Tesla Motors has taken a mass-market bug bounty program out for a spin—but not for its connected cars.
The program, administered by Bugcrowd, will pay researchers anywhere from $25 to $1,000 for disclosing vulnerabilities on the main teslamotors.com domain and a few other company-owned domains; the e-commerce site is explicitly out of scope.
The vulnerability payouts are as follows:
· XSS: $200–$500
· CSRF: $100–$500
· SQL injection: $500–$1,000
· Command injection: $1,000
· Business logic issues: $100–$300
· Horizontal privilege escalation: $500
· Vertical privilege escalation: $500–$1,000
· Forceful browsing/Insecure direct object references: $100–$500
· Security misconfiguration: Up to $200
· Sensitive data exposure: Up to $300
The company runs a separate, more high-touch process for its electric vehicles. No payout amounts or granular details have been published for the vehicle program, but on its website the company notes, “Tesla values the work done by security researchers in improving the security of our products and service offerings. We are committed to working with this community to verify, reproduce, and respond to legitimate reported vulnerabilities. We encourage the community to participate in our responsible reporting process.”
Also, according to reports, at Defcon in Las Vegas in August, attendees will be able to mount attacks on any part of the Tesla Model S they would like to try to compromise. Given how thoroughly connected the car is, there is a lot of attack surface to cover. Sources in the company told Forbes that the exercise is meant both to surface bugs and to identify security talent the company may want to put in the driver’s seat.