
Tesla Offers To Pay Hackers $1,000 To Find Its Web Weaknesses, But What About Its Cars?


Tesla has gone official with a bug bounty programme for its website on the Bugcrowd platform, offering between $25 and $1,000 per vulnerability, though it won't be doing anything similar for its vehicles just yet.

That $1,000 cap is pretty low in comparison to the likes of Facebook and Google, which have handed out individual rewards as high as $33,000 and $22,000 respectively, but Tesla doesn't have anything like the web footprint of those two giants.

Elon Musk's electric car maker has been congratulated by the security community for its willingness to work with benevolent hackers. It had already set up its own, somewhat disorganised bug bounty programme with a Hall of Fame, but it now wants a more formal process in place.

"We are committed to working with this community to verify, reproduce, and respond to legitimate reported vulnerabilities. We encourage the community to participate in our responsible reporting process," the blurb on Bugcrowd read.

Contributors can only report on tesla.com and must give Tesla "a reasonable time to correct the issue before making any information public". There's also a long list of the kinds of issues that are out of scope, and a smaller one for those that are in scope.

Anyone who believes they have found a problem in a Tesla vehicle should email vulnerability@teslamotors.com rather than going to Bugcrowd, according to the firm. But there remains little information on how Tesla rewards anyone who finds a bug in its cars or other products, such as its recently announced home battery, or whether they are rewarded at all.

Tesla has been informed about issues in its cars and subsequently fixed them without posting any notice on its site to credit the researchers. One such issue was on public record, disclosed by Chinese security giant Qihoo 360; FORBES has learned of others from sources in the research community. In none of those cases were the researchers rewarded, FORBES understands, though Qihoo was handed $10,000 for winning an unofficial competition to hack a Tesla.

A bug bounty for vehicle vulnerabilities would be a major step for Tesla and for the car industry in general, though manufacturers may fear that big incentives would encourage people to break the security of their cars, even if the resulting fixes would benefit them and their drivers. Major market players have been keen to keep quiet about digital security issues, even though researchers have been highlighting flaws in cars repeatedly over the last year.

Most manufacturers apart from Tesla have been fighting anyone who wants to tinker with their cars. Led by the Auto Alliance and General Motors, car makers have sought to preserve their ability to make legal threats against owners who modify the code in their own vehicles, opposing proposed exemptions to the Digital Millennium Copyright Act that would permit such research.

Ted Harrington, executive partner at Independent Security Evaluators, believes manufacturers should be taking more measures to protect people's lives. "When it comes to security research, the stakes are the highest when human lives are involved. Securing the connected car is about more than just protecting data; it is about protecting lives. In that vein, auto manufacturers should be going to extreme lengths to harden their systems against the most sophisticated adversaries.

"In order to fully understand and mitigate risk, a system must go through ongoing, thorough, manual white box security assessment. With lives at stake, auto manufacturers in the era of the connected car should consider robust security assessment a business-critical mandate."

According to sources, Tesla is also planning to open up a vehicle or its components to attendees at the Defcon hacker conference in August this year, though the company has denied those claims.

However Tesla moves forward with its security programme, it is at least seeking to protect customer information on its site. One wonders whether that will help it prevent social engineering attacks such as the one that saw its Twitter feed and website compromised just last month.