Bug bounty programs are a great way for tech companies to crowdsource help in securing their products – and for skilled tech experts to make some money on the side. Sadly, that’s not how things went for researcher Kevin Finisterre when he pointed out issues in DJI’s publicly shared code.
Instead of awarding him the $30,000 bounty that he had qualified for with his discovery, the Chinese drone maker dubbed him a ‘hacker’ who broke into its servers, and threatened to pursue charges against him under the Computer Fraud and Abuse Act (CFAA).
In a scathing post (PDF), Finisterre explained that DJI had published the private credentials for its web domains and Amazon Web Services accounts in code in its GitHub repository for all to see; those granted him access to flight logs, images shared by DJI customers, as well as photos of people’s government-issued IDs.
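The root cause described above is credentials committed to a public repository. As an added example (not code from DJI, Finisterre, or the original article), the scanner below shows the kind of secret check a project can run over committed text before a push: it matches the documented AWS access key ID format, flags 40-character tokens near the word "secret" only when their entropy looks like a real key, and spots PEM private-key headers. The sample file, variable names and threshold are constructed for the example; the AWS values are the placeholders from AWS's own documentation.

```python
import math
import re

# Credential shapes involved in a leak of this kind: AWS keys and private
# keys committed to source. Key formats follow AWS's published documentation.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
# A 40-char base64-ish token on a line that mentions "secret"; the entropy
# check in scan_text() drops obvious placeholders such as 40 repeated 'x'.
SECRET_RE = re.compile(r"(?i)secret.{0,40}?['\"]([A-Za-z0-9/+=]{40})['\"]")
PEM_RE = re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; generated keys score well above 4."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def redact(value: str) -> str:
    """Keep a 4-char prefix so a finding is identifiable without re-leaking it."""
    return value[:4] + "*" * (len(value) - 4)


def scan_text(text: str) -> list:
    """Return (line_no, kind, redacted_value) for each credential-like match."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((no, "aws_access_key_id", redact(m.group(0))))
        m = SECRET_RE.search(line)
        if m and shannon_entropy(m.group(1)) > 4.0:  # assumed threshold
            findings.append((no, "aws_secret_access_key", redact(m.group(1))))
        if PEM_RE.search(line):
            findings.append((no, "private_key_pem", "-----BEGIN ... PRIVATE KEY-----"))
    return findings


# Constructed sample of a committed settings file (not DJI's code). The AWS
# values are the example placeholders from AWS documentation, not real keys.
SAMPLE_SOURCE = "\n".join([
    "# settings.py (constructed sample)",
    'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',
    'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"',
    'DB_SECRET = "' + "x" * 40 + '"  # low-entropy placeholder, should be skipped',
    "TLS_KEY = '''-----BEGIN RSA PRIVATE KEY-----",
    "MIIEpAIBAAKCAQEA...",
    "-----END RSA PRIVATE KEY-----'''",
])

if __name__ == "__main__":
    for finding in scan_text(SAMPLE_SOURCE):
        print(finding)
```

Wired into a pre-commit hook or CI job, a non-empty result from scan_text() is the point at which a push should be refused and the key rotated, since anything already pushed to a public repository must be treated as compromised.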
After Finisterre submitted his 31-page report to DJI in September, the company informed him that he’d earned $30,000 as a reward for his work. He didn’t hear back for almost a month after that – but when he did, it was DJI handing him a restrictive contract to sign.
It included stipulations that would curtail his freedom of speech on the issue, and even bar him from exploiting any security issues he came across (which would make it impossible for him to discover and report them in the first place). Subsequently, he received a legal threat of prosecution under the CFAA.
Finisterre acknowledges that there were several moving parts for him and people at DJI to deal with in this exchange, and that included dealing with the company’s legal team in China. Unfortunately, it played out terribly for both parties, and he walked away from the bug bounty program entirely as a result, and hasn’t heard from DJI since.
It’ll be a marvel if DJI can get others to participate in its program after this, and that’s not the way things should be. If anything, the incident should serve as a lesson to companies running bug bounty programs that they should consider how they handle reports end to end: from accepting submissions, through payouts, to managing legal protections and correspondence.
You can read Finisterre’s entire account of how things went down with DJI over on this page (PDF).
Update (22 November, 2017): DJI explained its stance in a statement to TNW:
DJI implemented its Security Response Center to encourage independent security researchers to responsibly report potential vulnerabilities. DJI asks researchers to follow standard terms for bug bounty programs, which are designed to protect confidential data and allow time for analysis and resolution of a vulnerability before it is publicly disclosed.
While we did warn Kevin Finisterre with a draft letter from our legal department about the unauthorized use of the data he found on our server, we continued negotiating with Kevin in good faith to agree on standard terms. After several weeks of further negotiations, he refused to agree to the terms that we mutually set out, and he was the one who walked away from the table.
Responsibly reporting a vulnerability to DJI is how we intend to work with security researchers. We take data security seriously, and will continue to improve our products based on what researchers discover and disclose issues that may affect the security of DJI user data and DJI’s products. We have already paid out close to a dozen researchers who have agreed to the terms and conditions and submitted reports to our Security Response Center.