Tesla Encouraging “Good Faith” Security Research in Bug Bounty Program

Electric vehicle manufacturer Tesla is encouraging what it calls “good faith” security research in its bug bounty program.

In its vulnerability disclosure program, Tesla says it welcomes “the community to participate in our responsible reporting process” for the company’s product offerings and services.

Researchers who participate in the program must report a vulnerability along with information needed to validate the issue and give Tesla a reasonable amount of time to address the reported vehicles. They should also alter vehicles that only they own or to which they have approval to access, make an effort to avoid privacy violations and not expose others to potential safety issues.

Researchers who follow those guidelines can expect to receive a bounty of up to $10,000. The company also affirms its willingness to help bug bounty hunters get their research-registered vehicles back on the road:

If, through your good-faith security research, you (a pre-approved, good-faith security researcher) cause a software issue that requires your research-registered vehicle to be updated or “reflashed,” as an act of goodwill, Tesla shall make reasonable efforts to update or “reflash” Tesla software on the research-registered vehicle by over-the-air update, offering assistance at a service center to restore the vehicle’s software using our standard service tools, or other actions we deem appropriate.

There are some caveats with that promise, though. Tesla clarifies that it may restrict its help to a limited number of times, that it won’t cover out-of-pocket expenses such as towing and that it may de-register a vehicle previously registered for research at any time.

The company goes on to note that it won’t treat the input of a “good-faith security researcher” who as a copyright infringement or voided warranty.

More information about the bug bounty program can be found on Tesla’s website.

To learn about some of (Read more...)