GM's New Bug Bounty Program Lacks One Thing: A Bounty (securityledger.com)

chicksdaddy writes with this news: General Motors (GM) has become the latest "old economy" firm to launch a program to entice white hat hackers and other experts to delve into the inner workings of its products in search of security flaws, The Security Ledger reports. "The company launched a bug bounty on January 5th on the web site of Hackerone (https://hackerone.com/gm), a firm that manages bounty programs on top of other firms, promising "eternal glory" to security experts who relay information on "security vulnerabilities of General Motors products and services." Despite a $47 billion market capitalization, however, GM is not offering monetary rewards – at least not yet. A page on Hackerone detailing how vulnerability reporters will be thanked reads "Be the first to receive eternal glory," but does not spell out exactly what rewards are proffered. Judging from the description of the program, the "prize" for reporting a vulnerability to GM appears to be a promise by GM not to sue you for finding it." However, the article notes that the program has garnered praise from security researchers Chris Valasek and Charlie Miller, monetary reward or not.

47 comments

  1. With the way GM has worked in the past... by QuietLagoon · Score: 1

    ... the bounty may be a lawsuit against the bug finder for breaking the DMCA.

    1. Re:With the way GM has worked in the past... by Opportunist · Score: 2

      So... the sensible thing is to sell the bug to the highest bidder so you can not only afford being sued but also enjoy what's left of the money after the lawsuit.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:With the way GM has worked in the past... by Anonymous Coward · Score: 0

      So....

      Find a bug in our product, we'll put a bounty on your head.

    3. Re:With the way GM has worked in the past... by Anonymous Coward · Score: 0

      The wording isn't native English, so make sure to sell it before their outsourcer does.

    4. Re:With the way GM has worked in the past... by Anonymous Coward · Score: 1

      ... the bounty may be a lawsuit against the bug finder for breaking the DMCA.

      Good for them. It's good to know that they're following the law to ensure they will receive fucking nothing from this "program" of theirs, which is equivalent to what they're offering to pay.

      Hello Corporate Whores. Perhaps one day you'll wake up and realize people don't work for free any more than you fuckers would.

  2. and what bounty by Anonymous Coward · Score: 0

    Report the bug and they promise (is it in writing?) not to sue you, or sell it on the black market for oodles of cash. Tough call there.

  3. You get the update for free* on your car by Joe_Dragon · Score: 2

    You get the update for free* on your car

    * some dealers may still charge labor / tool usage fees for their computer that is needed to install new GM software.

    Or how about 1 year free XM?

    1. Re:You get the update for free* on your car by Opportunist · Score: 2

      Or you could sell the bug and easily afford paying for the updates.

      Or you could buy a sensible car in the first place instead.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:You get the update for free* on your car by germansausage · Score: 1

      * some dealers may still charge labor / tool usage fees - Don't forget "Shop Supplies"

  4. Probably a message to their own IT staff by ffkom · Score: 5, Insightful

    They probably considered the consequences of a "bug bounty program" and realized that it creates an incentive to write bugs into the software, have a friend "find them" and cash in later. Now add to this the general distrust typical large corporations have in their own employees, so they probably figured their best bet is a "bug bounty program" without an actual bounty.

    They might not have considered, though, that people able to find such bugs are not as stupid as they think - there are plenty of companies buying "zero day exploits" for cash.

    1. Re:Probably a message to their own IT staff by turbidostato · Score: 1

      "They probably considered the consequences of a "bug bounty program" and realized that it creates an incentive to write bugs into the software, having a friend "find them" and cash in"

      Of course yes, because who wouldn't risk a six-figure salary for a three-figure bounty.

    2. Re:Probably a message to their own IT staff by sumdumass · Score: 2

      Some people are irrational with their greed and overly confident with their intelligence.

      Usually they become lawyers or politicians or investment bankers, but I suppose a few low-end software developers could be the same. It's not like people haven't thrown away good careers or their families for gambling or drug usage and so on. It's not uncommon to see people who are married for 20+ years throw it all away at retirement age because they took a chance on cheating and now have to divide up a lifetime of assets, retirement funds and so on, and end up slaving at a job in their golden years.

