Automotive companies are warming up to vulnerability disclosure programs

The automotive industry is looking to step up its collaboration with cybersecurity researchers to identify software and hardware bugs after a watershed 2015 hacking demo.
CC BY 2.0
Citroën C3 (Photo: Passion:driving)

The automotive industry is looking to step up its collaboration with cybersecurity researchers to identify software and hardware bugs in order to better protect vehicles, which are becoming more connected and automated.

“We’ve begun to actively develop relationships with the researcher community to encourage them to look at our vehicles and to let us know if they find vulnerabilities,” Harry Lightsey, an executive at General Motors, said Tuesday at the Wilson Center in Washington, D.C.

A case in point is a workshop in Detroit next week that will show industry representatives how to set up an effective vulnerability disclosure program, a practice that enlists outside researchers to find bugs in an organization’s equipment.

The workshop’s goal will be to “understand what a vulnerability disclosure program is, how to stand one up, what the pitfalls are,” Faye Francy told CyberScoop after the Wilson Center event. She heads the Automotive Information Sharing and Analysis Center (Auto-ISAC), the threat-sharing hub hosting the workshop.


Some companies are further along in embracing vulnerability disclosure than others: Fray estimated that 20 percent of Auto-ISAC’s 47 members, which include automotive giants like Ford, GM, and Mercedes-Benz, have disclosure programs in place. Some automotive companies have also adopted bug bounty programs; Fiat-Chrysler was the first major car manufacturer to do so in 2016.

“There’s a lot of devil in the details” in setting up a disclosure program, Francy said.

“You need to have a process of how to handle these, how to adjudicate them, how quickly you’re able to disclose that more broadly [and not just within the company],” she told CyberScoop, outlining what Auto-ISAC members stand to learn at the workshop.

HackerOne, a company that specializes in bug bounty programs, will help run the Motor City tutorial.

The auto industry’s complex supply chain make tight collaboration between suppliers key to an effective disclosure program, according to HackerOne CTO Alex Rice.


“If a single vulnerable supplier refuses to collaborate with a friendly hacker, it can increase the risk for the entire ecosystem,” he told CyberScoop.

The increasing willingness of car makers to collaborate with white-hat hackers comes after the two groups famously crossed paths in 2015, when researchers Charlie Miller and Chris Valasek showed how to remotely commandeer a Jeep, taking over its steering and braking. Chrysler responded by recalling 1.4 million vehicles affected by the software vulnerability.

After that demonstration, “I think the immediate reaction was to kind of put the researcher community at arm’s length,” Lightsey said. “But I think the industry has moved beyond that and…[is] working very hard on outreach to that community because they’re an incredible resource.”

Since the Jeep hack demonstration, disclosure programs have gradually gained traction with car makers. GM set up a program through HackerOne in 2016 that has resolved 700 vulnerabilities, according to Rice.

But program adoption in the industry’s vast supply chain, with all of its complexities and potential vulnerabilities, has been slower: Just two of the industry’s top 50 suppliers have a program in place, according to HackerOne.

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts