Yet this person did the right thing anyway and reported the vulnerability responsibly. So seemingly the level of the bounty was reasonable enough that it worked as intended, and a much higher bounty would have been a waste of money for Tesla.
I think the high likelihood of being caught and going to prison is also already a pretty big deterrent for people. Just think of all the challenges of actually pulling a hack like this off without being caught. For one thing, just the poking around that led to the discovery of the vulnerability has probably already logged a bunch of potentially suspicious activity linked to this guy's VIN number. So even if he sold it to someone else who did the hack he could probably be caught already. If he tried to orchestrate the hack himself, not only does he need to not be caught directly, but he'd also have to make a very large, very suspicious short trade right before the hack without it being traced back to him. Plus there's always a possibility that Tesla would have been able to lock him out quickly anyway or had some other kind of rate-limiting or other measures in place to prevent significant damage, or that even if he pulled off the hack perfectly the stock price wouldn't drop as much as expected.
> So seemingly the level of the bounty was reasonable enough that it worked as intended, and a much higher bounty would have been a waste of money for Tesla.
I think it's more likely that the person who reported the vulnerability would have done the right thing regardless of any bounty.
What would be the legality of sharing the hack publicly and allowing someone else to exploit it while shorting the stock?
I also wonder when something becomes a "hack". Some systems are so insecure you can almost accidentally exploit them. In this case the API just required an ID for access. How would someone know if that was by design, or a mistake?
As soon as you access something you're not supposed to. If a house is left unlocked and you walk in and take a look around, you're trespassing and it's a crime. And of course if you cause any damage or steal something, that's an even bigger crime.
Except with hacking, the punishments can be even more severe relative to the actual crime committed, because almost nobody in the legal system will understand the details of what happened so they can make you seem as dangerous as they want. Just look at Aaron Swartz and countless other examples of the heavy charges that have been given out for very minor, borderline cases of "hacking".