Fiat Chrysler has finally got around to offering a bounty on bugs found in its cars. But the scheme is unlikely to get any takers considering the pitiful amount of money on offer.
Last year car-hacking artistes Charlie Miller and Chris Valasek took remote control of the engine, brakes, and minor systems of such Fiat Chrysler motors as the Ram, Durango, and Jeep from miles away just using the vehicle's IP address and a flaw in its uConnect software.
The news caused the car firm to recall 1.4 million cars, cough up $105m in fines, and face a class-action lawsuit from drivers who were somewhat peeved at the possibility of having their rides hijacked and crashed for kicks by errant hackers.
So you'd have thought Chrysler would be willing to invest heavily in security, but there's little evidence of that in Wednesday's bug bounty announcement.
The biz is offering rewards ranging from $150 to $1,500 for details of serious flaws in its software systems. Given it banked $410m in profit in 2015, or $780 a minute, a top end payout represents two minutes of annual profit for Chrysler.
"Fiat Chrysler Automobiles values engaging third party researchers to improve our products making them safer and more reliable," the company said in a canned statement. "Our goal with the Bug Bounty project is to foster a collaborative relationship with researchers to participate in responsible disclosure of vulnerabilities in FCA’s vehicles and connected services."
To put that in some perspective Facebook is offering up to $15,000 for a flaw in its software, Microsoft will pay $100,000 for serious bugs, and there's a standing offer from Google for the same amount to anyone who can break into its ChromeOS operating system and is considering raising that to $200,000 in an attempt to encourage more hacking attempts.
With some researchers pulling in $250,000 a year in bounties, the car manufacturer's offer of $150 isn't going to cut much ice. Charlie Miller was certainly unimpressed.
$1500 seems cheap to me, but at least its paid (looking at you GM). I think its the first company besides Tesla to do that.— Charlie Miller (@0xcharlie) July 13, 2016
...and no they didn't retroactively pay us for last year :)— Charlie Miller (@0xcharlie) July 13, 2016
Chrysler competitor Tesla offers $10,000 for serious flaws and provides a useful counterpoint to the Chrysler offer. Both firms had bad bugs discovered in their automotive software at around the same time last year, but handled it in completely different ways.
Miller told the press at the Black Hat 2015 convention that Chrysler knew about the software flaw months before the news came out about the security hole and did nothing, and it was only when he announced a talk on the subject was coming that the automaker did something. Miller told El Reg that if he hadn't gone public then he doubted it would have been fixed.
Tesla went the other route. After hackers found six flaws in its code the company increased its bounty payouts tenfold, gave the researchers $10,000 and a medal, had the company's CTO JB Straubel go on stage at the DEF CON 2015 event to apologize, and set up a stand to recruit security researchers to the company.
Chrysler may find a few researchers willing to submit bugs, but the paltry rewards aren't going to focus minds on the problem much. It's rather disturbing to see a company pay so dearly last year for its security screw-ups, turn around a whopping $539m in profit in first three months of 2016, and yet value the safety of its customers so cheaply. ®