Slashdot Mirror


Tesla Rewards Hackers With Bug Bounty

An anonymous reader writes: Tesla Motors is offering up to $1,000 to anyone who uncovers security issues on its website. Forbes reports that the program is not yet available for its vehicles, however. Using a security crowdsourcing company called Bugcrowd, researchers have found 22 bugs for Tesla so far. A statement on the Tesla Bugcrowd page reads in part: "We are committed to working with this community to verify, reproduce, and respond to legitimate reported vulnerabilities. We encourage the community to participate in our responsible reporting process."

33 comments

  1. up to $1K by turkeydance · · Score: 5, Insightful

    or down to nothing.

    1. Re:up to $1K by schlachter · · Score: 3, Insightful

      yeah, will never happen with their cars. way too much risk.

      never understood why companies don't pay out big $$ for these bugs. has to be worth way more than $1K to them.

      --
      My God can beat up your God. Just kidding...don't take offense. I know there's no God.
    2. Re:up to $1K by Anonymous Coward · · Score: 0

      or down to nothing.

      Actually "up to $1000" includes all negative numbers. In practice, this is truncated at $0, but unnecessarily.

    3. Re:up to $1K by Anonymous Coward · · Score: 0

      Also, yet another company on the bug bounty bandwagon is 'news for nerds' because? Weeeeee, Elooon Muuuusk on Slaaaaaashdoooooot. He's sending us to spaaaaaace.

    4. Re:up to $1K by Anonymous Coward · · Score: 0

      Doesn't matter what it's 'worth' if they are facing a competitive market. The lowest bidder will get the bounty, and the difference between what it's 'worth' and what it cost, called 'consumer surplus', will remain with the, well, consumer. Now, if there was only one provider of bug-fixing services, costs would get steeper, up to the full value of what it's 'worth'.

    5. Re:up to $1K by schlachter · · Score: 2

      you're missing the market. first off, people will not make an effort to find the bugs unless the price is right. plenty of high quality people won't try for $1K, leaving bugs undiscovered, at least by white hats. second, if there isn't decent compensation for finding the bugs, some people will sell them on the black market, where they could go for much much more.

      --
      My God can beat up your God. Just kidding...don't take offense. I know there's no God.
  2. Bug bounties in general by WorldWarPi · · Score: 0, Flamebait

    I know Knuth traditionally offers bounties on errors found in Art of Computer Programming and that recently I've heard of several high-profile companies such as Google and Microsoft offering them, but it seems to me that to enter the same game as the cybercriminals and extortionists is one that cannot be won. And it is not only the money: ronin bug finders are not going to be systematic or even able to pore over code and find errant implementations as the original architects, project leaders and coders. And even the best black box testing has some logic routes way over-tested, while other code is not touched at all. Probably the overall effectiveness goes as the logarithm of the crowd source. Offering bounties is an admission that the coding & testing design is deficient.

    1. Re:Bug bounties in general by drinkypoo · · Score: 1

      but it seems to me that to enter the same game as the cybercriminals and extortionists is one that cannot be won.

      That's why they call it a war, and not just a battle. But you can be ahead of your neighbors, and if they are more attractive targets, then you may well be attacked less, let alone compromised. I don't have to outrun the bear, said the lawyer to his friend, I just have to outrun you.

      Seriously, though, it's cheaper to pay a little bounty than to have your site exploited, if you can in fact get people to bite for small payouts.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:Bug bounties in general by Anonymous Coward · · Score: 0

      ...Seriously, though, it's cheaper to pay a little bounty than to have your site exploited, if you can in fact get people to bite for small payouts.

      You know, in the old days, we just called this bullshit extortion.

      Funny how times change and lobbyists get exactly what they want every fucking time.

    3. Re:Bug bounties in general by mongothesecond · · Score: 1

      Early last year there were over 300 bug bounty programs advertised on the internet. Right around 10% of them offered more than $100 for high severity bugs or security vulnerabilities. Most of them rewarded the reporter with a t-shirt or a mention on a corporate website in lieu of financial compensation.

    4. Re:Bug bounties in general by Geistmaus · · Score: 1

      Extortion is when the discoverer of the bug states "Pay me or I'll use this bug to hack you." You could perhaps make a viable argument that blackmail is when anyone with knowledge of the bug states "Pay me or I'll exercise my free speech Rights." But there's a lurking negligence issue here. If the man hours versus bounty payout to discover a bug comes in at under the minimum wage, then any half-wit lawyer could make a viable argument that these for-profit companies had reckless disregard about the safety and/or suitability of their product. A full-wit lawyer could make a viable argument that any for-profit company that relied on volunteerism for a significant portion of its quality control exhibited reckless disregard.

    5. Re:Bug bounties in general by Tontoman · · Score: 1

      This would be a great way for a young, gifted, educated network security expert to break into the job market. The bug bounty is nice. But there would be more value in mentioning it on a resume, and using a photograph of the check as proof of being an effective white-hat.

    6. Re:Bug bounties in general by sexconker · · Score: 1

      The extortion comes from being forced into either accepting the conditions of the bug bounty programs or going to federal pound-me-in-the-ass prison.

      The bug bounty programs are set up as a PR move. They encourage "responsible disclosure" and offer amounts of money that look large to the uninformed public, but are a joke compared to the effort required to find and report and follow up on the bugs, let alone the actual value to malevolent hackers.

