GM (General Motors) is bringing in professional hackers to look for vulnerabilities in its vehicles’ computer systems. The ‘white hat’ hackers are being lured with the promise of cash payments, or ‘bounties’, for each bug they uncover.
“We’ll show them the products, programs and systems for which we plan to establish these bug bounties. Then we’ll put them in a comfortable environment – ply them with pizza and Red Bull or whatever they might need – and turn them loose,” said GM’s President Dan Ammann in a speech at the Billington CyberSecurity Summit.
The program, called Bug Bounty, will include ten or so hand-picked researchers, who will return to their homes or offices after the event to continue their research.
Do bug bounties work?
Bug bounties are fairly common among large organizations, and vulnerabilities are often discovered as a result, but they shouldn’t be relied upon. In fact, bounties are usually only offered when an organization is already confident that its product is secure. If it weren’t, the organization would run the risk of paying out hundreds or even thousands of bounties, which would cause not only a financial disaster but also a PR nightmare.
News of the organization’s poor security practices would reach customers, who might turn to a competitor. On the flip side, it would attract cyber criminals, who would see the organization as a soft target.
GM’s program is slightly different from most bug bounties in that it’s not open to everyone, but its motives are still questionable. Granted, anything that raises awareness of cybersecurity is important, but if the company were serious about keeping its computer systems secure, why doesn’t it trust its own experts? And if it wanted third-party help, there are much simpler – and possibly more reliable – options, such as penetration testing.
GM’s Bug Bounty program is essentially a convoluted penetration test, in which a professional tester, working on behalf of an organization, uses the same techniques as a criminal hacker to search for vulnerabilities in the company’s networks and/or applications. Penetration testing is required by most cybersecurity laws and frameworks, as it’s the most effective way of rooting out weaknesses in systems and networks.
A test can be conducted by a single professional (or a handful in rare cases), who will assess an organization and produce a report providing recommendations for improving its security practices. The whole process should take somewhere between one and three weeks, and should complement vulnerability scans and bounty programs.
Vulnerability scans and penetration tests root out small and large vulnerabilities, which organizations should address before a product or application is launched. Once that happens, the organization might choose to offer bug bounties – although it’s not a regulatory requirement.
You can learn more about penetration testing by visiting our website. We’re also a CREST-accredited provider of penetration tests, offering services to suit your needs, whether you’re concerned about weaknesses in internal networks, web applications, wireless networks, or your staff’s awareness of socially engineered attacks.