Hackers Help Eliminate Supply Chain Vulnerabilities at GM
General Motors (GM) designs, manufactures and distributes vehicles and vehicle parts. One of its specializations is technologically advanced cars, such as those with built-in 4G LTE connectivity, semi-autonomous vehicles and electric vehicles.
Nearly two years ago, GM leaders realized that the data limits of its OnStar Wi-Fi hotspot system could be hacked. The security flaw allowed anyone to exploit the system and take advantage of unlimited Wi-Fi. With more than 4 million cars equipped with this system, the consequences could have been massive.
“We’ve always approached security with a diverse set of tools in our toolbox,” says Jeff Massimilla, vice president of global cybersecurity at GM. “In today’s connected world, it’s critically important that product and corporate cybersecurity functions are aligned across all areas of the business.”
Early on, GM merged all cybersecurity activity — both product and corporate — into one central organization. But the cybersecurity team members realized they needed more help in identifying and resolving vulnerabilities within the supply chain than what the team could provide.
HackerOne is a hacker-powered security platform that works with companies and organizations across all industries to set up vulnerability disclosure policies (VDPs) and bug bounty programs. When an organization implements a public VDP, it is open to any security researchers hacking its systems and alerting it to any flaws they uncover. HackerOne uses ethical hackers and security researchers from all around the world to find security flaws within security systems.
GM implemented a public VDP through HackerOne. The goal was to allow hackers to safely and legally report security threats and vulnerabilities within GM’s supply chain. External hackers can submit threats in GM’s systems through its VDP. Once they do so, the internal GM security team responds immediately to fix the problem.
The global community of friendly hackers brings diverse perspectives and techniques that can identify vulnerabilities quickly. GM is an example of an innovative company embracing the hacker community to surface bugs and supplement the great work its internal security team is already doing.
Since the program launched in 2016, GM has resolved more than 700 vulnerabilities across its entire supply chain, thanks to the help of more than 500 hackers. The security improvements extend to key suppliers and other external partners, making it one of the most comprehensive VDPs in any industry.
“Leveraging HackerOne’s relationship with the research community and seeing firsthand the results they provide has been extremely encouraging,” Massimilla says. “Hackers have become an essential part of our security ecosystem.”