Tesla modifies product policy to accommodate "good-faith" security research

Tesla promises to reset car firmware and software damaged during security research. Also promises not to go after "good-faith" researchers in court.


Electric car maker Tesla Motors modified its product security guidelines this week to accommodate the work of security researchers.

Tesla says it will allow security researchers to register themselves with the company as a "good-faith security researcher" and their Tesla cars as "research-registered vehicles."

The company says it will provide assistance, over-the-air updates, and firmware reflashes to "research-registered vehicles" whose software/firmware was damaged during research.

Until today, the company's reps usually voided the warranty of Tesla cars whose owners (security researchers included) tampered with the software/firmware.

Tesla also granted a legal safe harbor to researchers who perform security research under the terms of its bug bounty program, promising not to go after researchers in court, similar to how other car makers have chosen to deal with security issues in the past.

Security research has often been snuffed out in court, either through criminal charges under the Computer Fraud and Abuse Act ("CFAA"), when researchers accessed servers without authorization, or through copyright infringement claims under the Digital Millennium Copyright Act ("DMCA"), when researchers reverse engineered proprietary code.

Tesla promised not to pursue any of these avenues if researchers follow the security research rules the company has listed on its site and on its official Bugcrowd bug bounty page.

The car maker's announcement was greeted with joy by the security research community, whose members have often been dragged into court for the simplest acts of reporting vulnerabilities.

Before Tesla, Dropbox announced a similar pro-security-research policy this March.