine a problem from different angles and with different expertise.

According to The Register, GM promoted an internal staff member, Jeffrey Massimilla, to the newly created position of Chief Product Cybersecurity Officer in 2014, tasking him with aligning the company with modern security practices. The HackerOne program seems a natural step in this evolution, but more is needed. We will need to see a few critical security bugs where researchers speak about the company in positive terms, instead of going public after months or years of being ignored or having important fixes postponed.