Developer Declines $30,000 Bounty After Legal Threats from DJI Over Bug Bounty Program

Published 2017-11-21, last updated 2019-02-16. https://bestdroneforthejob.com/blog/dji-bug-bounty-threats/

Earlier this year, the US Army suspended the use of DJI drones, citing security concerns. DJI scrambled to patch up its security protocols. One of the actions it took was to develop a bug bounty program, which would pay developers between $100 and $30,000 for discovering and reporting security issues on DJI software platforms.

But the program has already run into murky waters. A developer claims that he was the subject of legal threats from DJI after reporting a serious security vulnerability that could expose sensitive data belonging to users of DJI's top drones.

Where Did It All Start?

Kevin Finisterre, a software engineer, sent an email to DJI reporting a major security problem with its software. Kevin, along with a group of other developers, had found a private SSL key that had been left publicly exposed on GitHub.


This key allowed them to access DJI servers where they could easily see sensitive customer data. This included flight logs, aerial photos, passports and driver's licenses. Even more worrying was the fact that some of the data appeared to come from government and military domains.

This is not the first time that Finisterre has made headlines with regard to DJI. Earlier this year he reported a vulnerability in the DJI Go app that allowed remote backdoor access.

That time, he was met with silence from DJI.

This time round DJI responded, but was no more helpful than before. In fact, the interaction between DJI staff and Finisterre escalated into legal threats.

Finisterre began communications with DJI as early as September 2nd. He asked for clarification on whether the bug bounty program covered server security discoveries, and DJI confirmed that it did. Finisterre then submitted a detailed report of his findings.

But over the course of dozens of emails, DJI resorted to extortion and legal threats in an attempt to silence Finisterre and cover up the security problem.

DJI’s Response

For a firsthand account from Finisterre, you can read the lengthy essay (PDF) he published.

When Finisterre sent in the bug report, DJI’s immediate response was to vaguely deny that servers were part of the reward program. Shortly afterwards, however, DJI accepted the report and offered the full $30,000 reward.

All was well until a month later, when DJI sent over the terms for Finisterre’s bug bounty reward. Finisterre did not agree to the terms, and a back-and-forth followed between him and one of DJI’s staff members.

One particularly restrictive condition was that Finisterre and other bug hunters could not disclose any vulnerabilities they had discovered without written consent from DJI.

In most bug bounty programs, bug hunters give the company time to patch the issue and then release their findings to the public, a practice known as coordinated disclosure.

DJI essentially wanted control over whether the public learned of security issues at all, even when those issues involved the public’s own personal data.

“I’ll certainly retain my freedom of speech in this transaction…,” Finisterre replied to DJI regarding the ‘gag order’.

DJI’s Legal Threat


DJI threatened Finisterre with legal action under the Computer Fraud and Abuse Act, claiming that he had accessed DJI servers without authorization.

Finisterre tried several more times to get friendlier bug bounty terms from DJI, to no avail. Eventually, he gave up and has since disclosed his frustrating interactions with DJI.

There are reports that several other developers also walked away from the program when DJI demanded they sign a very restrictive NDA.

DJI has since released a statement on its website, saying:

“DJI is investigating the reported unauthorized access of one of DJI’s servers containing personal information submitted by our users.

As part of its commitment to customers’ data security, DJI engaged an independent cyber security firm to investigate this report and the impact of any unauthorized access to that data. Today, a hacker who obtained some of this data posted online his confidential communications with DJI employees about his attempts to claim a ‘bug bounty’ from the DJI Security Response Center…

… The hacker in question refused to agree to these terms, despite DJI’s continued attempts to negotiate with him, and threatened DJI if his terms were not met.”

With the Chinese company facing more questions over the security of its software, the bug bounty program is more important than ever. But it remains to be seen whether developers and security researchers will still be willing to participate.

Written by Andrew Nixon. Estimated reading time: 4 minutes.