Bug Bounty Programs: Vehicle Specialty Often Difficult to Fill
The need for bug bounty programs arose years ago as a gap formed. Manufacturers were producing their goods and services, as is to be expected, but they had a "first to market" mentality in place. There was, and in certain markets continues to be, a rush to design, engineer, and manufacture the product so that it is the first in the marketplace for the consumer to purchase. In theory, that manufacturer becomes the market leader, sells the maximum number of units, and gains the market share; a manufacturer that waits does not maximize its sales volume and is left trying to catch up with its peers. This sales methodology is unfortunately still prevalent, and of late it has been noted with routers, IP cameras, and similar equipment.
With these and other products, security architecture was applied at various levels, ranging from very little, as with too many IoT products, to a moderate level of security. A contributing factor has been the lack of information security talent. This is a function of the limited number of programs focused on the subject, newer programs not coming online at a quick enough pace, and, once they are in place, a time lag of at least three years before graduates enter the workforce.
One area growing in importance is vehicle security. The number of vehicles with embedded systems continues to grow, and autonomous vehicles are presently being tested on public roads shared with other drivers. These vehicles are expected to be in full production within five years. Their systems are being developed with the focus on having them operational in a timely manner, with security a secondary focus.
With the growing need for information security (InfoSec) professionals, there is an issue. In this specialty, only a limited number of people have the knowledge and expertise to attack the embedded systems in a vehicle, and most firms in the specialty do not allow their personnel to contribute to these bug bounty programs (Gray, 2017). This appears to be starting to relax, but it is still a barrier to overcome.
With a bug bounty program, the sponsoring firm is able to add to its security baseline. With vehicles, there are ample areas to research: the connected and autonomous vehicles in use today are more computers on wheels than anything else. From an administrative side, a bug bounty program is easier to run for a vehicle that has been sold for years, since more vehicles and modules are available for testing on dealer lots and in junkyards. With new vehicles, the issue can be, dependent on the circumstances, the cost. New vehicles cost upwards of $30k, and the internal client may not want to part with two or three of them given the constraint on its budget. Junkyard vehicles may not have all of their original equipment due to an accident or other damage, but many of the modules would be intact and perfectly testable. More manufacturers are producing more connected vehicles, applications, and hardware.
Bug bounty programs are a welcome addition to the InfoSec environment for those manufacturers that lack an internal testing program. They have provided, and will continue to provide, knowledge regarding vulnerabilities that might not otherwise be found.
Gray, P. (2017, July 2). Biz soap box: Bugcrowd founder and CEO Casey Ellis on the future of crowd sourced security. Retrieved from https://risky.biz/