Following the news that Fiat Chrysler Automobiles (FCA) is offering a bug bounty program, Art Dahnert, Consultant at Cigital, commented on the program as follows.
Art Dahnert, Consultant at Cigital:
“I’ve looked at the BugCrowd profile for the FCA bug bounty and it looks like they are just dipping their toe in the water. They are specifically staying away from the automotive platforms, meaning the cars themselves. The domains in scope are ancillary integration services for some of the vehicle components. They gave a well-defined list of what types of vulnerabilities are important, which helps with keeping the ‘signal-to-noise’ ratio low.
The bug bounty is a good first step and I’m hopeful they are able to find value in it. This should be part of a more holistic plan that involves design analysis and threat models as well as internal security assessments. The earlier in the product cycle a vulnerability is found, the easier and cheaper it is to fix.”