GM embraces white-hats with public vulnerability disclosure program

GM's vulnerability coordination portal on HackerOne. (credit: GM / HackerOne)

On January 5, General Motors quietly flipped the switch on Detroit's first public security vulnerability disclosure program, launched in partnership with the bug bounty and disclosure portal provider HackerOne. General Motors Chief Cybersecurity Officer Jeff Massimilla told Ars the new portal was a first step in creating relationships with outside security researchers and increasing the speed with which GM discovers and addresses security issues.

"We very highly value third-party security research," Massimilla said. He explained that under the program, those third parties can reveal vulnerabilities they find with the guarantee that GM will work with them and not take legal action—as long as they follow the fairly straightforward guidelines posted on the program's portal.

The choice of HackerOne was a key part of the program strategy, Massimilla said, because of that company's existing relationship with security researchers. "We don't have a lot of experience with this sort of program," Massimilla admitted. HackerOne is hosting the program's Web portal, which handles much of the workflow of managing disclosures. "We also have e-mail addresses and other contact points where we can communicate," he added.

Read 18 remaining paragraphs | Comments