Tesla Motors has started a bug bounty program that will pay researchers up to $1,000 for disclosing vulnerabilities in its website. Rewards do not apply to bugs found in the company's vehicles. Bug bounty hunters have to find vulnerabilities in the main teslamotors.com domain and other domains owned by the company. The Tesla car sales website and other sites hosted by third parties are not included in the bug bounty, which is being administered by Bugcrowd.

The bug bounty will not enthuse hardcore hackers, because Tesla has left its cars and their associated software and hardware out of the program. Readers may note that Tesla has a separate reporting process for vulnerabilities in its vehicles.

While website vulnerabilities are passé, research on attacks and vulnerabilities in the software running inside smart cars has become much more common in the last couple of years. Car hacking is a serious problem that can cause grievous injuries if cars are taken over by hackers and made to do malicious things, such as being involved in suicide bombings. Chris Valasek and Charlie Miller are considered pioneers in this field and have developed several attacks on the systems in cars from various manufacturers.

However, big car manufacturers haven't taken any interest in finding the vulnerabilities in their cars, which raises serious questions about those cars' vulnerabilities. Tesla, however, has taken a different route and has a dedicated team of researchers for finding vulnerabilities in its cars.

The vulnerabilities listed by the Tesla Motors bug bounty include:

XSS: $200–$500
CSRF: $100–$500
SQL: $500–$1,000
Command injection: $1,000
Business logic issues: $100–$300
Horizontal privilege escalation: $500
Vertical privilege escalation: $500–$1,000
Forceful browsing/Insecure direct object references: $100–$500
Security misconfiguration: Up to $200
Sensitive data exposure: Up to $300

The minimum reward is $25 and the maximum is $1,000.