Slashdot Mirror
GM's New Bug Bounty Program Lacks One Thing: A Bounty (securityledger.com)
chicksdaddy writes with this news: General Motors (GM) has become the latest "old economy" firm to launch a program to entice white hat hackers and other experts to delve into the inner workings of its products in search of security flaws, The Security Ledger reports. "The company launched a bug bounty on January 5th on the web site of Hackerone (https://hackerone.com/gm), a firm that manages bounty programs on top of other firms, promising "eternal glory" to security experts who relay information on "security vulnerabilities of General Motors products and services." Despite a $47 billion market capitalization, however, GM is not offering monetary rewards – at least not yet. A page on Hackerone detailing how vulnerability reporters will be thanked reads "Be the first to receive eternal glory," but does not spell out exactly what rewards are proffered. Judging from the description of the program, the "prize" for reporting a vulnerability to GM appears to be a promise by GM not to sue you for finding it." However, the article notes that the program has garnered praise from security researchers Chris Valasek and Charlie Miller, monetary reward or not.
... the bounty may be a lawsuit against the bug finder for breaking the DMCA.
You get the update for free* on your car
* some dealers may still change labor / tool usage fees for there computer that is needed to install new GM software.
Or how about 1 year free XM?
They might not have considered, though, that people able to find such bugs are not as stupid as they think - there are plenty of companies buying "zero day exploits" for cash.
... then get sued!"
http://dilbert.com/strip/1995-...
I'll just sell it elsewhere then...
Despite a $47 billion market capitalization, however, GM is not offering monetary rewards
Market capitalization doesn't matter. They could have a market capitalization like that, and still be losing money every quarter.
In fact, net income for GM was $3.9billion, which is a more relevant number.
"First they came for the slanderers and i said nothing."
I would think *all* companies selling products containing software that could create problems for users if hacked should have a MINIMUM of a "bug bounty" program that credits people for bugs found and ensures they won't get in any legal trouble for the discovery process or for revealing it.
Paying money for bugs found is good incentive to get more people involved in the process, but I'd leave that the the discretion of the company to do.
In a way though, they already pay for this anyway. Isn't that a fundamental task of QA staff? These programs just expand testing and reporting to include anyone interested, instead of just hired employees.
"publicly disclose vulnerability details only after GM confirms completed remedication of the vulnerability."
Ah, I think I see a significant portion of their objective here. Create a bug reporting system, leashed with a NDA so that you don't get to talk about the bug without their OK (which probably means never). And if anyone publicly discloses a bug without going through their little song and dance they claim "we have a bug reporting system that they should have used, their failure to go through "proper channels" is prima facie evidence they were acting improperly" when they sue. Haven't there been similar situations in the past, I believe I recall some security researchers finding a serious bug in some software and reporting it to the company, year(s) later it still wasn't fixed so they went public. A patch was released within a couple months, with the company screaming that the security researchers acted improperly by going public before they "were ready".
In my experience the most valuable thing you get from implementing a bug bounty is: 1) Creating a procedure for responding properly to external incidents. (Can be really hard with complex supply chains!) 2) Motivating external people who are already doing the research to tell you about it. 3) After slowly cranking up the rewards, you might motivate people to start researching specifically to find bugs in your products. It's not always a good idea to start aiming for 3 if you don't have 1 yet.
Selling anonymously to the highest bidder sounds best. More money and less chance of being sued.
GM went bankrupt in 2009 Why? Apparently because GM was deliberately selling cars with poor reliability so it could make more money selling new cars, and so GM dealers could make more money fixing GM cars.
Here are a few examples: The Ten Worst Cars GM Ever Built.
Apparently, nothing has changed. 2014 General Motors ignition switch scandal.
GM is moving away from being a U.S. company: G.M. Will Import Buicks Made in China to the U.S.
Let's see, I work hard, find a bug, save you millions in legal fees.....and my reward is that you promise not to sue me?
Wow, that's like really enticing, where do I sign?
Just cruising through this digital world at 33 1/3 rpm...
"GM discontinued the rear door seals"
... fast enough." I'm guessing that's what is happening. GM is dying.
Can you make your own seals with silicon rubber?
"The door handles are wearing out and GM wants $1100 for a full set."
Toyota dealers near where we live are VERY aggressive. We needed a new window motor, found one online, and installed it ourselves. The motor cost $53, seems very high quality, and works perfectly.
"GM can't die
Here are Chevy Astro door handles: $12.55 with free shipping.
I'm not suggesting using a mold. I'm suggesting repairing the current seals with silicon rubber by putting silicon rubber everywhere it is needed.
Yes, I didn't think clearly about that. Silicone rubber has problems with adherence.
I agree with the idea of using black Shoe Goo. I'm surprised your methods don't last longer. Problem: Shoe Goo emits a poisonous chemical for more than a month.
Is Goop any better?
You didn't say anything about the $14 door handles I found.
Is long-term parts availability a serious issue? Aren't there many, many people selling parts from old cars online?