In a major escalation in its bug bounty program, Tesla is offering a free Model 3 to anyone who can hack their car at Trend Micro’s Zero Day Initiative’s upcoming hacking contest, Pwn2Own.
Humble Beginnings of the Bug Bounty Programs
If you haven’t heard of a bug bounty program, you might be wondering why Tesla is rewarding someone to break into their software.
Bug Bounties run on the principle that no one is better at securing your home than a professional burglar; likewise, hackers are enlisted to expose software vulnerabilities in exchange for a reward.
Companies learn ahead of time where their software is susceptible to attack, and they effectively crowd-source their security testing to tens of thousands of amateur and professional security researchers.
They also pay only for confirmed, reproducible findings, which saves an enormous amount on testing, and contests like these appeal to the satisfaction that so-called whitehat hackers get from breaking into software in a constructive, sanctioned way.
The first bug bounty was offered by Netscape back in 1995, who said, “By rewarding users for quickly identifying and reporting bugs back to us, this program will encourage an extensive, open review of Netscape Navigator 2.0 and will help us to continue to create products of the highest quality.”
Other vendors were slow to adopt the unorthodox model and for years the idea of bug bounties failed to catch on while software vulnerabilities remained unaddressed.
Over time, however, companies began to catch on. Whitehats continued to report vulnerabilities in large enterprise software, and conferences such as DEF CON worked to educate software companies about the need for such programs. Soon these companies began to listen.
In 2004, Mozilla began offering $500 to whitehats who found critical security flaws in its Firefox browser.
Another big breakthrough came in 2007 with the introduction of the Pwn2Own contest, which originally set out to find security vulnerabilities in Apple's Mac OS X operating system as a way to wake Apple up to the need for stronger security measures.
The popularity of these contests soon alerted industry titans to their utility.
In 2010, Google announced its own security vulnerability program for its web applications and Facebook followed a year later with its whitehat program, offering a minimum $500 reward for vulnerabilities reported to the company and no maximum limit on the reward offered. The program is still going, having paid out more than $2 million so far.
Tesla Ups the Ante at Pwn2Own
Tesla’s four-year-old bug bounty program is already a huge success. Tesla has a generous payout structure, with a maximum reward of $15,000 per reported vulnerability, and it has paid out hundreds of thousands of dollars in bounties so far.
What’s more, Tesla has encouraged people to dig into its systems for weaknesses, stating that hacking Tesla’s software, as long as it is done within the rules of the bug bounty policy, will not void the warranty on your car.
As long as your work complies with our bug bounty policy, Tesla will not void your warranty if you hack our software https://t.co/HhibE1UpRC https://t.co/NIISSrrViD — Tesla (@Tesla) September 5, 2018
Giving away a Model 3 seems like the next logical step for the automaker. By committing to the safest possible software in its Model 3s, and by putting a car up as the prize at Pwn2Own, Tesla will only make the Model 3, and everyone else sharing the road with it, safer as a result.