Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×
Security The Almighty Buck Transportation

GM's New Bug Bounty Program Lacks One Thing: A Bounty (securityledger.com) 47

chicksdaddy writes with this news: General Motors (GM) has become the latest "old economy" firm to launch a program to entice white hat hackers and other experts to delve into the inner workings of its products in search of security flaws, The Security Ledger reports. "The company launched a bug bounty on January 5th on the web site of Hackerone (https://hackerone.com/gm), a firm that manages bounty programs on top of other firms, promising "eternal glory" to security experts who relay information on "security vulnerabilities of General Motors products and services." Despite a $47 billion market capitalization, however, GM is not offering monetary rewards – at least not yet. A page on Hackerone detailing how vulnerability reporters will be thanked reads "Be the first to receive eternal glory," but does not spell out exactly what rewards are proffered. Judging from the description of the program, the "prize" for reporting a vulnerability to GM appears to be a promise by GM not to sue you for finding it." However, the article notes that the program has garnered praise from security researchers Chris Valasek and Charlie Miller, monetary reward or not.
This discussion has been archived. No new comments can be posted.

GM's New Bug Bounty Program Lacks One Thing: A Bounty

Comments Filter:
  • ... the bounty may be a lawsuit against the bug finder for breaking the DMCA.
    • So... the sensible thing is to sell the bug to the highest bidder so you can not only afford being sued but also enjoy what's left of the money after the lawsuit.

    • by Anonymous Coward

      ... the bounty may be a lawsuit against the bug finder for breaking the DMCA.

      Good for them. It's good to know that they're following the law to ensure they will receive fucking nothing from this "program" of theirs, which is equivalent to what they're offering to pay.

      Hello Corporate Whores. Perhaps one day you'll wake up and realize people don't work for free any more than you fuckers would.

  • by ffkom ( 3519199 ) on Sunday January 10, 2016 @03:44PM (#51273719)
    They probably considered the consequences of a "bug bounty program" and realized that it creates an incentive to write bugs into the software, having a friend "find them" and cash in, later. Now add to this the general distrust typical large corporations have in their own employees, so they probably figured their best bet is a "bug bounty program" without an actual bounty.

    They might not have considered, though, that people able to find such bugs are not as stupid as they think - there are plenty of companies buying "zero day exploits" for cash.

    • "They probably considered the consequences of a "bug bounty program" and realized that it creates an incentive to write bugs into the software, having a friend "find them" and cash in"

      Of course yes, because who wouldn't risk a six figures salary for a three figures bounty.

      • Some people are irrational with their greed and overly confident with their intelligence.

        Usually they become lawyers or politicians or investment bankers but I suppose a few low end software developers could be the same. It's not like people haven't thrown away good careers or their families for gambling or drug usage and so on. It's not uncommon to see people who are married for 20+ years throw it all away at retirement age because they took a chance on cheating and now have to divide up a life time of ass

  • ... then get sued!"
  • Meh (Score:5, Insightful)

    by liqu1d ( 4349325 ) on Sunday January 10, 2016 @04:03PM (#51273793)
    I'll just sell it elsewhere then...
  • Despite a $47 billion market capitalization, however, GM is not offering monetary rewards

    Market capitalization doesn't matter. They could have a market capitalization like that, and still be losing money every quarter.
    In fact, net income for GM was $3.9billion, which is a more relevant number.

    • NAh.. The only thing that matters to some people is the gross sales figure which means they are rich and can afford it. Anything like costs or labor or raw material stock and so on are accounting tricks to avoid paying their fair share in taxes.

      Please stop polluting this discussion with facts and reality.

  • What is my glory is not eternal and wanes after a while? Can I see them for damages? Maybe we could turn it into a class action and get awarded the monetary bounty in that way.

  • by King_TJ ( 85913 ) on Sunday January 10, 2016 @04:56PM (#51274019) Journal

    I would think *all* companies selling products containing software that could create problems for users if hacked should have a MINIMUM of a "bug bounty" program that credits people for bugs found and ensures they won't get in any legal trouble for the discovery process or for revealing it.

    Paying money for bugs found is good incentive to get more people involved in the process, but I'd leave that the the discretion of the company to do.

    In a way though, they already pay for this anyway. Isn't that a fundamental task of QA staff? These programs just expand testing and reporting to include anyone interested, instead of just hired employees.

  • by Dereck1701 ( 1922824 ) on Sunday January 10, 2016 @05:00PM (#51274039)

    "publicly disclose vulnerability details only after GM confirms completed remedication of the vulnerability."

