Artificial IntelligenceCryptocurrencyMetaverseCybersecurityTech Forward

Fiat Chrysler Is Paying the Public to Find Security Flaws in Its Cars

July 13, 2016, 7:18 AM UTC
2016 New York International Auto Show
Anadolu Agency/Getty Images

Fiat Chrysler Automobiles will start rewarding the public with cash for finding vulnerabilities and security bugs in its vehicle software, more than a year after two hackers showed how they could remotely take control of its popular Jeep Cherokee.

White hat hackers—the folks hacking for good purposes, not nefarious ones—will be paid between $150 and $1,500 for each legitimate security flaw through a bug bounty program managed by Bugcrowd, a crowd-sourced cybersecurity company. Bugcrowd, which is backed by several venture capital and private equity firms, raised $15 million in a Series B funding round in April.

Millions of so-called connected cars and trucks are on roads today, and that’s a potentially huge cybersecurity hole if hackers find weaknesses and choose to exploit them. Connected cars is a loose term that, in general, refers to cars with in-vehicle systems connected to the Internet. These systems give hackers multiple entry points to gain remote access to a connected car, for example through the software that operates the in-car entertainment, navigation, and advanced driver assistance systems.

“Bugcrowd will do the initial triage,” Titus Melnyk, FCA US’s senior security manager says in a YouTube video announcing the program. If the company determines that it’s a valid submission, it will be passed along to FCA.

“The most important thing is if someone does report a vulnerability to us—that we vet out—we want to reward that person, which is why we’re going with a paid bounty program,” Melnyk says in the video.

Get Data Sheet, Fortune’s technology newsletter.

The end goal is to not only find the bugs, but ultimately help Fiat Chrysler (FCAU) write better code, Casey Ellis, co-founder and CEO of Bugcrowd, says in the video, referring to the programming language used to build software. There’s another aim as well: to show the market that FCA is serious about cybersecurity.

“It (FCA) understands that a connected car does involve risk when it comes to the cyber realm,” Ellis says in the video, which is posted below.


Charlie Miller and Chris Valesek demonstrated last year to a Wired reporter just how easy it was to hack a vehicle when they remotely took control of a Jeep Cherokee. The Jeep Cherokee hack exposed the weaknesses behind the FCA’s digital defenses and raised questions about what, if anything, other connected car manufacturers were doing to protect their vehicles. FCA ended up recalling 1.4 million vehicles to fix the software.

FCA isn’t the only company, or automaker, to offer cash to hackers. Tesla’s bug bounty program, which is also run by Bugcrowd, pays up to $10,000 to hackers who find credible vulnerabilities.

General Motors (GM) quietly launched a program in January to connect the company with white hat hackers. Hackers who find security bugs or vulnerabilities can inform GM through a secure website portal hosted by HackerOne, a venture-backed security startup based in San Francisco that originally spun out of Facebook. At launch, the GM program wasn’t paying hackers (or “researchers,” as they’re sometimes called). That could change, GM cybersecurity chief Jeff Massimilla said at the time.

Transportation companies, including United Airlines (UAL) and ride-hailing company Uber have also launched bug bounty programs. In March, Uber expanded its private computer bug bounty program and opened it to the public. Uber also introduced a loyalty rewards program that gives bonus payouts to hackers who uncover a string of bugs. HackerOne also runs Uber’s program.