Enterprises are teaming up with Bugcrowd, a crowdsourced security company whose platform helps organizations find and fix vulnerabilities in their software before attackers exploit them.
According to Bugcrowd, the first bug bounty program was created in late 1995 by Jarrett Ridlinghafer, a technical support engineer at Netscape. Its goal was to find bugs in the Netscape Navigator 2.0 browser, and those who found them were paid a cash reward.
Bug bounty programs continued to grow, and a big breakthrough came when Google introduced its Vulnerability Reward Program for the company's web applications in 2010. Since that program's launch, Google has paid bug hunters more than US$6 million, according to Bugcrowd.
Today, much like the bounties of the Wild West, bug bounty programs invite security researchers and everyday hackers to find dangerous vulnerabilities and be paid in cash for them. Bugcrowd has gathered well over 32,000 security researchers into one large community of bug bounty hunters. They come from different backgrounds and experience levels and hail from more than 110 countries, according to Casey Ellis, CEO and founder of Bugcrowd.
Currently, Bugcrowd's proprietary vulnerability disclosure platform is deployed by companies such as Barracuda Networks, Jet.com, Pinterest, Tesla Motors and Western Union. Other large enterprises are hopping on the bug-hunting bandwagon, including Fiat Chrysler, which recently joined in order to tap Bugcrowd's community of cybersecurity researchers.
To make its connected vehicles as safe as possible, Fiat Chrysler is relying on the Bugcrowd community to identify potential product security vulnerabilities, implement fixes and put mitigating controls in place after testing, according to Ellis. Connected vehicles carry real cybersecurity risk, so every bug that is found and fixed makes the cars customers drive safer; the customers are ultimately the real winners, according to Ellis.
“[Fiat Chrysler] has always made the security of their cars a top priority, standardizing and innovating security features since 1924,” said Ellis. “As the attack surface of cars has expanded from just the physical realm to the cyber world, they have taken a new approach to product security in their commitment to helping keep drivers and passengers safe.”
Fiat Chrysler is looking forward to security researchers discovering potential cybersecurity vulnerabilities. According to Titus Melnyk, the company's senior manager of security architecture, those who take the time to experiment, find vulnerabilities and report them safely deserve to be rewarded, which is why the company has agreed to pay hackers for their bug-hunting skills. A reported vulnerability can earn a bounty of $150 to $1,500. Depending on the nature of a vulnerability, Fiat Chrysler may publicly disclose some of the findings.
Web, mobile, IoT and hardware security researchers can start hunting for Fiat Chrysler bugs by signing up on Bugcrowd and creating a profile. Once approved, they can begin hacking on the public programs. Over time, Ellis said, members of the crowd can gain recognition and reputation on the leaderboard and earn access to private programs with higher payouts.