    Ah, I think I see a significant portion of their objective here. Create a bug reporting system, leashed with a NDA so that you don't get to talk about the bug without their OK (which probably means never). And if anyone publicly discloses a bug without going through their little song and dance they claim "we have a bug reporting system that they should have used, their failure to go through "proper channels" is prima facie evidence they were acting improperly" when they sue. Haven't there been similar situations in the past, I believe I recall some security researchers finding a serious bug in some software and reporting it to the company, year(s) later it still wasn't fixed so they went public. A patch was released within a couple months, with the company screaming that the security researchers acted improperly by going public before they "were ready".

  • In my experience the most valuable thing you get from implementing a bug bounty is: 1) Creating a procedure for responding properly to external incidents. (Can be really hard with complex supply chains!) 2) Motivating external people who are already doing the research to tell you about it. 3) After slowly cranking up the rewards, you might motivate people to start researching specifically to find bugs in your products. It's not always a good idea to start aiming for 3 if you don't have 1 yet.
  • Selling anonymously to the highest bidder sounds best. More money and less chance of being sued.

  • GM went bankrupt in 2009 [wikipedia.org] Why? Apparently because GM was deliberately selling cars with poor reliability so it could make more money selling new cars, and so GM dealers could make more money fixing GM cars.

    Here are a few examples: The Ten Worst Cars GM Ever Built [jalopnik.com].

    Apparently, nothing has changed. 2014 General Motors ignition switch scandal [wikipedia.org].

    GM is moving away from being a U.S. company: G.M. Will Import Buicks Made in China to the U.S. [nytimes.com]
    • My lady has a 2000 Astro. It still runs flawlessly, trans works perfectly, and with upgraded shocks and tires and a posi-trac upgrade it has hilariously good handling. (The rear axle is from the S10, but the front suspension is derived from the Caprice.) Sadly, we are going to have to get rid of it because GM discontinued the rear door seals, and they are not just extruded weatherstrip but complex formed gaskets. The door handles are wearing out and GM wants $1100 for a full set. Leave the key in the igniti

      • "GM discontinued the rear door seals"

        Can you make your own seals with silicon rubber?

        "The door handles are wearing out and GM wants $1100 for a full set."

        Toyota dealers near where we live are VERY aggressive. We needed a new window motor, found one online, and installed it ourselves. The motor cost $53, seems very high quality, and works perfectly.

        "GM can't die ... fast enough." I'm guessing that's what is happening. GM is dying.

        Here are Chevy Astro door handles: $12.55 with free shipping [amazon.com].
        • Can you make your own seals with silicon rubber?

          Oh man, if you had ever done this, you would not be asking. It's the size of the whole door. Can you even imagine building a mold that big which can be vacuum degassed? Because just pouring that much silicone will fill it with air.

          • I'm not suggesting using a mold. I'm suggesting repairing the current seals with silicon rubber by putting silicon rubber everywhere it is needed.
            • Like you'd do around a bath?

            • I'm not suggesting using a mold. I'm suggesting repairing the current seals with silicon rubber by putting silicon rubber everywhere it is needed.

              First of all, it's silicone, not silicon. Second of all, I have way more experience with silicone than I ever wanted, and anyone who uses silicone caulk to make an automotive repair is a starry-eyed fool at best. It will eventually fail, and when it does, it will cause you serious problems. Most silicone (or in fact most anything else) won't cure to most silicone, so you have to get it really and truly removed before you can re-apply anything, including the same thing.

              What I've done as a stopgap, and this w

              • Yes, I didn't think clearly about that. Silicone rubber has problems with adherence.

                I agree with the idea of using black Shoe Goo. I'm surprised your methods don't last longer. Problem: Shoe Goo emits a poisonous chemical for more than a month.

                Is Goop any better?

                You didn't say anything about the $14 door handles I found.

                Is long-term parts availability a serious issue? Aren't there many, many people selling parts from old cars online?
                • I agree with the idea of using black Shoe Goo. I'm surprised your methods don't last longer. Problem: Shoe Goo emits a poisonous chemical for more than a month.

                  That's okay, the seal to which I applied it is the one on the very top that isn't actually inside the vehicle. I didn't use it on the door seals.

                  Is Goop any better?

                  Yeah, it cures faster. More like 48 hours, maybe longer in this weather. Used it on the trunk seal of my Mercedes. Worked like a charm.

                  Is long-term parts availability a serious issue? Aren't there many, many people selling parts from old cars online?

                  Parts like formed door gaskets are typically dealer-only parts. Like I said, if I want such a part for my 1982 Mercedes, I just buy it. The originally supplier still makes it, and I can get it direct now since it's more than 15 year

  • Let's see, I work hard, find a bug, save you millions in legal fees.....and my reward is that you promise not to sue me?

    Wow, that's like really enticing, where do I sign?

Is it possible that software is not like anything else, that it is meant to be discarded: that the whole point is to always see it as a soap bubble?

Working...