Tesla will allow vetted security researchers to hunt for vulnerabilities in its vehicle firmware risk free – as long as it is done under its now-tweaked bug bounty program.
The luxury electric automaker said this week it will reflash the firmware on cars that have been bricked by infosec bods probing for exploitable bugs in its code, provided they have suitably enrolled in the Elon Musk-run biz's updated bounty program. And any sanctioned searching can be carried out without worrying about being sued by Tesla's legal eagles.
“If, through your good-faith security research, you (a pre-approved, good-faith security researcher) cause a software issue that requires your research-registered vehicle to be updated or ‘reflashed,’ as an act of goodwill, Tesla shall make reasonable efforts to update or ‘reflash’ Tesla software on the research-registered vehicle by over-the-air update, offering assistance at a service center to restore the vehicle's software using our standard service tools, or other actions we deem appropriate,” Tesla’s updated security policy now reads.
“Tesla has complete discretion as to the software or other assistance that will be provided and it may be only for a limited number of times. Tesla's support does not extend to any out-of-pocket expenses (e.g. towing) incurred by you.”
Tesla also said that research done through its bug bounty program will not be subject to any legal reprisal, either through criminal complaints (via the US Computer Fraud and Abuse Act) or copyright assertions (the US Digital Millennium Copyright Act). Warranties will also remain valid for those who enroll as security researchers.
“Tesla will not consider software changes, as a result of good-faith security research performed by a good-faith security researcher, to a security-registered vehicle to void the vehicle warranty of the security-registered vehicle, notwithstanding that any damage to the car resulting from any software modifications will not be covered by Tesla under the vehicle warranty,” the policy reads.
The announcement will put to rest fears from security bods that Tesla would wield the DMCA and the CFAA laws as weapons against anyone who hacked its products for research. Without the fear of legal reprisal, infosec types will now be free to pop open Tesla firmware to hunt for bugs and claim rewards.
Among those applauding the carmaker was Bugcrowd founder Casey Ellis, whose startup oversees payouts made through Tesla's bug bounty program.
this is a massive step forward in taking the risk out of #vulnerabilitydisclosure and #bugbounty by @tesla, and maximizing the benefit of a safer internet... i sincerely hope this becomes the status quo.— caseyjohnellis (@caseyjohnellis) September 5, 2018
massive props to all involved!!! #securityresearchisnotacrime https://t.co/1aULl9dNBw
Ellis told The Register that while Tesla had previously had a good relationship with researchers, putting everything down into a concrete policy will help to bring more researchers into the fold.
"The problem they're addressing with safe-harbor is the overall reservation in the hacker community to engage to help because of the anti-hacking laws which exist," Ellis explained. "They're also signaling the importance of bilateral safe-harbor to other companies which are running similar programs."
This doesn’t, however, mean that just anyone can screw up their Tesla and get a free reflash from the company. To be protected by the security policy, owners will need to register both themselves and their cars as part of the bug research program. Researchers will also be subject to guidelines for responsible disclosure, including not accessing other people’s data, giving Tesla a reasonable time frame to patch the discovered flaw, and not exposing their hacked cars to any unsafe conditions.
Those who want to be enrolled in the research program will need to contact Tesla directly to be vetted. ®