    3. Re: Probably a message to their own IT staff by Anonymous Coward · Score: 0

      Hi feminist fag. The fact is that women divorce at will so how about you go to hell. Also traditionally women didn't have a case for divorce if the man screwed other females, only the man had a case against the woman.

    4. Re: Probably a message to their own IT staff by sumdumass · Score: 1

      Hi complete and total idiot.

      I don't care about women or men in the context of my statement. Actually, I didn't even bother denoting any sex in my statement because I do not think this behavior is limited to any one sex.

      So why don't you roll off your sister long enough to get a clue and understand what you are replying to.

  5. GM: "find our bugs... by ooloorie · Score: 1

    ... then get sued!"

  6. Meh by liqu1d · Score: 4, Insightful

    I'll just sell it elsewhere then...

  7. doesn't matter by phantomfive · Score: 1

    Despite a $47 billion market capitalization, however, GM is not offering monetary rewards

    Market capitalization doesn't matter. They could have a market capitalization like that, and still be losing money every quarter.
    In fact, net income for GM was $3.9 billion, which is a more relevant number.

    --
    "First they came for the slanderers and I said nothing."
    1. Re:doesn't matter by sumdumass · Score: 2

      Nah.. The only thing that matters to some people is the gross sales figure, which means they are rich and can afford it. Anything like costs or labor or raw material stock and so on are accounting tricks to avoid paying their fair share in taxes.

      Please stop polluting this discussion with facts and reality.

    2. Re:doesn't matter by Anonymous Coward · Score: 0

      Using gross sales would be more accurate than market capitalization. Remember, market capitalization is just the number of outstanding shares * current stock market price. It's possibly the worst way to tell what a company is worth.

  8. Can I sue them for damages? by aralin · Score: 0, Troll

    What if my glory is not eternal and wanes after a while? Can I sue them for damages? Maybe we could turn it into a class action and get awarded the monetary bounty that way.

    --
    If programs would be read like poetry, most programmers would be Vogons.
  9. "Eternal glory"? by Anonymous Coward · Score: 0

    Find a bug, and you shall ride eternal, shiny and chrome, to Valhalla!

  10. IMO, this should be a minimum standard.... by King_TJ · Score: 2

    I would think *all* companies selling products containing software that could create problems for users if hacked should have a MINIMUM of a "bug bounty" program that credits people for bugs found and ensures they won't get in any legal trouble for the discovery process or for revealing it.

    Paying money for bugs found is good incentive to get more people involved in the process, but I'd leave that to the discretion of the company.

    In a way though, they already pay for this anyway. Isn't that a fundamental task of QA staff? These programs just expand testing and reporting to include anyone interested, instead of just hired employees.

    1. Re:IMO, this should be a minimum standard.... by Anonymous Coward · Score: 0

      QA staff usually do not know how to look for security problems. They do not know which tools are good at spotting those problems or how to use them. They do not know the relevant bug classes to look for and have no time scheduled for this kind of thing. While vulnerabilities are technically bugs, if you want to find them effectively, you need to pay those who studied security.

  11. Coming into focus now by Dereck1701 · Score: 4, Insightful

    "publicly disclose vulnerability details only after GM confirms completed remediation of the vulnerability."

    Ah, I think I see a significant portion of their objective here. Create a bug reporting system, leashed with an NDA so that you don't get to talk about the bug without their OK (which probably means never). And if anyone publicly discloses a bug without going through their little song and dance, they claim "we have a bug reporting system that they should have used; their failure to go through 'proper channels' is prima facie evidence they were acting improperly" when they sue. Haven't there been similar situations in the past? I believe I recall some security researchers finding a serious bug in some software and reporting it to the company; year(s) later it still wasn't fixed, so they went public. A patch was released within a couple of months, with the company screaming that the security researchers acted improperly by going public before they "were ready".

    1. Re: Coming into focus now by Anonymous Coward · Score: 0

      So the government standard for whistleblowers naive enough to report internally to their immediate retaliation system?

