At first glance, the LinkedIn post from a UK-based security researcher was unremarkable: a photo of vendor swag – a hat, an iron-on patch and a gym bag – that he received as a “thank you” for participating in a company’s bug bounty program and reporting software flaws in its products.
What was remarkable was the company logo on the swag: the distinctive yellow stag set against the bright green of agricultural equipment giant John Deere. A handwritten note to the researcher, Sai Ganesh (@ganiganeshss79), thanked him for his participation in Deere’s bug bounty program, which is hosted by the bug bounty platform HackerOne. It was signed “The John Deere Security Team.”
The Trustworthy Computing Memo Lands On The Farm
In 2021, such gestures are commonplace in the software industry. It has been 16 years since TippingPoint Technologies (now part of 3COM) launched its Zero Day Initiative – one of the first “cash for vulnerabilities” programs. In the intervening years, hundreds of firms have followed suit including giants like Microsoft, Yahoo and Facebook, as well as device makers like Samsung and car makers GM and Tesla.
In 2021, tech industry firms draw attention to programs that reward researchers with cash – sometimes lots of it – and company swag for finding and reporting software flaws in their technology. The vulnerability disclosure market is expected to grow in value from $223m annually in 2020 to more than $5 billion by the end of the decade.
So far, however, that revolution had passed over the agriculture sector, which makes Deere’s sudden about-face all the more remarkable. Despite employing more software developers than mechanical design engineers, according to its CTO, Deere – as late as March – did not have a public vulnerability disclosure program for researchers like Ganesh to take part in. On the MITRE-maintained list of Common Vulnerabilities and Exposures (CVE), the company still does not have a single, publicly disclosed software vulnerability to its…