A participant of DJI’s recently introduced bug bounty program, an initiative rewarding those who discover issues that could affect the security of DJI’s drone software, has released a detailed story of his personal debacle with the program, which he says he walked away from due to the “rabbit hole” he ended up getting into.
In an 18-page report, Kevin Finisterre – who DJI, in its own statement in response to the report, refers to as a hacker – explains, “Why I walked away from $30,000 of DJI bounty money.”
In August, not long after the company came under fire by the U.S. Army, which said it would “halt use of all DJI products” due to “increased awareness of cyber vulnerabilities,” DJI announced its new bug bounty program, which would reward researchers with $100 to $30,000 for finding and sharing DJI software issues that could compromise users’ data security or affect flight safety.
Finisterre says DJI’s press release explaining the program “left a lot to be desired with regard to defined boundaries,” so he reached out to the company to ask for clarification regarding finding issues with servers. In the two weeks he waited for a response, Finisterre claims he was able to uncover server data such as “unencrypted flight logs, passports, drivers licenses and identification cards” of users, thanks to leaked SSL keys on GitHub.
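The exposure Finisterre describes started with private keys committed to a public GitHub repository. The usual defensive control for that is a secret scanner run over the tree (and ideally in a pre-commit hook) before anything is pushed. The script below is an added illustration, not code from the article or from DJI: the sample files are constructed, the `AKIAIOSFODNN7EXAMPLE` value is Amazon's documented placeholder access key id (not a real credential), and the rule names are my own.

```python
import os
import re

# Constructed sample of a small repository tree, keyed by path.
# Two of the three files contain material a scanner should flag.
SAMPLE_FILES = {
    "config/settings.py": (
        "DB_HOST = 'db.internal'\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"  # Amazon's documented placeholder id
    ),
    "deploy/server.key": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIEowIBAAKCAQEA...truncated-constructed-sample...\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
    "README.md": "# Build notes\nRun make to compile.\n",
}

# Detection rules (names are assumptions for this example). Each rule is a
# regular expression applied line by line so the report can cite a line number.
PATTERNS = {
    # PEM-encoded private key of any common flavour (RSA, EC, OpenSSH, DSA, PKCS#8).
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    # AWS access key ids are 20 characters and start with AKIA.
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # A quoted literal of 8+ chars assigned to a variable named like a secret.
    "generic_secret_assignment": re.compile(
        r"(?i)\b(?:secret|password|api[_-]?key|token)\b\s*[:=]\s*['\"][^'\"]{8,}['\"]"
    ),
}

def scan_text(path, text):
    """Return one finding dict per (line, rule) hit in the given file content."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append({"path": path, "line": lineno, "rule": rule})
    return findings

def scan_files(files):
    """Scan an in-memory mapping of path -> content (used for the sample and the test)."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings

def scan_directory(root, max_bytes=1_000_000):
    """Scan a real checkout on disk, skipping .git and oversized or binary files."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.getsize(full) > max_bytes:
                continue
            try:
                with open(full, "r", encoding="utf-8") as fh:
                    text = fh.read()
            except (UnicodeDecodeError, OSError):
                continue  # binary or unreadable; not a text secret
            findings.extend(scan_text(os.path.relpath(full, root), text))
    return findings

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['path']}:{f['line']}: {f['rule']}")
```

Running it prints one line per hit (`deploy/server.key:1: private_key_block`, `config/settings.py:2: aws_access_key_id`); wiring `scan_directory` into a pre-commit hook that exits non-zero on any finding stops the key from ever reaching the remote. Pattern matching like this produces false positives and misses encoded or split secrets, so it complements, rather than replaces, keeping keys out of source trees entirely and rotating any key that was ever committed.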
DJI did, indeed, respond that “servers, including source code leak,” were part of the bug bounty program, and Finisterre says he submitted his report to the company, which later confirmed that he would be receiving the top reward of $30,000. However, Finisterre says he later received an agreement that “did not offer [bug bounty] researchers any sort of protection” and that “was likely crafted in bad faith to silence anyone that signed it,” thus infringing on his freedom of speech, he explains. Finisterre also says DJI notified him of the company’s “right of action under the Computer Fraud and Abuse Act.” In turn, Finisterre says he ended up walking away from the bug bounty program.
On DJI’s side, the company released a statement claiming “unauthorized access” on one of its servers by “a hacker who … posted online his confidential communications with DJI employees about his attempts to claim a ‘bug bounty’ from the DJI Security Response Center.” DJI says it has since hired a cyber security firm to “investigate this report and the impact of any unauthorized access to that data.”
“DJI implemented its Security Response Center to encourage independent security researchers to responsibly report potential vulnerabilities,” the company continued. “DJI asks researchers to follow standard terms for bug bounty programs, which are designed to protect confidential data and allow time for analysis and resolution of a vulnerability before it is publicly disclosed. The hacker in question refused to agree to these terms, despite DJI’s continued attempts to negotiate with him, and threatened DJI if his terms were not met.”
The company added, “DJI takes data security extremely seriously and will continue to improve its products thanks to researchers who responsibly discover and disclose issues that may affect the security of DJI user data and DJI’s products. DJI has paid thousands of dollars to almost a dozen researchers who have submitted reports to the Security Response Center and agreed to the terms for payment. As the Security Response Center receives new reports, DJI regularly agrees to pay new bounties to researchers for their discoveries.”
The company then points to its newly unveiled DJI Security Response Center website, which now offers a lengthy resource for the rules of the bug bounty program. The rules note that DJI “reserves the right to modify or discontinue this program at any time” and that DJI “in its sole discretion will decide when and how, and to what extent of details, to disclose to the public the bugs/vulnerabilities reported by you.”