In the wake of last week’s Wired.com report where security researchers Charlie Miller and Chris Valasek remotely took control of a 2014 Jeep Cherokee via its telematics system, the auto industry is now on cyber-security high alert. During a regional press preview for the new 2016 Tucson, Hyundai America President and CEO Dave Zuchowski was asked about it. As expected Zuchowski said that the safety and security of customers is always a top priority for the company but then went on to give a surprising response to my follow-up question.
When I asked Zuchowski if Hyundai would follow the lead of technology companies such as Facebook, Microsoft and Google and establish a bounty program for responsible disclosure of security vulnerabilities, he acknowledged that it was under consideration. In addition, he said that while Hyundai doesn’t have a formal program at this time, the company has previously paid researchers on an ad hoc basis for disclosing vulnerabilities. Zuchowski didn’t offer any additional details, but the acknowledgement that the company has gone down this path is a good thing.
I first proposed the idea of a bounty program to OEM contacts back in 2011 and have done it repeatedly since then to no avail and also wrote about it here nearly a year ago.