DJI launched a bug bounty program last August with the stated goal of partnering with security researchers so that vulnerabilities could be identified and fixed. DJI would pay researchers up to $30,000 for bugs it considered to be in-scope vulnerabilities.
It seemed like a sound plan, since companies such as Google, Microsoft and Yahoo run similar programs to find and fix security flaws; however, DJI's program is already running into problems. Kevin Finisterre, one of the security researchers hunting bugs in DJI's systems, has published an essay about his unpleasant experience with DJI's bug bounty program.
Finisterre and a few other hackers he was working with discovered a serious flaw in DJI's web security: DJI had accidentally published the private key for its SSL certificate on GitHub. With that key, the group was able to get access to personal customer information stored on DJI's servers. Finisterre reported the problem to DJI, which confirmed it was within the scope of the bug bounty program and offered him the top $30,000 bounty.
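The mistake at the centre of this story, a private key committed to a public repository, is one of the most common secret leaks there is, and the obvious check a practitioner wants is a scanner that catches PEM private-key blocks before they are pushed. The following is an added example, not code from the article, from DJI or from Finisterre; the sample file contents are constructed placeholders (not real keys) and the function names are the example's own.

```python
"""Scan files for committed PEM private keys.

Added example, not part of the original article. Flags the opening line of
any PEM private-key block (PKCS#1 RSA, SEC1 EC, DSA, OpenSSH, and plain or
encrypted PKCS#8) and reports whether the block is complete, i.e. whether a
matching END line follows. Certificates and public keys are deliberately
not flagged: they are meant to be shared.
"""
import re
import sys
from pathlib import Path

# Labels used by the PEM private-key headers this scanner recognises.
PRIVATE_KEY_BEGIN = re.compile(
    r"-----BEGIN (?P<label>(?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY)-----"
)


def find_private_keys(text: str):
    """Return [(line_number, label, complete)] for each private-key block in text.

    `complete` is True when a matching '-----END <label>-----' line follows the
    BEGIN line, which means the whole key material is present in the file.
    """
    lines = text.splitlines()
    hits = []
    for lineno, line in enumerate(lines, start=1):
        m = PRIVATE_KEY_BEGIN.search(line)
        if not m:
            continue
        label = m.group("label")
        end_marker = f"-----END {label}-----"
        complete = any(end_marker in later for later in lines[lineno:])
        hits.append((lineno, label, complete))
    return hits


def scan_texts(files: dict):
    """Scan an in-memory {path: content} mapping; returns [(path, line, label, complete)]."""
    findings = []
    for path, text in sorted(files.items()):
        for lineno, label, complete in find_private_keys(text):
            findings.append((path, lineno, label, complete))
    return findings


def scan_tree(root: Path, max_bytes: int = 1_000_000):
    """Scan a directory tree on disk, skipping .git internals and very large files."""
    files = {}
    for path in root.rglob("*"):
        if ".git" in path.parts or not path.is_file():
            continue
        if path.stat().st_size > max_bytes:
            continue
        try:
            files[str(path.relative_to(root))] = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable file; nothing to scan
    return scan_texts(files)


# Constructed sample "repository" for a stand-alone run. The key bodies are
# short, obviously fake placeholders, not real key material.
SAMPLE_FILES = {
    "config/server.crt": (
        "-----BEGIN CERTIFICATE-----\nMIIBFAKECERTIFICATEBODY\n-----END CERTIFICATE-----\n"
    ),
    "config/server.key": (
        "-----BEGIN RSA PRIVATE KEY-----\nMIIEFAKERSAKEYBODY\n-----END RSA PRIVATE KEY-----\n"
    ),
    "deploy/id_ed25519": (
        "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEFAKE\n"
        # no END line: the key was pasted in truncated
    ),
    "README.md": "Keep private keys out of the repository.\n",
}


if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    results = scan_tree(target) if target else scan_texts(SAMPLE_FILES)
    for path, lineno, label, complete in results:
        state = "complete" if complete else "truncated"
        print(f"{path}:{lineno}: {label} ({state})")
    sys.exit(1 if results else 0)
```

Run with a directory argument to scan a checkout, or with no arguments to scan the constructed sample. Because the script exits non-zero on any finding, it can sit behind a pre-commit hook or a CI step. Note that finding and deleting the file is not enough: a key that has ever been pushed to a public repository must be treated as compromised, which for a TLS key means revoking the certificate and reissuing it with a freshly generated key, and the old commit stays in the repository's history unless that history is rewritten.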
That seems like a fair deal for Finisterre. In fact, it was fair until DJI asked him not to publicly discuss any details of the work he had just done for them, and not even to disclose that he had done security research for them. Finisterre pushed back on the agreement, because public recognition for his work was as important to him as the $30,000 reward, if not more so. DJI's legal team eventually sent him a letter that referenced the Computer Fraud and Abuse Act; Finisterre did not take kindly to the letter and saw it as a threat. In response, he decided to go public with his experience of DJI's bug bounty program.
There are companies with bug bounty programs, such as Apple and United Airlines, that strictly require researchers not to disclose any information about a bounty. But those programs make the condition clear from the outset, and they usually give researchers at least some public credit.
Observers have noted that DJI's bug bounty program seemed rushed and that the company probably was not ready for the number of high-impact issues that would be sent to it.
“Despite all of the progress we’ve made over the last 4 years, it’s still relatively novel for organizations to partner with the research community through a bug bounty. It’s not uncommon for organizations who launch without preparation to become overwhelmed by the sheer number of high impact issues — which appears to be a significant part of the problem here,” says Jonathan Cran, the VP of operations at BugCrowd, a bug bounty platform.
“We would recommend DJI fix the issues as soon as possible and not pursue legal action. Based on the information we have today, this appears to be a misunderstanding and not malicious in its intent,” Cran says. “Bug bounties deliver extremely high-quality results at unparalleled cost — but as we emphasize to our customers, you need a partner.”
Since Finisterre went public with his experience, DJI has launched an official website for its bug bounty program that spells out the program's terms and conditions. Hopefully DJI can work out the kinks in its program and make it beneficial both for the company and for researchers like Finisterre.