General Motors Celebrates Second Anniversary with Hackers
Just over two years ago, General Motors became the first major automaker to launch a public vulnerability disclosure program (VDP). Its purpose? To protect its customers by working with hackers to safely identify and resolve security vulnerabilities. Since the program launched in 2016, GM has resolved more than 700 vulnerabilities across the entire supply chain, with help from hackers.
“We value the expertise of the security research community, and have been very pleased with the program’s performance to date,” said Jeff Massimilla, Vice President Global Cybersecurity at GM. “Researchers are engaged, and the quality of information we’re receiving is extremely valuable and is helping us improve security across all areas of GM.”
GM’S PROGRAM BY THE NUMBERS
To date, GM has worked with more than 500 hackers from all over the world. Access to this caliber of researchers wouldn’t be possible without this program.
“The global community of friendly hackers brings diverse perspectives and techniques that can surface vulnerabilities faster than a security team going at it alone,” said Alex Rice, co-founder and CTO, HackerOne. “GM is the perfect example of an innovative company embracing the hacker community to surface bugs and supplement the great work their internal security team is already doing.”
HACKERS AS AN EXTENSION OF THE SECURITY TEAM
GM responds to and fixes reported bugs with impressive speed and agility, including those found with any of its suppliers, making it one of the most comprehensive vulnerability disclosure programs across industries in terms of scope. How can they tackle such a tall order? GM has a broad, experienced internal security team, including full-time internal red teams. Even with such a mature security team structure, GM taps the ethical hacker community to help find what they might have missed.
“We’ve always approached security with a diverse set of tools in our toolbox,” said Massimilla. “Leveraging HackerOne’s relationship with the research community, and seeing firsthand the results they provide, has been extremely encouraging. Hackers have become an essential part of our security ecosystem.”
As cyber risks evolve, so has GM’s internal organization. Since launching the VDP as the Chief Product Cybersecurity Officer at GM, Massimilla has now taken on the role of Vice President of Global Cybersecurity. This newly formed organization merges all cybersecurity activity - both product and corporate cybersecurity - into one central organization. This organizational shift reflects the progressive mindset within GM.
“We are taking a holistic approach to cybersecurity at General Motors” explained Massimilla. “In today’s connected world, it’s critically important that product and corporate cybersecurity functions are aligned across all areas of the business.”
GM is leading the automotive industry into the 21st century with a close eye on cybersecurity. According to HackerOne research, only seven of the top 50 automotive manufacturers have a way for external researchers to report vulnerabilities. Four of these seven fall under the GM brand: Buick, Cadillac, Chevrolet and GMC. Furthermore, only two of the top 50 suppliers of the automotive industry have a channel for disclosure. This may seem like a stark comparison to the digitally native technology industry, but it is progress nonetheless. GM’s VDP is setting a new standard of collaborative cybersecurity in the name of public safety. It’s not just a car company, GM is a technology company.
“We’re taking cybersecurity very seriously at General Motors. It’s a top priority for our company, and our most senior executives, including the CEO, fully support our organization,” said Massimilla. “We are employing strategies and programs, like our VDP with HackerOne, with the sole purpose of protecting our customers, their vehicles and their data.”
For our hackers: Stay tuned for more from GM’s security team as they prepare to launch a unique hacking challenge soon to expand their program and deepen relationships with the security community.