Tesla recently updated its responsible disclosure guidelines with clarifications that welcome researchers to probe the software in its cars for security bugs.
Well known for its security-aware attitude, the company is now spelling out for security researchers that they can hack Tesla cars without fear of ending up with a non-running automobile, of voiding the warranty, or of legal liability.
There are some conditions, though. Both the security expert and the vehicle must be registered and approved for carrying out security tests as part of the company's vulnerability reporting program, and the effort must be in good faith.
If these requirements are met, Tesla will offer over-the-air (OTA) assistance to researchers who need their research-registered car to be updated.
Reflashing the car's firmware is possible at service centers using Tesla's standard tools, or through other appropriate methods.
Tesla makes it explicit that its goodwill is not to be abused, reserving the right to cap requests for assistance at a limited number. Also, researchers should not expect the car maker to cover out-of-pocket expenses, such as towing the vehicle to the service center.
All researchers and cars that have been approved in the vulnerability reporting program are safe from any legal charges under the Computer Fraud and Abuse Act (CFAA).
As for the Digital Millennium Copyright Act (DMCA), Tesla won't bring copyright infringement claims against pre-approved researchers who circumvent the car's security mechanism, if they do not access any other code or binaries.
The reason for these clarifications is that security researchers and car manufacturers don't always see eye to eye when it comes to testing digital defenses.
In 2013, a group of researchers was prevented through a court order from disclosing a serious weakness in the Megamos Crypto transponder used in anti-theft devices present in keyless cars. The flaw allowed an attacker to unlock the car and start the engine.
Volkswagen had implemented this solution in millions of cars, including luxury brands like Porsche, Audi, Bentley, and Lamborghini.
Because the researchers reverse-engineered proprietary security mechanisms, Volkswagen was able to sue the researchers and keep their work unpublished for two years. They presented it at the USENIX security conference in 2015.
Tesla obviously sees things differently and appreciates any contribution that makes its products more secure.
"If you are the first researcher to report a confirmed vulnerability, we will list your name in our Hall of Fame (unless you would prefer to remain anonymous). You may also be considered for an award if you are the first researcher to report one of the top 3 confirmed vulnerabilities in a calendar quarter," the company says.