bug bounty program
Google expands its bug bounty program to target generative AI attacks
With concerns around generative AI ever-present, Google has announced an expansion of its Vulnerability Rewards Program (VRP) focused on AI-specific attacks and opportunities for malice. As such, the company released updated guidelines detailing which discoveries qualify for rewards and which fall out of scope. For example, discovering training data extraction that leaks private, sensitive information falls in scope, but if it only shows public, nonsensitive data, then it wouldn't qualify for a reward. Last year, Google gave security researchers $12 million for bug discoveries. Google explained that AI presents different security issues than their other technology -- such as model manipulation and unfair bias -- requiring new guidance to mirror this.
OpenAI launches a bug bounty program for ChatGPT
OpenAI is turning to the public to find bugs in ChatGPT, announcing a "Bug Bounty Program" to reward people who report any security flaws, vulnerabilities or other issues within the AI system. The bounty is open to anyone from actual researchers to general people who just like exploring technology. Rewards come in the form of cash prizes with "low-severity findings" starting at $200 and "exceptional discoveries" going all the way up to $20,000. Bugcrowd, a bug bounty platform, is handling submissions and payouts. Google and Apple are among the tech companies that have previously implemented bug bounty programs.
- Information Technology > Artificial Intelligence > Natural Language > Large Language Model (1.00)
- Information Technology > Artificial Intelligence > Natural Language > Chatbot (1.00)
- Information Technology > Artificial Intelligence > Machine Learning > Neural Networks > Deep Learning > Generative AI (0.66)
Will AI Make Cyber Swords or Shields: A few mathematical models of technological progress
Lohn, Andrew J, Jackson, Krystal Alex
Predicting the impact of advances in technology may be a fool's errand but it is a necessary one nonetheless to help try to guide research and funding toward efforts that benefit defense more than offense. For this paper, we try to mathematically model the impact of further advancement in several critical aspects of cybersecurity. Perhaps more importantly than any of the forewarnings or funding recommendations we come to, this approach strives to sharpen debates about AI's impact on cybersecurity. This is the companion paper for a separate report, published by CSET and titled, "Will AI Make Cyber Swords or Shields," illustrating the value of rigor in policy discussions about technological advancement. There is too much uncertainty to believe that the math gives precise projections, but it forces us to be precise in our assumptions. Reasonable people may disagree with the range of values we choose as inputs or even the models we use. We welcome those disagreements and hope they advance our collective understanding of how AI may change the future of cybersecurity. Following this introduction, we proceed with separate analysis from three areas of cybersecurity: 1) phishing, 2) vulnerability discovery, then 3) the dynamics between patching and exploitation.
- North America > United States > New York > New York County > New York City (0.05)
- North America > United States > District of Columbia > Washington (0.04)
- North America > United States > California > Los Angeles County > Santa Monica (0.04)
The new weapon in the fight against biased algorithms: Bug bounties
When it comes to detecting bias in algorithms, researchers are trying to learn from the information security field – and particularly, from the bug bounty-hunting hackers who comb through software code to identify potential security vulnerabilities. The parallels between the work of these security researchers and the hunt for possible flaws in AI models, in fact, are at the heart of the work carried out by Deborah Raji, a research fellow in algorithmic harms for the Mozilla Foundation. Presenting the research she has been carrying out with advocacy group the Algorithmic Justice League (AJL) during the annual Mozilla Festival, Raji explained how, along with her team, she has been studying bug bounty programs to see how they could be applied to the detection of a different type of nuisance: algorithmic bias. Bug bounties, which reward hackers for discovering vulnerabilities in software code before malicious actors exploit them, have become an integral part of the information security field. Major companies such as Google, Facebook or Microsoft now all run bug bounty programs; the number of these hackers is multiplying, and so are the financial rewards that corporations are ready to pay to fix software problems before malicious hackers find them.
- Information Technology > Security & Privacy (1.00)
- Information Technology > Artificial Intelligence > Robots (0.55)
- Information Technology > Communications > Social Media (0.46)
Here's how hackers are making your Tesla, GM and Chrysler less vulnerable to attack
In March, a Tesla Model 3 was hacked. The duo responsible for uncovering the vulnerability accessed the car's web browser, executed code on its firmware and displayed a message on the infotainment system before making off with the Model 3 and $375,000. The hackers didn't remotely take total control of the car or wreak havoc on its door locks or brakes while an innocent driver sat inside.
- Transportation > Passenger (1.00)
- Transportation > Ground > Road (1.00)
- Transportation > Electric Vehicle (1.00)
A DJI Bug Exposed Drone Photos and User Data
DJI makes some of the most popular quadcopters on the market, but its products have repeatedly drawn scrutiny from the United States government over privacy and security concerns. Most recently, the Department of Defense in May banned the purchase of consumer drones made by a handful of vendors, including DJI. Now DJI has patched a problematic vulnerability in its cloud infrastructure that could have allowed an attacker to take over users' accounts and access private data like photos and videos taken during drone flights, a user's personal account information, and flight logs that include location data. A hacker could have even potentially accessed real-time drone location and a live camera feed during a flight. The security firm Check Point discovered the issue and reported it in March through DJI's bug bounty program.
- Information Technology > Security & Privacy (1.00)
- Information Technology > Artificial Intelligence > Robots > Autonomous Vehicles > Drones (1.00)
Facebook Offering $40,000 Bounty If You Find Evidence Of Data Leaks
Facebook pays millions of dollars every year to researchers and bug hunters to stamp out security holes in its products and infrastructure, but following the Cambridge Analytica scandal, the company today launched a bounty program to reward users for reporting "data abuse" on its platform. The move comes as Facebook CEO Mark Zuckerberg prepares to testify before Congress this week amid scrutiny over the data sharing controversy surrounding Cambridge Analytica, a political consultancy firm that obtained and misused data on potentially 87 million of its users. Through its new "Data Abuse Bounty" program, Facebook would ask users to help the social media giant find app developers misusing data, Facebook announced Tuesday. Similar to its existing bug bounty program, the Data Abuse Bounty program will reward a sum of money to anyone who reports valid events of data collection that violate Facebook's revamped data policies. "This program is complementary to our existing bug bounty program in that it 'follows the data' even if the root cause isn't a security flaw in Facebook's code," the company explains.
- Information Technology > Services (1.00)
- Information Technology > Security & Privacy (1.00)
Fiat Chrysler launches bug bounty program for connected vehicles
Fiat Chrysler Automobiles has launched a bug bounty program to attract white-hat hackers to spot cybersecurity flaws in its products and connected services. The program is focused on FCA's connected vehicles, including systems within them and external services and applications that link to them. The move follows the remote hack and control of a Jeep Cherokee, one of the company's products, by security researchers. That breach led to the recall of 1.4 million vehicles last year. Fiat Chrysler is also moving quite aggressively in the area of autonomous vehicles, announcing earlier this year the joint development of self-driven minivans with Alphabet's Google Self-Driving Car Project.
- Transportation > Passenger (1.00)
- Transportation > Ground > Road (1.00)
- Information Technology > Security & Privacy (1.00)
- Automobiles & Trucks > Manufacturer (1.00)