GM Launches Program To Encourage Disclosure Of Cybersecurity Flaws

General Motors will have more than 12 million connected cars on the road by the end of this year, thereby creating a massive potential for hackers to maliciously exploit its systems.

In an attempt to discover and subsequently remove any cybersecurity flaws in its vehicles, the automaker has teamed up with bug-bounty coordinator HackerOne to create a new program that will rely on a community of white-hat hackers to notify it of potential security problems.

GM’s chief cybersecurity officer, Jeff Massimilla, explained that the company places high value on security researchers. The automaker launched this program to ensure that researchers can hack its cars without the fear of being sued by GM. The company’s website indicates that anyone with good intentions may attempt to hack GM vehicles without facing legal action, provided that they do not violate the law, harm the company or its customers, or live in certain countries, including Iran, North Korea, and Sudan, among other rules. Additionally, if a security vulnerability is discovered, the hackers are not allowed to disclose their findings to the public until the automaker has fixed the issue.

There’s no question that the stakes are high for GM and all automakers. The growing prevalence of connected cars greatly increases the risk of malicious hacking, with potential entry points existing through in-car entertainment, navigation, and advanced driver assistance systems. It is therefore critical to discover security flaws to keep drivers safe in the future.

“We’re putting a lot of technology into our cars,” said Massimilla. “There’s a responsibility obviously to put an appropriate level of security with those technologies.”

Tesla is the only other automaker with such a program, offering hackers $100 to $10,000 for reported bugs. Although researchers who notify GM of a potential security flaw will not currently be rewarded, Massimilla says that could change in the future.

Cybersecurity vulnerabilities are a growing concern throughout the auto industry as cars become increasingly connected. In 2014, security researchers Charlie Miller and Chris Valesek received attention by demonstrating their ability to hack a vehicle when they remotely took over control of a Jeep Cherokee. This disclosure prompted Fiat Chrysler to recall 1.4 million U.S. vehicles.

One week later, hacker Samy Kamkar posted a video indicating that he had built a device that could intercept communications between GM’s OnStar RemoteLink mobile app and the OnStar service, thereby allowing him to locate, unlock and remote-start vehicles. General Motors fixed the problem after learning about the vulnerability. Kamkar said that although it was easy to work with GM in disclosing his findings, it was difficult to find the correct person to work with.

The automaker’s new program should make it more straightforward for white-hat hackers to disclose security flaws in the future.