Researcher Reward Program

Sharpen your skills. Get paid.

BH supports team members who go above and beyond their work to do research that makes the world a more secure place. This means that we will offer payouts if you find security weaknesses in your own time (even if you're also getting a payout as a bounty).

Getting Started

If you have a computer, you can get started with research. Check out https://www.bugcrowd.com/ and https://www.hackerone.com/ for spaces to test and collect bug bounties. It's as simple as signing up, picking a participating company, and starting to read through the documents on how their API works!

APIs with bug bounties are probably pretty well tested - you'll need to spend a lot of time to find weaknesses. However, most companies in the automotive space don't have bug bounties (or even vulnerability disclosure programs). This is great for you because you can narrow your focus to services and components in the automotive industry, a space where vulnerabilities are more likely to exist.

We highly encourage this: pick an automotive system to test. BH will purchase the equipment and give you the lab space to research this. Further, we believe that automotive systems that have a cyber-physical aspect to them are great to research because they provide incredible value in keeping passengers safe. Someone needs to research them.

BEFORE YOU START TESTING, BE FULLY AWARE OF THE LAWS AROUND YOUR TESTING. BLOCK HARBOR WILL NOT BE RESPONSIBLE IF YOU VIOLATE THE COMPUTER FRAUD AND ABUSE ACT.

PAYOUTS

A qualified vulnerability will make you eligible for a payout during the normal pay cycle. If you accept the payout, this gives BH the right to promote (and to support your promotion of) addressing or sharing that vulnerability. BH will always follow the path of responsible disclosure, but it's important to get the word out about the work that was done.

$500 for an information system vulnerability

$1000 for a cyber-physical system vulnerability

Vulnerability qualification

In qualifying a vulnerability, we need impartial judges to make sure that it's a fair process. The qualification process for a vulnerability will be democratic: classified and voted on by the team.

Vulnerability Submission