      If a security researcher finds a significant bug affecting $BIG_CORP they have 3 options:

      Publish details publicly. The absolute quickest way to get it fixed. Also the quickest way to end up in jail on all sorts of trumped up and imagined charges.

      Sell it on the "black market". Profitable and, if done intelligently, legal. The second quickest way to get it fixed as it will be used by the people you sell it to.

      Engage in "responsible disclosure", contact the company, file the bug report according to their procedures, wait weeks or months for initial contact, wait for them to verify the bug or pretend it's not an issue, then wait for them to say it's fixed even though it isn't, then wait for your joke of a check (if they decide you met all the requirements of their bug bounty program).

    7. Re:Bug bounties in general by Anonymous Coward · · Score: 0

      I can't pay you for the photo shoot, but if you sign the model release, you get copies of the pictures and you can use them to promote yourself.
      Paint the house for up to $50 bucks. You can use it as a reference when applying for a job as a painter.

      There are always going to be suckers who expect career benefits on top of the pittance they get in return for providing professional work as part of a competition or bounty, but that doesn't make it any less of a rip-off. If you want the work done, then commission it and pay for it. Competitions and bounties for work that you need done are bullshit. Does Tesla really expect hackers with the necessary skill set to put in the work for no pay if they don't find anything?

    8. Re:Bug bounties in general by Anonymous Coward · · Score: 0

      And even more value to keep to yourself and use to your advantage later, considering how working for others is now an even more unprofitable venture than ever since all the corporate cronyism, H1Bing, law-buying, and off-shoring.

    9. Re:Bug bounties in general by caferace · · Score: 1

      It took me about an hour to find a serious security bug in their website. As it turned out, it was a duplicate. It really wasn't rocket science with the tools available. What they *are* saying is "we won't hold you liable for trying to hack us". That's an incentive unto itself.

  3. Reward up to $1000? by Anonymous Coward · · Score: 0

    Whenever I hear that, I think "Oh, one dollar and 99 cents in my case."

  4. Riiiiiiiight. by mongothesecond · · Score: 3, Insightful

    They want to pay "hackers" less than pen testers, with ambiguous escrow or payout deadlines, and trust that all vulnerabilities found are reported, or reported well. What could possibly go wrong.

    1. Re:Riiiiiiiight. by drinkypoo · · Score: 2

      They want to pay "hackers" less than pen testers, with ambiguous escrow or payout deadlines, and trust that all vulnerabilities found are reported, or reported well. What could possibly go wrong.

      From where I'm sitting, it looks pretty good; people will try to hack them anyway, if people report vulns they can reward them with whatever amount they like, it's cheap to do.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  5. What more do you expect from Elon Musk? by Anonymous Coward · · Score: 0

    He pays the salesmen for his cars near minimum wage and they have no commission. They will make more money working for Best Buy. He won't pay for IT security either.

  6. Subsidy overrun by srussia · · Score: 1

    ...and the check is in the mail!

    --
    Set your phasers on "funky"!
  7. Tesla insults hackers with bug bounty by Anonymous Coward · · Score: 2, Insightful

    $1000 for applying highly specialized skills? UP TO?

    1. Re:Tesla insults hackers with bug bounty by Anonymous Coward · · Score: 0

      Now I'm certain there are people out there whose hobby is finding vulnerabilities on websites. If one of them happens to pay you for finding them, why not kill 2 birds with one stone? You get to do what you were going to do anyway, and you can get some reward for doing so.

  8. Only a thousand bucks??? by Eloking · · Score: 2

    Granted it's a lot better than many others that prefer to sue your ass over discovering a security flaw but, compared to some other bounty rewards, isn't "up to" $1K a little low?

    --
    Elok
  9. dem haxx0rz r in ur car nao by Anonymous Coward · · Score: 0

    Oh no, just the manufacturer trying to be popular with their corporate website. Too bad that typically ends up with them looking like doofuses. But then, lots of those in the security industry. With the coloured hats and the bickering about who is more ETHICAL than the next guy.

  10. View source by lucm · · Score: 2

    Out of curiosity I went to their website and did a view-source. Apparently they use Drupal. So I'm going to add them to my "Uses drupal" bookmark folder for that time when the next Drupal security exploit comes out...

    Also for some reason they use jQuery 1.8. Isn't that version vulnerable to a known XSS exploit?

    --
    lucm, indeed.
  11. Get out your checkbook, Elon ... by PPH · · Score: 3, Funny

    ... my windshield is covered with bugs.

    --
    Have gnu, will travel.
  12. Bait And Switch by Anonymous Coward · · Score: 0

    Musk is on the hunt for the person who exposed his ponzi-scheme Tesla-Solar-Batteries and the very lucrative Federal "Welfare Queen" monies he receives.

    Be very careful!

  13. So basically, they don't hire QA Analysts by Anonymous Coward · · Score: 0

    They expect you to find their bugs, and don't hire testers.

    So they're just like Microsoft - except they pay you for finding the bugs.

  14. bahahaha by Anonymous Coward · · Score: 0

    Does the fact that you can actually get to their login page for administration count as a bug?
    https://my.teslamotors.com/user/login?destination=admin

    *facepalm*