• 02.12.16

Find A Bug In A Tesla? You Could Get A Reward.

Companies like Tesla and Fitbit are offering cash rewards to non-employees who find security flaws.

Find A Bug In A Tesla? You Could Get A Reward.
[Photo: Flickr user Randy Sloan]

It’s one of the biggest threats to the Internet of Things: Bugs.


The rise of omnipresent computers in cars and home appliances will transform the way we live, but many of those devices are increasingly at risk of being hacked. And that has created plenty of business for bug catchers like Bugcrowd.

A security company that works with tech companies of all stripes, Bugcrowd essentially offers bug bounties–cash rewards to hackers and researchers who report vulnerabilities in their clients’ products. It is also on the leading edge of the new economy with clients that include Tesla Motors, Fitbit, and a number of Internet of Things vendors.

“There are bounties where people discovered they could access home security cameras,” Ellis told me over the phone from Australia, where the Sydney-born entrepreneur was visiting family.

Data provided by the company indicates that automobiles and motor services account for approximately 7% of its customers, with consumer products accounting for another 4%. Its non-tech customer base (which includes finance, health care, retail, and media) comes out to approximately 18.7%.

Companies offering monetary rewards for discovering security vulnerabilities is nothing new. A black market in “zero day exploits” has existed for years, where parties ranging from software companies to foreign intelligence services would offer payments to anyone who informed them of undisclosed security vulnerabilities or weak points. However, hobbled by complicated legal and ethical issues (Can you hack a company’s private systems to find vulnerabilities? Is a freelance researcher responsible if they unintentionally cause damage?), the field has had trouble mainstreaming.

That’s increasingly changing as a result of the growth of the tech industry. Bugcrowd raised a $6 million funding round in 2015; a rival company, HackerOne–whose work with GM was previously featured in Fast Company, raised $25 million last year. Both companies are pursuing a larger market: The massive range of security issues caused by the way mobile apps and tech products in general have invaded our daily lives.


By email, a Tesla representative told Fast Company that the company’s bug bounty program launched in 2014 and includes both its vehicles and its website. “A dedicated team of top-notch Tesla security professionals works closely with the researcher community to ensure that we continue to protect our systems against vulnerabilities by constantly stress-testing, validating, and updating our safeguards. Given the cutting edge nature of our technology, the security team constantly reviews and identifies new methods to defend our systems and protect our customers,” wrote the rep.

In order to participate in the bounty program and be on safe legal footing, anyone who reports a security vulnerability in a Tesla vehicle has to already possess a Tesla. “The focus is obviously the website for us because it’s easiest for people to test, but in scope it includes anything the researcher has permission to hack. If they have the opportunity to get their hands on a car, that’s in the scope as well,” explains Ellis. The company did not reveal how many security vulnerabilities have been reported since the program began.

According to Ellis, one of the major issues his company faced was how to make sure its researcher community–and clients like Tesla and Fitbit–are on safe ground. That meant segmenting its users and building clear protocols for reporting vulnerabilities they found. Bugcrowd says it segments users based on their trustworthiness, activity, and impact, and it runs private, invite-only bug bounty programs for specific projects and clients (alongside public bounty programs anyone can apply to) that only certain users have access to.

Another of the company’s clients, networking firm Aruba, told Fast Company that the vulnerability-hunting outsourcing approach benefits their company.

“As a vendor, the problem we have in trying to do security research in-house is finding the needed variety in talent,” said Jon Green, Aruba’s director of security architecture, via email. “You simply can’t find all the necessary skills in a single person, and to hire an expert in each field is just too expensive. The crowdsourced approach lets us tap into a wide variety of skill-sets, from the guy just getting started who knows how to scan for simple cross-site scripting bugs all the way up to researchers who will reverse-engineer your code to look for flaws that might be really obscure, but also really critical. We’ve seen some really great stuff coming in, such as attack vectors that we never would have thought of. Our ultimate goal, like any software company, is to fix our flaws before they negatively impact one of our customers. We think crowdsourced security programs give us a leg up on that goal.”

Companies like Bugcrowd and HackerOne handle bounty payments for their clients, who in exchange pay them to handle the complicated ethical and logistical issues surrounding bug spotting. The researchers and security geeks who find the vulnerabilities for them hail from all over the world; Ellis estimated that a third of them come from the United States, another third from India, and that the remainder are split among Australia, the European Union, and the rest of the world.


Other companies that have signed up for Bugcrowd’s service on-record include Pinterest, Western Union, Dropbox, Twilio, and