Titus Melnyk, senior manager, security architecture at FCA US, led the charge in launching the first bug bounty program for connected cars.
In an unprecedented move, FCA US, the American subsidiary of Fiat Chrysler Automobiles (FCA), under the leadership of Melnyk, launched a bug bounty program for its connected cars, making it the first full-line vehicle manufacturer to offer financial rewards – ranging from $150 to $1,500 – for white hat hackers who find vulnerabilities in the manufacturer's technology.
The main goal of the program is to find any vulnerabilities that exist within the hardware and eliminate them, as well as to signal to the market that FCA is a company that is serious about the cybersecurity of its customers. The program will focus primarily on systems that interact with FCA's vehicles, such as Uconnect, as well as its owner websites.
FCA partnered with San Francisco-based crowd-sourced security testing service Bugcrowd, which already has a similar arrangement with Tesla.
“Doing research in vehicles isn't easy,” said Titus Melnyk in an interview posted on YouTube. “It requires a special knowledge and special tools. If someone takes the time to experiment and find something and then discloses it to us in a responsible way, we want to have a reward for that.”
Melnyk said that because of the bug bounty program, FCA's customers will ultimately “find their products are going to be more stable, more secure,” and that their car systems are “going to act the way that they expect the vehicle to act.”
“There are a lot of people that like to tinker with their vehicles or tinker with IT systems,” Melnyk said in a release announcing the bounty program. “We want to encourage independent security researchers to reach out to us and share what they've found so that we can fix potential vulnerabilities before they're an issue for our consumers.”
Melnyk also stressed that exposing or publicizing vulnerabilities for the sole purpose of seeking attention and fame does little to actually protect the customer. The purpose of the program is to reward security researchers for their time and effort and to make products safer.
The senior manager has more than 24 years of cybersecurity experience and serves as the head of the automaker's cybersecurity organization, which is responsible for the creation of the firm's ICT (Information and Communication Technology) cybersecurity defense strategies and solutions.
The bug bounty builds off of the security concerns of researchers such as Stefan Savage at the University of California, San Diego, and the car hacking duo Charlie Miller and Chris Valasek.
Tesla also has a bug bounty program through Bugcrowd, which pays out up to $10,000 to hackers who find vulnerabilities, and GM silently launched a program in January through a secure website portal hosted by HackerOne.