Slashdot Mirror


GM's New Bug Bounty Program Lacks One Thing: A Bounty (securityledger.com)

chicksdaddy writes with this news: General Motors (GM) has become the latest "old economy" firm to launch a program to entice white hat hackers and other experts to delve into the inner workings of its products in search of security flaws, The Security Ledger reports. "The company launched a bug bounty on January 5th on the web site of Hackerone (https://hackerone.com/gm), a firm that manages bounty programs on top of other firms, promising "eternal glory" to security experts who relay information on "security vulnerabilities of General Motors products and services." Despite a $47 billion market capitalization, however, GM is not offering monetary rewards – at least not yet. A page on Hackerone detailing how vulnerability reporters will be thanked reads "Be the first to receive eternal glory," but does not spell out exactly what rewards are proffered. Judging from the description of the program, the "prize" for reporting a vulnerability to GM appears to be a promise by GM not to sue you for finding it." However, the article notes that the program has garnered praise from security researchers Chris Valasek and Charlie Miller, monetary reward or not.

3 of 47 comments

  1. Probably a message to their own IT staff by ffkom · Score: 5, Insightful
    They probably considered the consequences of a "bug bounty program" and realized that it creates an incentive to write bugs into the software, have a friend "find them" and cash in later. Now add to this the general distrust typical large corporations have in their own employees, so they probably figured their best bet is a "bug bounty program" without an actual bounty.

    They might not have considered, though, that people able to find such bugs are not as stupid as they think - there are plenty of companies buying "zero day exploits" for cash.

  2. Meh by liqu1d · Score: 4, Insightful

    I'll just sell it elsewhere then...

  3. Coming into focus now by Dereck1701 · Score: 4, Insightful

    "publicly disclose vulnerability details only after GM confirms completed remediation of the vulnerability."

    Ah, I think I see a significant portion of their objective here. Create a bug reporting system, leashed with an NDA so that you don't get to talk about the bug without their OK (which probably means never). And if anyone publicly discloses a bug without going through their little song and dance, they claim "we have a bug reporting system that they should have used; their failure to go through 'proper channels' is prima facie evidence they were acting improperly" when they sue. Haven't there been similar situations in the past? I believe I recall some security researchers finding a serious bug in some software and reporting it to the company; year(s) later it still wasn't fixed, so they went public. A patch was released within a couple of months, with the company screaming that the security researchers acted improperly by going public before they "were ready".