General Motors bug bounty program: Be careful, or court

Will GM's bug bounty program prove to be a success without a financial incentive -- and the stringent demands placed to stop researchers being sued? [UPDATED]

General Motors has launched a bug bounty program, but the rules could put off researchers before it begins.

The Detroit, Michigan-based firm has now joined rival Tesla in asking researchers to submit flaws and bugs discovered within the firm's Web domains. However, while Tesla offers up to $10,000 per flaw, GM's bug bounty program, hosted by HackerOne, asks researchers to submit GM.com bugs -- but no more information is given in relation to credit or reward.

The automotive firm, perhaps unwisely, spends far more time explaining the cases in which GM will not take researchers to court -- such as not causing harm, compromising services, violating criminal law and not being resident in Cuba, Iran, North Korea, Sudan, Syria or Crimea, the embargoed nations of the United States.

GM also promises not to take researchers to court if they "provide a detailed summary of the vulnerability, including the target, steps, tools, and artifacts used during discovery," and "publicly disclose vulnerability details only after GM confirms completed remediation of the vulnerability and not publicly disclose vulnerability details if there is no completion date or completion cannot be ascertained."

This is highly unlikely to entice researchers to submit flaws, as the rules tie down those who enter the bug bounty program, but there are no stipulations for the automaker itself for reasonable timeframes in which to accept and fix bugs, let alone when public disclosure would be acceptable.

As cybersecurity expert Charlie Miller noted on Twitter:

screen-shot-2016-01-12-at-13-03-15.png

Those on the US Treasury Department's Specially Designated Nationals List are also barred from participating.

It's worth noting the program is only a week old, and so if there is enough pressure to change these policies -- or a lack of attention by security researchers which speaks volumes in itself -- rewards of a financial nature or changes in terms may eventually be offered.

While this is a step in the right direction, automakers should consider researchers as allies, not enemies -- and make sure their bug bounty programs reflect this. As new vehicles now often contain infotainment systems, Internet access and networked devices, Web domain security is not enough.

Automakers must also enlist the help of external eyes to fix problems before they can impact on the health and safety of customers.

In May last year, United Airlines took a different approach by launching a bug bounty program which rewarded researchers in another manner -- through free air miles. Almost immediately, one researcher scooped up one million air miles for reporting a severe remote code execution (RCE) flaw.

However, the US airline then disappointed many by taking six months and the threat of public exposure to patch another severe flaw which exposed the personal data of Rewards members.

A GM spokesperson told ZDNet:

"GM takes cybersecurity very seriously, has devoted substantial resources to address it, and continues to do so. We also value the work of third party researchers, and want to hear directly from anyone who finds a security vulnerability in one of our products or services."

Read on: Top picks