In August, DJI announced a bug bounty program that pays researchers who find flaws in its software, with rewards of between $100 and $30,000 depending on the severity of the flaw. But according to an essay by security researcher Kevin Finisterre, reported by the Verge, the program isn't off to a great start.
In his write-up, Finisterre describes his interactions with DJI before and after he reported some significant problems with the drone-maker's security. Before digging in, he checked with DJI whether its servers were within the scope of the bug bounty program; it took a while for DJI to respond, but it eventually confirmed that servers were in scope. After considerable digging, Finisterre put together a 31-page report detailing what he and his colleagues had found. That included the private key for DJI's SSL certificate, which had been leaked on GitHub, giving Finisterre access to a pile of customer data stored on DJI's servers.
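The security-relevant point in this incident is that a TLS private key was sitting in a public repository. The check a practitioner would want after reading this is a secret scan of their own repositories for PEM-encoded private keys. The script below is an added example, not code from Finisterre's report or from DJI: it scans a set of files for PEM private-key blocks, records the file and line where each was found, and fingerprints the decoded key material so the same key committed in several places (or across commits) can be recognised as one leak. The file names and the key body are constructed placeholders; the "key" is base64 of a plain string, not real key material.

```python
import base64
import hashlib
import re
from typing import Dict, List

# Matches a PEM private-key block of the common types. The backreference
# forces the END line to carry the same label as the BEGIN line.
PEM_PRIVATE_KEY_RE = re.compile(
    r"-----BEGIN ((?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY)-----\s*"
    r"(.*?)\s*"
    r"-----END \1-----",
    re.DOTALL,
)


def fingerprint_pem_body(body: str) -> str:
    """Short SHA-256 fingerprint of the decoded key bytes, so the same key
    is recognised regardless of line wrapping or surrounding whitespace."""
    raw = base64.b64decode("".join(body.split()))
    return hashlib.sha256(raw).hexdigest()[:16]


def scan_text(path: str, text: str) -> List[Dict[str, object]]:
    """Return one finding per PEM private-key block in `text`."""
    findings = []
    for match in PEM_PRIVATE_KEY_RE.finditer(text):
        kind, body = match.group(1), match.group(2)
        # 1-based line number of the BEGIN marker.
        line_no = text.count("\n", 0, match.start()) + 1
        findings.append({
            "path": path,
            "line": line_no,
            "kind": kind,
            "fingerprint": fingerprint_pem_body(body),
        })
    return findings


def scan_repo(files: Dict[str, str]) -> List[Dict[str, object]]:
    """Scan a mapping of path -> file contents (e.g. one commit's tree)."""
    findings = []
    for path in sorted(files):
        findings.extend(scan_text(path, files[path]))
    return findings


# Constructed sample repository. The key body is NOT a real key: it is the
# base64 encoding of a placeholder string, wrapped at 64 columns like PEM.
_FAKE_BODY = base64.b64encode(b"constructed placeholder, not a real key " * 3).decode()
_FAKE_PEM_LINES = "\n".join(_FAKE_BODY[i:i + 64] for i in range(0, len(_FAKE_BODY), 64))

CONSTRUCTED_REPO = {
    "README.md": "# deploy notes\nSee ops for certificates.\n",
    # A certificate is public material and must not be reported.
    "deploy/tls/server.crt": (
        "-----BEGIN CERTIFICATE-----\nMIIBconstructed\n-----END CERTIFICATE-----\n"
    ),
    # The private key, committed alongside the cert.
    "deploy/tls/server.key": (
        "# prod key, do not commit\n-----BEGIN RSA PRIVATE KEY-----\n"
        + _FAKE_PEM_LINES + "\n-----END RSA PRIVATE KEY-----\n"
    ),
    # The same key pasted into an old config file: same fingerprint.
    "docs/old-config.txt": (
        "legacy notes\n\n-----BEGIN RSA PRIVATE KEY-----\n"
        + _FAKE_PEM_LINES + "\n-----END RSA PRIVATE KEY-----\n"
    ),
}


if __name__ == "__main__":
    for finding in scan_repo(CONSTRUCTED_REPO):
        print(f"{finding['path']}:{finding['line']} {finding['kind']} "
              f"fingerprint={finding['fingerprint']}")
```

In practice you would run `scan_repo` over every commit in the history, not just the working tree, since a key removed in a later commit is still recoverable from the earlier one; the fingerprint is what lets you tell a rotated key from the same key re-committed.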
Finisterre turned in his report, and DJI eventually said that the findings warranted a $30,000 reward. But what followed was a series of negotiations over the terms of the deal, largely focused on what Finisterre could or couldn't say about the situation. After a number of lawyers told him that the agreement was risky at best (and, as Finisterre puts it, "likely crafted in bad faith to silence anyone that signed it"), and after he received a letter stating that he had no authority to access DJI's servers and that the company was therefore reserving its right of action under the Computer Fraud and Abuse Act, Finisterre walked away from the deal.
These types of programs are used by a number of companies, including Samsung, Apple, Twitter and Facebook, and even by dark net black markets. But for them to work, the terms (what is in scope, what testing is authorized, and how disclosure is handled) need to be laid out from the get-go. DJI has now created a website that provides more information on its bounty program, but that wasn't available when the program was announced in August.
DJI has released a statement about the situation. "DJI asks researchers to follow standard terms for bug bounty programs, which are designed to protect confidential data and allow time for analysis and resolution of a vulnerability before it is publicly disclosed," the company said. "The hacker in question refused to agree to these terms, despite DJI's continued attempts to negotiate with him, and threatened DJI if his terms were not met."