GM will reward researchers for finding cybersecurity threats

DETROIT -- General Motors will begin a high-stakes bug bounty program designed to privately find potential weaknesses in the automaker's cybersecurity and products.

Such programs are common in software and tech firms. They're becoming more prominent in the auto industry, as automakers prepare to launch autonomous vehicles and more service-based programs such as ride-hailing fleets.

"The overall focus, threat level and so on is only going to grow from here, which is why we're putting so much energy and resources into getting ahead, and staying ahead, and iterating rapidly," GM President Dan Ammann said Friday following a presentation at the Billington Cybersecurity Summit in Detroit.

GM's program, announced Friday by Ammann, is expected to begin by the end of summer. It will include a group of about 10 or fewer researchers, also known as white-hat hackers.

"We'll show them the products, the programs and the systems for which we plan to establish these bug bounties," Ammann said. "Then we'll put them in a comfortable environment -- ply them with pizza and Red Bull or whatever they might need -- and we'll turn them loose."

The selected individuals, according to Jeff Massimilla, GM vice president of Global Cybersecurity, were chosen from more than 500 researchers who have participated in GM's vulnerability disclosure program. GM launched the vulnerability program with HackerOne, a friendly hacker platform to identify work, in 2016.

The bounty program, officials said, is "a step further" than the disclosure program, which has identified more than 700 vulnerabilities since launching in January 2016.

"We started that through the disclosure program but what we really see is we want to get their expertise really working on the product," Massimilla told Automotive News. "We'll look at the highest risk systems in our products."

The bounty program, Massimilla said, will include "large sums of money" for the researchers based on what "bugs" they may find. He declined to disclose exact payment amounts.

Car hacking has been demonstrated in controlled simulations in recent years -- mostly when hackers are physically plugged into the vehicle's hardware. The most well-publicized case occurred when security researchers Chris Valasek and Charlie Miller remotely hacked into a 2014 Jeep Cherokee in a real-world test in 2015.

You can reach Michael Wayland at mwayland@crain.com -- Follow Michael on Twitter: @MikeWayland