Ever since Tesla opened up its bug bounty program on Bugcrowd about three years ago, dozens of security researchers who have sent their Proofs of Concept (PoCs) to the company have been named in the Hall of Fame. When it launched the program on Bugcrowd, Tesla said on its Bugcrowd page:
“We are committed to working with this community to verify, reproduce, and respond to legitimate reported vulnerabilities. We encourage the community to participate in our responsible reporting process.”
The latest news is that Tesla will not void a Tesla EV owner’s warranty if they attempt to hack the vehicle’s software within the bounds of the bug bounty policy.
— Tesla (@Tesla) 5 September 2018
Tesla has also included wording to that effect in its Product Security page on its website:
“Tesla will not consider software changes, as a result of good-faith security research performed by a good-faith security researcher, to a security-registered vehicle to void the vehicle warranty of the security-registered vehicle, notwithstanding that any damage to the car resulting from any software modifications will not be covered by Tesla under the vehicle warranty.”
The company also offers to “reflash” or update the software should something go wrong during security research, but the fine print adds that “out of pocket expenses” such as towing will not be reimbursed if the car has to be taken to a service center to restore the software.
The bug bounty currently ranges from $100 to $10,000 per vulnerability, depending on the factors outlined in the program’s policy.