Tesla considers itself to be a tech company first and a car company second so it is no surprise they have a robust bug bounty program that rewards hackers for finding flaws in their code. Much to the surprise of many Tesla fanboys, Tesla does frequenty pay these whitehat hackers, because they find serious bugs.

At a Tesla sponsored event in Vancouver, BC, Canada, a cybersecurity group named Synacktiv hackers was awarded $200,000 and a free Tesla Model 3. That is a like a lot of money, but it was a big bug!

Synacktiv was able to get into a Tesla ECU (Electronic Control Unit) and it’s “CAN Bus” system which means they could have taken full control over any part of the car.

telsa model 3 covered in broken computer code full

In January 2024, Tesla awarded Synacktiv $100,000 for finding and reporting a completely unrelated bug in Telsa’s Infotainment System. This came from the annual pwn2own cybersecurity event which gave out a massive $1.3 million over just two days, also in Vancouver.

What is a Automotive CAN Bus in Simple Terms

The CAN bus is like a school’s intercom system that lets teachers (car parts) send messages to everyone quickly and easily without running around the school (car) to tell each person one by one. It’s a smart, cheap way for car parts to talk to each other.

ECU’s communicate via a single CAN system instead of via direct complex analog signal lines – reducing errors, weight, wiring, and costs.

Who is Synacktiv?

Synacktiv is a company that specializes in cybersecurity services, including penetration testing, security audits, reverse engineering, development, and incident response. Founded in 2012, Synacktiv has completed numerous missions and has developed a reputation for technical expertise in offensive security. They also offer tools dedicated to intrusion tests and have published numerous articles on various cybersecurity topics.

Telsa’s Bug Bounty Program Details

In case you’re interested in having Tesla pay you serious amounts of money for finding bugs in their code or devices, here are all of the details of the Tesla bug bounty program.

Payout Guidelines

The following section shows the range of payouts along with specific examples of impact. Within a category, the amount will depend on factors such as how much owner interaction is required, the capabilities of a compromised process (in the case of code execution), and the quality of the report.

The below examples are not meant to be an exhaustive list of all valid findings within the program, but are meant to provide some clearer high-level guidelines and inspiration to researchers. If you have a security issue to report to us that does not fall into the below categories, please do not hesitate to reach out to us with your findings. We will continue to update the table with relevant categories and their associated payouts.

If a vulnerability falls into multiple categories, the highest severity applies.

Critical ($50,000 – $100,000)

  • Remote zero-click to unconfined root on infotainment
  • Any remote code execution on a CAN-connected ECU, e.g. Autopilot, VCSEC, Gateway
  • Infotainment pivot to CAN-connected ECU, e.g. Autopilot, VCSEC, Gateway

High ($20,000 – $50,000)

  • Remote one-click to unconfined root on infotainment
  • Unconfined root persistence on infotainment or Autopilot
  • Remote zero-click on lower-privileged peripherals (WiFi/BT firmware, baseband)
  • Local privilege escalation from unprivileged process

Moderate ($10,000 – $20,000)

  • Unprivileged remote code execution on infotainment
  • Unconfined root on infotainment or Autopilot via ethernet
  • Unconfined root on infotainment or Autopilot via USB
  • Zero-click radio module remote code execution
  • Steam VM escape

Low ($500 – $10,000)

  • Unprivileged persistence on infotainment or Autopilot
  • Local drive authentication bypass
  • PIN-to-Drive bypass

We do not award bounties for:

  • Relay attacks
  • Hardware-based glitching and side-channel attacks
  • Confusing Autopilot by modifying the environment, such as adding lines to the road (CWE-XKCD-1958 attacks)
  • Tesla-specific known issues (e.g., publicly reported or previously reported by another researcher)
  • Chromium and/or Webkit bugs, unless chained with a full sandbox escape
  • Persistence and/or secure boot bypasses on Tegra-based infotainment systems
  • Attacks that require physical access on Tegra-based infotainment systems

Payout Factors

  • If a vulnerability affects multiple systems, e.g. shared code, bounty will be determined by the highest single amount with a bonus determined at Tesla’s discretion
  • The bounty amount may be reduced if the attack is unreliable, relies on unusual conditions being met, etc.
  • A working proof-of-concept will help ensure you receive the maximum applicable payout for your report
  • Internal duplicates that are not yet fixed will still be rewarded at a reduced amount
  • Vulnerabilities affecting Tegra-based infotainment systems are rewarded at Tesla’s discretion, along with a reduced payout
  • Superchargers and related infrastructure are out of scope

We may at our discretion award payouts for CVEs in third-party code that affect us, provided it’s an unknown risk and the report demonstrates impact.

Root access program

To promote further security research, Tesla offers security researchers the opportunity to retain root access on their infotainment system even after their reported vulnerability has been patched. In order to qualify, a researcher must send in a valid report describing a novel way to gain root access on a Tesla infotainment system. Upon confirmation, Tesla will instruct the researcher on how to use their existing root access to enable the researcher SSH feature, along with an SSH certificate for the researcher’s public key (tailored to their specific hardware ID). The certificate restricts SSH access to the local diagnostic ethernet link. Tesla may renew the certificate as long as the researcher continues reporting vulnerabilities.



Leave a Reply

Avatar placeholder

Your email address will not be published. Required fields are marked *