Popular tech companies have been offering incentives for the public to report security weaknesses discovered within their infrastructure rather than exploit them. Many offer a monetary reward as part of a bug bounty program, and are allowed to publish their findings after the tech company has had time to fix the security lapse.
Chinese Drone maker DJI launched its bug bounty program in late August and has already accused a cybersecurity researcher of refusing to agree to the program’s terms “which are designed to protect confidential data and allow time for analysis and resolution of a vulnerability before it is publicly disclosed.” The researcher, Kevin Finisterre, claims he gained access to DJI’s confidential customer data after finding DJI’s SSL certificates and firmware AES encryption keys publicly posted on Github. The keys provided access to DJI servers which stored “unencrypted flight logs, passports, drivers license and identification cards”, some belonging to government and military entities. DJI manufactures the Phantom brand of consumer quadcopter drones- which are often used by military and government entities around the world. Earlier this year, Global Security Wire reported that the U.S. Army ordered units to stop using consumer drones developed by DJI due to security lapses and DJI’s ability to access drone data remotely.
In exchange for information on the released encryption keys, Finisterre claims DJI offered him a $30,000 bounty, the company’s highest reward, and asked him to sign a non-disclosure agreement, which would prevent him from publicly discussing his findings without written consent from DJI, terms Finisterre believes “posed a direct conflict of interest to many things including my freedom of speech.” DJI also refused to offer Finisterre any protection against future legal action, reserving its right of action under the Computer Fraud and Abuse Act, which prohibits accessing a computer without authorization, or in excess of authorization. Finisterre rejected DJI’s offer and soon published his email correspondence with the company. DJI has since launched its official bug bounty program website and made its terms available.
“Despite all of the progress we’ve made over the last 4 years, it’s still relatively novel for organizations to partner with the research community through a bug bounty. It’s not uncommon for organizations who launch without preparation to become overwhelmed by the sheer number of high impact issues — which appears to be a significant part of the problem here,” Jonathan Cran, VP of product at Bugcrowd, a bug bounty platform, told The Verge.
“We would recommend DJI fix the issues as soon as possible and not pursue legal action. Based on the information we have today, this appears to be a misunderstanding and not malicious in its intent,” Cran says. “Bug bounties deliver extremely high quality results at unparalleled cost — but as we emphasize to our customers, you need a partner.”