GM offers bounty for software bugs

Nora Naughton
The Detroit News

Detroit — General Motors Co. is offering a bounty on bugs in its vehicle software.

The Detroit automaker plans to bring in a small group of "white hat" hackers this summer to search for security vulnerabilities in the company's software and vehicles, President Dan Ammann said Friday during a keynote address at the Billington Automotive CyberSecurity Summit.

GM plans to offer a cash payment for each "bug" found in this new Bug Bounty program. 

"We'll show them the products, programs and systems for which we plan to establish these Bug Bounties," Ammann said. "Then we'll put them in a comfortable environment — ply them with pizza and Red Bull or whatever they might need — and turn them loose."

The select group of researchers — likely fewer than 10 people — will all be familiar with GM's software ahead of the event.

The Detroit automaker only plans to bring in "white hat researchers that we've established relationships with through our disclosure program," said Jeffrey Massimilla, GM's vice president of global cybersecurity. 

In its efforts to address automotive cybersecurity challenges, GM has already established what it calls the Security Vulnerability Disclosure Program. More than 500 researchers have participated in the program to identify and resolve more than 700 vulnerabilities, Ammann said. 

The collaborative disclosure program also includes communications with the National Highway Traffic Safety Administration, the Federal Trade Commission and other government agencies.

Cybersecurity is an important safety issue heading into a future in which driverless cars roam the roads, but in the near term it's also a key element of progress.

"One cyber incident could stymie (autonomous vehicle) deployment altogether, or at least delay it for a long time," Ammann said. "The public and policymakers would view a major cybersecurity incident involving any one of us as an incident involving all of us."

Perhaps the most famous automotive cybersecurity breach was the remote takeover of a Jeep Cherokee by two hackers in 2015. GM Cruise, the automaker's self-driving unit, later hired those hackers.

"The overall threat level is only going to grow from here, which is why we’re putting so much energy and resources into getting ahead and staying ahead," Ammann told the press after his speech. He said GM is looking to assemble "the best-possible, most talented team we can have working on this. Not just inside the company but also taking advantage of third party researchers, taking advantage of third party expertise from multiple different places."

Twitter: @noranaughton