{"id":2139,"date":"2017-11-21T11:26:26","date_gmt":"2017-11-21T11:26:26","guid":{"rendered":"http:\/\/bestdroneforthejob.com\/?p=2139"},"modified":"2019-02-16T19:57:25","modified_gmt":"2019-02-16T19:57:25","slug":"dji-bug-bounty-threats","status":"publish","type":"post","link":"https:\/\/bestdroneforthejob.com\/blog\/dji-bug-bounty-threats\/","title":{"rendered":"Developer Declines $30,000 Bounty After Legal Threats from DJI Over Bug Bounty Program"},"content":{"rendered":"
Earlier this year, the US Army suspended the use of DJI drones, citing security concerns. DJI scrambled to patch up its security protocols. One of the actions it took was to develop a bug bounty program, which would pay developers between $100 and $30,000 for discovering and reporting security issues on DJI software platforms.

But the program has already run into murky waters. A developer claims that he was the subject of legal threats from DJI after reporting a serious security vulnerability that could expose sensitive data from users of DJI's top drones.

Kevin Finisterre, a software engineer, sent an email to DJI reporting a major security problem with its software. Kevin, along with a group of other developers, had found a private SSL key left out in the open on GitHub.

This key allowed them to access DJI servers where they could easily see sensitive customer data, including flight logs, aerial photos, passports and driver's licenses. Even more worrying was the fact that some of the data seemed to come from government and military domains.

This is not the first time that Finisterre has made headlines in regard to DJI. Earlier this year he reported a vulnerability in the DJI Go app that allowed remote backdoor access.

Then, he was met with silence from DJI.

This time round they responded, but were no more helpful than before. In fact, the interaction between DJI staff and Finisterre escalated into legal threats.

Finisterre began communicating with DJI as early as September 2nd. He asked for clarification on whether the bug bounty program covered server security discoveries. DJI confirmed that it did. Finisterre then submitted a detailed report of his findings.

But over the course of dozens of emails, DJI resorted to extortion and legal threats in an attempt to silence Finisterre and cover up the security problem.

Where Did It All Start?
DJI's Response