Developer Declines $30,000 Bounty After Legal Threats from DJI Over Bug Bounty Program

DJI Matrice 200 top drones

Earlier this year, the US army suspended the use of DJI drones citing security concerns. DJI scrambled to patch up its security protocols. One of the actions they took was develop a bug bounty program, which would pay developers between $100 and $30,000 for discovering and reporting security issues on DJI software platforms.

But the program has already run into murky waters. A developer claims that he was the subject of legal threats from DJI after reporting a serious security vulnerability that could expose sensitive data from users of DJI top drones.

Where Did It All Start?

Kevin Finisterre, a software engineer, sent an email to DJI reporting a major security problem with their software. Kevin, along with a group of other developers had found a private SSL key left out in the open on GitHub.

DJI Top drones bug bounty program

This key allowed them to access DJI servers where they could easily see sensitive customer data. This includes flight logs, aerial photos, passports and drivers licenses. Even more worrying was the fact that some of the data seemed to come from government and military domains.

This is not the first time that Finisterre has made headlines in regards to DJI. Earlier this year he reported a vulnerability on the DJI Go app that allowed remote backdoor access.

Then, he was met with silence from DJI.

This time round they responded but were no more helpful than before. In fact, the interaction between DJI staff and Finisterre escalated into legal threats.

Finisterre began communications with DJI as early as September 2nd. He asked for clarification on whether the bug bounty program covered server security discoveries. DJI confirmed that they were. Finisterre then submitted a detailed report of his findings.

But over the course of dozens of emails, DJI resorted to extortion and legal threats in an attempt to silence Finisterre and cover up the security problem.

DJI’s Response

For a firsthand account from Finisterre, you can read the lengthy easy (PDF) he published.

When Finisterre sent in the bug report, DJI’s immediate response was to vaguely deny that servers were part of the reward program. Shortly later however, they accepted the report and offered the full $30,000 reward.

Things were all good until a month later when DJI sent over the terms for Finisterre’s bug bounty reward. Finisterre did not agree to the terms and there was a back and forth between him and one of DJI’s staff members.

One particular restrictive condition was that Finisterre and other bug hunters could not disclose any vulnerabilities they had discovered without a written consent from DJI.

What normally happens in most bug bounty programs is that the bug hunters give companies time to patch the issue and then they release their findings to the public.

DJI essentially wanted control over whether the public knew about security issues or not even if it involved their personal data.

“I’ll certainly retain my freedom of speech in this transaction…,” Finisterre replied to DJI in regards to the ‘gag order’.

DJI’s Legal Threat

DJI Legal Threat

DJI threatened Finisterre with legal action under the Computer Fraud and Abuse Act. They claimed that he had accessed DJI servers without authorization.

Finisterre tried several more times to get friendlier bug bounty terms from DJI to no avail. Eventually, he gave up and has since disclosed his frustrating interactions with DJI.

There are reports that several other developers also walked away from the program when DJI demanded they sign a very restrictive NDA.

DJI has since released a report on its website saying;

DJI is investigating the reported unauthorized access of one of DJI’s servers containing personal information submitted by our users.

“As part of its commitment to customers’ data security, DJI engaged an independent cyber security firm to investigate this report and the impact of any unauthorized access to that data. Today, a hacker who obtained some of this data posted online his confidential communications with DJI employees about his attempts to claim a “bug bounty” from the DJI Security Response Center……

…… The hacker in question refused to agree to these terms, despite DJI’s continued attempts to negotiate with him, and threatened DJI if his terms were not met.”

With the Chinese company facing more questions over the security of its software, the bug bounty program is more important than ever. But it remains to be seen whether developers and security researchers will still be willing to participate.