GM's New Bug Bounty Program Lacks One Thing: A Bounty (securityledger.com)
chicksdaddy writes with this news: General Motors (GM) has become the latest "old economy" firm to launch a program to entice white hat hackers and other experts to delve into the inner workings of its products in search of security flaws, The Security Ledger reports. "The company launched a bug bounty on January 5th on the web site of Hackerone (https://hackerone.com/gm), a firm that manages bounty programs on top of other firms, promising "eternal glory" to security experts who relay information on "security vulnerabilities of General Motors products and services." Despite a $47 billion market capitalization, however, GM is not offering monetary rewards – at least not yet. A page on Hackerone detailing how vulnerability reporters will be thanked reads "Be the first to receive eternal glory," but does not spell out exactly what rewards are proffered. Judging from the description of the program, the "prize" for reporting a vulnerability to GM appears to be a promise by GM not to sue you for finding it." However, the article notes that the program has garnered praise from security researchers Chris Valasek and Charlie Miller, monetary reward or not.
You get the update for free* on your car
* some dealers may still charge labor / tool usage fees for their computer that is needed to install new GM software.
Or how about 1 year free XM?
They might not have considered, though, that people able to find such bugs are not as stupid as they think - there are plenty of companies buying "zero day exploits" for cash.
So... the sensible thing is to sell the bug to the highest bidder so you can not only afford being sued but also enjoy what's left of the money after the lawsuit.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
I'll just sell it elsewhere then...
Nah... The only thing that matters to some people is the gross sales figure, which means they are rich and can afford it. Anything like costs or labor or raw material stock and so on are accounting tricks to avoid paying their fair share in taxes.
Please stop polluting this discussion with facts and reality.
I would think *all* companies selling products containing software that could create problems for users if hacked should have a MINIMUM of a "bug bounty" program that credits people for bugs found and ensures they won't get in any legal trouble for the discovery process or for revealing it.
Paying money for bugs found is a good incentive to get more people involved in the process, but I'd leave that to the discretion of the company.
In a way though, they already pay for this anyway. Isn't that a fundamental task of QA staff? These programs just expand testing and reporting to include anyone interested, instead of just hired employees.
"publicly disclose vulnerability details only after GM confirms completed remediation of the vulnerability."
Ah, I think I see a significant portion of their objective here. Create a bug reporting system, leashed with an NDA so that you don't get to talk about the bug without their OK (which probably means never). And if anyone publicly discloses a bug without going through their little song and dance, they claim "we have a bug reporting system that they should have used; their failure to go through 'proper channels' is prima facie evidence they were acting improperly" when they sue. Haven't there been similar situations in the past? I believe I recall some security researchers finding a serious bug in some software and reporting it to the company; year(s) later it still wasn't fixed, so they went public. A patch was released within a couple of months, with the company screaming that the security researchers acted improperly by going public before they "were ready".