  12. Purpose of a bug bounty by the_brobdingnagian · Score: 1

    In my experience the most valuable thing you get from implementing a bug bounty is: 1) Creating a procedure for responding properly to external incidents. (Can be really hard with complex supply chains!) 2) Motivating external people who are already doing the research to tell you about it. 3) After slowly cranking up the rewards, you might motivate people to start researching specifically to find bugs in your products. It's not always a good idea to start aiming for 3 if you don't have 1 yet.

  13. they are used to deaths in their products by Anonymous Coward · Score: 0

    GM is going to have the first death in an electric vehicle on its hands.

    Then they will blame us.

  14. Underground still sounds better... by watermark · Score: 1

    Selling anonymously to the highest bidder sounds best. More money and less chance of being sued.

  15. Things you should know about GM. by Futurepower(R) · Score: 1

    GM went bankrupt in 2009. Why? Apparently because GM was deliberately selling cars with poor reliability so it could make more money selling new cars, and so GM dealers could make more money fixing GM cars.

    Here are a few examples: The Ten Worst Cars GM Ever Built.

    Apparently, nothing has changed. 2014 General Motors ignition switch scandal.

    GM is moving away from being a U.S. company: G.M. Will Import Buicks Made in China to the U.S.

    1. Re:Things you should know about GM. by drinkypoo · Score: 1

      My lady has a 2000 Astro. It still runs flawlessly, trans works perfectly, and with upgraded shocks and tires and a posi-trac upgrade it has hilariously good handling. (The rear axle is from the S10, but the front suspension is derived from the Caprice.) Sadly, we are going to have to get rid of it because GM discontinued the rear door seals, and they are not just extruded weatherstrip but complex formed gaskets. The door handles are wearing out and GM wants $1100 for a full set. Leave the key in the ignition overnight and kill the battery due to the key detection circuit being designed in crayon. GM can't die in a fire fast enough.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  16. Let's see....... by JustAnotherOldGuy · Score: 1

    Let's see, I work hard, find a bug, save you millions in legal fees.....and my reward is that you promise not to sue me?

    Wow, that's like really enticing, where do I sign?

    --
    Just cruising through this digital world at 33 1/3 rpm...
    1. Re:Let's see....... by Anonymous Coward · Score: 0

      Let's see, I work hard, find a bug, save you millions in legal fees.....and my reward is that you promise not to sue me?

      Wow, that's like really enticing, where do I sign?

      On your bail agreement.

  17. You get what you pay for by Anonymous Coward · Score: 0

    Hey cheap fuckers who make billions, don't expect people to pay for your cheapness. Isn't this like taking out an ad to take somebody ransom?

    1. Re:You get what you pay for by Anonymous Coward · Score: 0

      GM doesn't make billions. The shareholders of GM collectively made about $1.4 billion last year, or 84 cents per share.

      You'd have to own a shitload of shares of GM for that to amount to a hill of beans, and even then it's just paper wealth. The moment you tried to sell your significant ownership interest in that profit, the value would drop precipitously.

      I really wish the Bolivarian socialist hipster crowd understood even a tiny bit how finance and economics worked. Then again, were that to happen, there wouldn't be any Bolivarian socialists.

  18. Wow! Will this take my hand off or not? by Anonymous Coward · Score: 0

    Let's look at this empirically:
    If I "hack" into an obscure GM kludge (and we all know those are there) I run the risk of:
    GM taking action against me as a "hacker" on their product
    The Feds taking action against me as a "hacker" on an "encrypted" product (and what company can't claim some f'd-up level of encryption)
    World + dog taking some form of action against me for being a "hacker" against a brand that once successfully claimed "what is good for GM is good for America".

    Yeah. No. I think I will leave that one to the black hats.

    Good luck with your Chevy, folks.

  19. Capitalism at its best by Anonymous Coward · Score: 0

    the program has garnered praise from security researchers Chris Valasek and Charlie Miller, monetary reward or not.

    It's cheaper to buy the conscience of two people than the work of two hundred. What works for Congress...

  20. Market Capitalization != Money by Anonymous Coward · Score: 0

    Market Capitalization is not the same thing as money. Having a Market Cap of 47 Billion doesn't mean GM has 47 billion in cash sitting around.

