Tesla Rewards Hackers With Bug Bounty
An anonymous reader writes: Tesla Motors is offering up to $1,000 to anyone who uncovers security issues on its website. Forbes reports that the program is not yet available for its vehicles however. Using a security crowdsourcing company called Bugcrowd, researchers have found 22 bugs for Tesla so far. A statement on the Tesla Bugcrowd page reads in part: "We are committed to working with this community to verify, reproduce, and respond to legitimate reported vulnerabilities. We encourage the community to participate in our responsible reporting process."
up to $1K (Score:5, Insightful)
Re:up to $1K (Score:4, Insightful)
yeah, will never happen with their cars. way too much risk.
never understood why companies don't pay out big $$ for these bugs. has to be worth way more than $1K to them.
Re: (Score:3)
you're missing the market. first off, people will not make an effort to find the bugs unless the price is right. plenty of high quality people won't try for $1K, leaving bugs undiscovered, at least by white hats. second, if there isn't decent compensation for finding the bugs, some people will sell them on the black market, where they could go for much much more.
Re: (Score:2)
but it seems to me that to enter the same game as the cybercriminals and extortionists is one that cannot be won.
That's why they call it a war, and not just a battle. But you can be ahead of your neighbors, and if they are more attractive targets, then you may well be attacked less, let alone compromised. I don't have to outrun the bear, said the lawyer to his friend, I just have to outrun you.
Seriously, though, it's cheaper to pay a little bounty than to have your site exploited, if you can in fact get people to bite for small payouts.
Re: (Score:2)
The extortion comes from being forced into either accepting the conditions of the bug bounty programs or going to federal pound-me-in-the-ass prison.
The bug bounty programs are set up as a PR move. They encourage "responsible disclosure" and offer amounts of money that look large to the uninformed public, but are a joke compared to the effort required to find and report and follow up on the bugs, let alone the actual value to malevolent hackers.
If a security researcher finds a significant bug affecting $BI
Riiiiiiiight. (Score:3, Insightful)
Re: (Score:3)
They want to pay "hackers" less than pen testers, with ambiguous escrow or payout deadlines, and trust that all vulnerabilities found are reported, or reported well. What could possibly go wrong.
From where I'm sitting, it looks pretty good; people will try to hack them anyway, if people report vulns they can reward them with whatever amount they like, it's cheap to do.
Subsidy overrun (Score:2)
Tesla insults hackers with bug bounty (Score:2, Insightful)
$1000 for applying highly specialized skills? UP TO?
Only a thousand bucks??? (Score:3)
Granted, it's a lot better than many others that prefer to sue your ass over discovering a security flaw, but, compared to some other bounty rewards, isn't "up to" $1K a little low?
View source (Score:3)
Out of curiosity I went to their website and did a view-source. Apparently they use Drupal. So I'm going to add them to my "Uses drupal" bookmark folder for that time when the next Drupal security exploit comes out...
Also for some reason they use jQuery 1.8. Isn't that version vulnerable to a known XSS exploit?
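As an added example (not code from the thread, from Tesla or from Bugcrowd), here is the defender-side version of what this commenter did by hand: scan a saved copy of your own site's HTML for jQuery core script tags and flag any whose version is below a chosen minimum or cannot be determined. The sample HTML and the minimum version are constructed for illustration.

```python
"""Flag outdated or unversioned jQuery references in saved HTML.

Added example; the sample markup and the policy floor are constructed.
"""
import re

# Any <script ... src="..."> tag; the src attribute is captured.
SCRIPT_RE = re.compile(r'<script[^>]+src=["\']([^"\']+)["\']', re.IGNORECASE)


def parse_version(text):
    """Return the first x.y or x.y.z in `text` as an int tuple, or None."""
    m = re.search(r'(\d+)\.(\d+)(?:\.(\d+))?', text)
    if not m:
        return None
    return tuple(int(g) if g else 0 for g in m.groups())


def find_jquery_versions(html):
    """Return (src, version) for each jQuery core script tag in `html`.

    jQuery UI is skipped because it is versioned independently of core.
    """
    results = []
    for src in SCRIPT_RE.findall(html):
        name = src.rsplit('/', 1)[-1].split('?', 1)[0].lower()
        if not name.startswith('jquery') or name.startswith(('jquery-ui', 'jquery.ui')):
            continue
        results.append((src, parse_version(src)))
    return results


def outdated(html, minimum):
    """Return the src of every jQuery reference below `minimum` or of unknown
    version; unknown versions are flagged so they get looked at by a human."""
    return [src for src, ver in find_jquery_versions(html)
            if ver is None or ver < minimum]


# Constructed sample page: one old Drupal-style reference, one unversioned
# copy, one jQuery UI file (ignored) and one current core release.
SAMPLE_HTML = """
<html><head>
<script src="/misc/jquery.js?v=1.8.3"></script>
<script src="https://code.jquery.com/ui/1.12.1/jquery-ui.min.js"></script>
<script src="/js/jquery.js"></script>
<script src="https://code.jquery.com/jquery-3.6.0.min.js"></script>
</head><body></body></html>
"""
MIN_JQUERY = (1, 12, 0)  # constructed policy floor, not a vendor recommendation

if __name__ == "__main__":
    for src in outdated(SAMPLE_HTML, MIN_JQUERY):
        print("review:", src)
```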
Get out your checkbook, Elon ... (Score:4, Funny)