The Washington Post

Find a security bug in your GM car? The automaker wants to hear about it.

(Photo by Bill Pugliano/Getty Images)

A new car today isn't just a car, it's a sophisticated computer on wheels that relies on tens of millions of lines of code. And in those long lines of zeroes and ones, there might be a mistake -- some glitch that could allow hackers to gain control over a car.

But there's a disconnect between automakers and the cybersecurity community that helps find those kinds of glitches: When researchers uncover a problem, it's often not clear how they can get automakers to fix it.

General Motors, one of the world's largest automakers, says it is trying to change that. The company is developing a formal program to work with researchers who identify security bugs, GM's chief product cybersecurity officer Jeffrey Massimilla told the Post in an interview. In some cases, researchers who report problems will be eligible for a reward "in some way, shape or form," according to Massimilla.

The move comes at a time when the risks posed by hackers to Internet-connected cars are making headlines: This summer, one pair of researchers demonstrated that they could remotely hack a Jeep Cherokee and take over its brakes and steering, prompting Fiat to recall 1.4 million vehicles vulnerable to the attack.

But while electric car maker Tesla Motors has already made a point of welcoming security researchers looking for vulnerabilities, most of the auto industry has been slow to adapt.

The auto industry is "in the very early stage of realizing the importance of cybersecurity," said Cesar Cerrudo, the chief technology officer at cybersecurity firm IOActive.

It is unclear when GM will launch its program or how broad it will be, but Massimilla says the company is in the "final steps" of setting it up. Such programs typically include assurances that researchers who follow the company's vulnerability disclosure policy won't face legal action for their work, and require researchers to give the company time to fix a problem before revealing the details to the public.

The automaker has already created about 70 e-mail addresses to receive bug reports from researchers, and it is working on a secure way for them to send information about vulnerabilities through its Web site, according to Massimilla. It has also trained call center workers at its subsidiary OnStar to recognize when researchers are trying to notify GM about security problems, he said.

"It's essentially a welcome mat rather than a beware-of-dog mat for independent security researchers," said Josh Corman, founder of I Am the Cavalry, a group that is encouraging the auto industry to focus on cybersecurity. "It increases the likelihood that researchers will look for and report vulnerabilities, which ultimately gets them fixed sooner."

Corman is also hopeful that GM's move toward a formal disclosure policy will encourage other automakers to do the same -- and that may be key to improving vehicle cybersecurity across the board.

"Modern cars have so many components from so many different manufacturers, it will take an industry-wide effort to make cars more secure," Cerrudo said.