    1. Re: Market Capitalization != Money by Anonymous Coward · Score: 0

      Feminist tech fags don't know the diff

  21. Chevy Astro door handles: $12.55, free shipping by Futurepower(R) · Score: 1

    "GM discontinued the rear door seals"

    Can you make your own seals with silicon rubber?

    "The door handles are wearing out and GM wants $1100 for a full set."

    Toyota dealers near where we live are VERY aggressive. We needed a new window motor, found one online, and installed it ourselves. The motor cost $53, seems very high quality, and works perfectly.

    "GM can't die ... fast enough." I'm guessing that's what is happening. GM is dying.

    Here are Chevy Astro door handles: $12.55 with free shipping.

    1. Re:Chevy Astro door handles: $12.55, free shipping by drinkypoo · Score: 1

      Can you make your own seals with silicon rubber?

      Oh man, if you had ever done this, you would not be asking. It's the size of the whole door. Can you even imagine building a mold that big which can be vacuum degassed? Because just pouring that much silicone will fill it with air.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  22. I'm not suggesting using a mold. by Futurepower(R) · Score: 1

    I'm not suggesting using a mold. I'm suggesting repairing the current seals with silicon rubber by putting silicon rubber everywhere it is needed.

    1. Re:I'm not suggesting using a mold. by Hognoxious · Score: 1

      Like you'd do around a bath?

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    2. Re:I'm not suggesting using a mold. by drinkypoo · Score: 1

      I'm not suggesting using a mold. I'm suggesting repairing the current seals with silicon rubber by putting silicon rubber everywhere it is needed.

      First of all, it's silicone, not silicon. Second of all, I have way more experience with silicone than I ever wanted, and anyone who uses silicone caulk to make an automotive repair is a starry-eyed fool at best. It will eventually fail, and when it does, it will cause you serious problems. Most silicone (or in fact most anything else) won't cure to most silicone, so you have to get it really and truly removed before you can re-apply anything, including the same thing.

      What I've done as a stopgap, and this works for a little while, is to use shoe goo on the top strip (you can also use goop) and then add thick foam weatherseal tape to the various sealing surfaces. If you don't open the doors, this can last for a whole season. But I think there's a vehicle from a more reputable manufacturer in our future. Of all the vehicles I've owned, the best long-term parts availability has been with Nissan and Mercedes. The Nissan van is kind of a dog's breakfast...

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  23. Is Goop better than Shoe Goo? by Futurepower(R) · Score: 1

    Yes, I didn't think clearly about that. Silicone rubber has problems with adherence.

    I agree with the idea of using black Shoe Goo. I'm surprised your methods don't last longer. Problem: Shoe Goo emits a poisonous chemical for more than a month.

    Is Goop any better?

    You didn't say anything about the $14 door handles I found.

    Is long-term parts availability a serious issue? Aren't there many, many people selling parts from old cars online?

    1. Re:Is Goop better than Shoe Goo? by drinkypoo · Score: 1

      I agree with the idea of using black Shoe Goo. I'm surprised your methods don't last longer. Problem: Shoe Goo emits a poisonous chemical for more than a month.

      That's okay, the seal to which I applied it is the one on the very top that isn't actually inside the vehicle. I didn't use it on the door seals.

      Is Goop any better?

      Yeah, it cures faster. More like 48 hours, maybe longer in this weather. Used it on the trunk seal of my Mercedes. Worked like a charm.

      Is long-term parts availability a serious issue? Aren't there many, many people selling parts from old cars online?

      Parts like formed door gaskets are typically dealer-only parts. Like I said, if I want such a part for my 1982 Mercedes, I just buy it. The original supplier still makes it, and I can get it direct now since it's more than 15 years old or so, so I can even get parts cheap on eBay. But if I want rear door seals for the Astro, two out of three of them have been discontinued. Thanks, GM!

      As an aside, GM is just fucking incompetent to begin with. If they had put proper shocks and tires on the Astro from the beginning, they'd have sold twice as many of them. On the stock equipment, the van wallows, it's pathetic.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"