Bug bounty programs are a great way for tech companies to crowdsource help in securing their products – and for skilled tech experts to make some money on the side. Sadly, that’s not how things went for researcher Kevin Finisterre when he pointed out issues in DJI’s publicly shared code.
Instead of awarding him the $30,000 bounty that he had qualified for with his discovery, the Chinese drone maker dubbed him a ‘hacker’ who broke into its servers, and threatened to charge him under the Computer Fraud and Abuse Act (CFAA).
In a scathing post (PDF), Finisterre explained that DJI had published the private credentials for its web domains and Amazon Web Services accounts in code in its public GitHub repository, for all to see. Those credentials granted him access to flight logs, images shared by DJI customers, and photos of people’s government-issued IDs.
After Finisterre submitted his 31-page report to DJI in September, the company informed him that he’d earned $30,000 as a reward for his work. He didn’t hear back for almost a month after that – but when he did, it was DJI handing him a restrictive contract to sign.
It included stipulations that would curtail his freedom of speech on the issue, and even bar him from exploiting any security issues he came across (which would make it impossible for him to discover and report them in the first place). Subsequently, he received a legal threat that he would be charged under the CFAA.
Finisterre acknowledges that there were several moving parts for him and people at DJI to deal with in this exchange, and that included dealing with the company’s legal team in China. Unfortunately, it played out terribly for both parties, and he walked away from the bug bounty program entirely as a result, and hasn’t heard from DJI since.
It’ll be a marvel if DJI can get others to participate in its program after this, and that’s not the way things should be. If anything, the incident should serve as a lesson to companies running bug bounty programs that they should consider how they handle reports end to end, from accepting submissions through to payouts, legal protections and correspondence.
You can read Finisterre’s entire account of how things went down with DJI over on this page (PDF).
We’ve contacted DJI to learn more and will update this post if there’s a response.