Slashdot Mirror


Tesla Rewards Hackers With Bug Bounty

An anonymous reader writes: Tesla Motors is offering up to $1,000 to anyone who uncovers security issues on its website. Forbes reports that the program is not yet available for its vehicles, however. Using a security crowdsourcing company called Bugcrowd, researchers have found 22 bugs for Tesla so far. A statement on the Tesla Bugcrowd page reads in part: "We are committed to working with this community to verify, reproduce, and respond to legitimate reported vulnerabilities. We encourage the community to participate in our responsible reporting process."

16 of 33 comments

  1. up to $1K by turkeydance · · Score: 5, Insightful

    or down to nothing.

    1. Re:up to $1K by schlachter · · Score: 3, Insightful

      yeah, will never happen with their cars. way too much risk.

      never understood why companies don't pay out big $$ for these bugs. has to be worth way more than $1K to them.

      --
      My God can beat up your God. Just kidding...don't take offense. I know there's no God.
    2. Re:up to $1K by schlachter · · Score: 2

      you're missing the market. first off, people will not make an effort to find the bugs unless the price is right. plenty of high quality people won't try for $1K, leaving bugs undiscovered, at least by white hats. second, if there isn't decent compensation for finding the bugs, some people will sell them on the black market, where they could go for much much more.

      --
      My God can beat up your God. Just kidding...don't take offense. I know there's no God.
  2. Riiiiiiiight. by mongothesecond · · Score: 3, Insightful

    They want to pay "hackers" less than pen testers, with ambiguous escrow or payout deadlines, and trust that all vulnerabilities found are reported, or reported well. What could possibly go wrong.

    1. Re:Riiiiiiiight. by drinkypoo · · Score: 2

      They want to pay "hackers" less than pen testers, with ambiguous escrow or payout deadlines, and trust that all vulnerabilities found are reported, or reported well. What could possibly go wrong.

      From where I'm sitting, it looks pretty good; people will try to hack them anyway, if people report vulns they can reward them with whatever amount they like, it's cheap to do.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  3. Re:Bug bounties in general by drinkypoo · · Score: 1

    but it seems to me that to enter the same game as the cybercriminals and extortionists is one that cannot be won.

    That's why they call it a war, and not just a battle. But you can be ahead of your neighbors, and if they are more attractive targets, then you may well be attacked less, let alone compromised. I don't have to outrun the bear, said the lawyer to his friend, I just have to outrun you.

    Seriously, though, it's cheaper to pay a little bounty than to have your site exploited, if you can in fact get people to bite for small payouts.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  4. Re:Bug bounties in general by mongothesecond · · Score: 1

    Early last year there were over 300 bug bounty programs advertised on the internet. Right around 10% of them offered more than $100 for high-severity bugs or security vulnerabilities. Most of them rewarded the reporter with a T-shirt or a mention on a corporate website in lieu of financial compensation.

  5. Re:Bug bounties in general by Geistmaus · · Score: 1

    Extortion is when the discoverer of the bug states "Pay me or I'll use this bug to hack you." You could perhaps make a viable argument that blackmail is when anyone with knowledge of the bug states "Pay me or I'll exercise my free speech rights." But there's a lurking negligence issue here. If the man-hours versus bounty payout to discover a bug comes in at under the minimum wage, then any half-wit lawyer could make a viable argument that these for-profit companies had reckless disregard for the safety and/or suitability of their product. A full-wit lawyer could make a viable argument that any for-profit company that relied on volunteerism for a significant portion of its quality control exhibited reckless disregard.

  6. Subsidy overrun by srussia · · Score: 1

    ...and the check is in the mail!

    --
    Set your phasers on "funky"!
  7. Tesla insults hackers with bug bounty by Anonymous Coward · · Score: 2, Insightful

    $1000 for applying highly specialized skills? UP TO?

  8. Only a thousand bucks??? by Eloking · · Score: 2

    Granted, it's a lot better than many others that prefer to sue your ass over discovering a security flaw, but compared to some other bounty rewards, isn't "up to" $1K a little low?

    --
    Elok
  9. Re:Bug bounties in general by Tontoman · · Score: 1

    This would be a great way for a young, gifted, educated network security expert to break into the job market. The bug bounty is nice. But there would be more value in a mention on a resume, and using a photograph of the check as proof of being an effective white hat.

  10. Re:Bug bounties in general by sexconker · · Score: 1

    The extortion comes from being forced into either accepting the conditions of the bug bounty programs or going to federal pound-me-in-the-ass prison.

    The bug bounty programs are set up as a PR move. They encourage "responsible disclosure" and offer amounts of money that look large to the uninformed public, but are a joke compared to the effort required to find and report and follow up on the bugs, let alone the actual value to malevolent hackers.

    If a security researcher finds a significant bug affecting $BIG_CORP they have 3 options:

    1. Publish details publicly. The absolute quickest way to get it fixed. Also the quickest way to end up in jail on all sorts of trumped-up and imagined charges.

    2. Sell it on the "black market". Profitable and, if done intelligently, legal. The second quickest way to get it fixed as it will be used by the people you sell it to.

    3. Engage in "responsible disclosure": contact the company, file the bug report according to their procedures, wait weeks or months for initial contact, wait for them to verify the bug or pretend it's not an issue, then wait for them to say it's fixed even though it isn't, then wait for your joke of a check (if they decide you met all the requirements of their bug bounty program).

  11. View source by lucm · · Score: 2

    Out of curiosity I went to their website and did a view-source. Apparently they use Drupal. So I'm going to add them to my "Uses drupal" bookmark folder for that time when the next Drupal security exploit comes out...

    Also for some reason they use jQuery 1.8. Isn't that version vulnerable to a known XSS exploit?

    --
    lucm, indeed.
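Editor's note on the jQuery question raised in the comment above. The version matters because of a documented behaviour change in jQuery 1.9: before 1.9, `$(str)` treated `str` as an HTML fragment if a tag appeared anywhere in it (after a prefix containing no `#` or `<`), so a selector built by concatenating untrusted text could end up parsed with innerHTML and run an event handler; from 1.9 on, a string is only treated as HTML if it starts with `<`. The block below is an added example, not code from the thread, from Tesla's site, or from jQuery itself: it re-implements the two quick-match regexes as I recall them from the jQuery 1.8 and 1.9 sources (an assumption, so check against the real source before relying on it), runs a few constructed inputs through both, and shows an allow-list guard for the dynamic part of a selector. Nothing here claims the site in question actually passed untrusted input to `$()`; that is precisely what a bounty hunter would have to go and check.

```javascript
// Added example (not from the original thread or from jQuery): the
// selector-vs-HTML ambiguity in $(str) that changed between jQuery 1.8 and 1.9.
// Both regexes are transcribed from memory of the jQuery sources (assumption).
const RQUICK_1_8 = /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/; // jQuery 1.6.3 - 1.8.x
const RQUICK_1_9 = /^(?:\s*(<[\w\W]+>)[^>]*|#([\w-]*))$/;     // jQuery 1.9+

// Mirrors the branch jQuery takes for a string argument to $():
//   "html"     -> parsed via innerHTML; inline handlers such as onerror fire
//   "id"       -> document.getElementById(match[2])
//   "selector" -> handed to Sizzle; a malformed selector throws, never executes
function classify(selector, rquick) {
  const m = rquick.exec(selector);
  if (m && m[1]) return "html";
  if (m && m[2]) return "id";
  return "selector";
}

function classifyBoth(selector) {
  return { v18: classify(selector, RQUICK_1_8), v19: classify(selector, RQUICK_1_9) };
}

// Hardened form: never let untrusted text reach $() as part of the string.
// Allow-list the dynamic token; reject anything else rather than "sanitizing".
const SAFE_TOKEN = /^[A-Za-z0-9_-]{1,64}$/;
function safeClassSelector(prefix, untrusted) {
  if (!SAFE_TOKEN.test(untrusted)) return null;
  return "." + prefix + untrusted;
}

// Constructed inputs: a legitimate fragment, a legitimate id, and two
// hypothetical concatenations of attacker-controlled text (e.g. a URL parameter).
const PAYLOAD = "<img src=x onerror=alert(1)>";
const samples = [
  PAYLOAD,                 // real HTML: both versions build the fragment (by design)
  "#tab-42",               // plain id lookup in both
  ".item-" + PAYLOAD,      // 1.8 builds HTML (handler runs); 1.9 treats it as a selector
  "#tab-" + PAYLOAD,       // closed in 1.6.3 (the old location.hash vector): selector in both
];

for (const s of samples) {
  const r = classifyBoth(s);
  console.log(`${JSON.stringify(s)}  1.8=${r.v18}  1.9=${r.v19}`);
}
console.log("guard ok:", safeClassSelector("item-", "42"));
console.log("guard rejects payload:", safeClassSelector("item-", PAYLOAD));
```

The practical audit question on a site that ships jQuery 1.8 is therefore not "is 1.8 vulnerable" in the abstract but "does any page concatenate request-controlled data into a `$()` call whose prefix lacks `#`". The guard above sidesteps the version question entirely by refusing to build the selector from anything outside a small character set.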
  12. Get out your checkbook, Elon ... by PPH · · Score: 3, Funny

    ... my windshield is covered with bugs.

    --
    Have gnu, will travel.
  13. Re:Bug bounties in general by caferace · · Score: 1

    It took me about an hour to find a serious security bug in their website. As it turned out, it was a duplicate. It really wasn't rocket science with the tools available. What they *are* saying is "we won't hold you liable for trying to hack us". That's an incentive unto itself.