Fiat Chrysler will pay you up to $1500 to hack vehicles

But don't even think about going public.

fiat-chrysler-bug-bounty-program-zdnet.jpg
FCA Group

Fiat Chrysler Automobiles (FCA) has revealed itself as the latest automaker to launch a bug bounty program to keep security vulnerabilities in connected cars at bay.

The vulnerability disclosure scheme focuses on Fiat Chrysler's connected vehicles, including systems and apps associated with running these services, such as Uconnect and ecoDrive.

The program, hosted on Bugcrowd, is offering researchers between $150 and $1,500 per vulnerability, depending on the severity of the issue.

"We have committed to formal recognition and compensation for discovery of reproducible and legitimate vulnerabilities, provided they are disclosed responsibly," the company says. "Our goal with the Bug Bounty project is to foster a collaborative relationship with researchers to participate in responsible disclosure of vulnerabilities in FCA's vehicles and connected services."

The automaker asks that researchers provide full details of any vulnerabilities found, including proof-of-concept code or details. Uconnect iOS, Uconnect Android, ecoDrive on Android, and ecoDrive on the iPhone and iPad are all targets. In addition, the automaker is interested in security problems found within the driveconnect.eu and ecodrive.driveconnect.eu web domains.

FCA will reward researchers for problems such as remote code execution (RCE) flaws and cross-site scripting bugs on authenticated pages, but will not issue any rewards for security issues including clickjacking, error messages, vulnerabilities relating to Adobe Air infrastructure, public files and directories, or certificate strength problems.

In total, four bugs have been resolved and rewarded so far, but the details of each security issue remain private.

Security researchers interested in this project need to take note of the small print, however. Fiat Chrysler does not allow the disclosure of issues to the public and says the company will not take legal action against contributors as long as they do not access, modify, or retain data accessed during testing.

In addition, researchers must "make a good faith effort" to avoid violating privacy, destroying data, and interrupting services.

The move follows the remote control and hack of Fiat Chrysler's Jeep Cherokee, leading to the rather expensive recall of over 1.4 million vehicles for security patch updates.