Drone-Maker DJI Offers Bug Bounty Program, Then Threatens Bug-Finder With The CFAA
from the that's-a-shitty-bounty dept
Far too many companies and industries out there seem to think that the best way to handle a security researcher finding security holes in their tech and websites is to immediately begin issuing threats. This is almost always monumentally dumb for any number of reasons: the researchers' work actually benefits the very companies issuing the threats, and the coverage those threats attract makes the vulnerabilities more widely known than they would have been otherwise.
But drone-maker DJI gets special marks for attacking security researchers, having decided to turn on one that was working within the bug-bounty program it had set up.
DJI, the Chinese company that manufactures the popular Phantom brand of consumer quadcopter drones, was informed in September that developers had left the private keys for both the “wildcard” certificate for all the company’s Web domains and the keys to cloud storage accounts on Amazon Web Services exposed publicly in code posted to GitHub. Using the data, researcher Kevin Finisterre was able to access flight log data and images uploaded by DJI customers, including photos of government IDs, driver’s licenses, and passports. Some of the data included flight logs from accounts associated with government and military domains.
Finisterre found the security error after beginning to probe DJI’s systems under DJI’s bug bounty program, which was announced in August. But as Finisterre worked to document the bug with the company, he got increasing pushback—including a threat of charges under the Computer Fraud and Abuse Act (CFAA). DJI refused to offer any protection against legal action in the company’s “final offer” for the data. So Finisterre dropped out of the program and published his findings publicly yesterday, along with a narrative entitled, “Why I walked away from $30,000 of DJI bounty money.”
Finisterre helpfully documented his interactions with several DJI employees, all of which paint a pretty clear picture of a company that encouraged his work in finding exposed data and insecure public-facing websites. So appreciative was DJI, in fact, that Finisterre won the top prize for its bug-bounty program: $30,000. That prize came for Finisterre’s discovery that DJI’s SSL certificates and firmware encryption keys had been exposed via GitHub for years. After receiving written confirmation from DJI that its servers were within the scope of the bounty program, Finisterre submitted his disclosure report.
That’s when things got weird.
When Finisterre submitted his full report on the exposure to the bug bounty program, he received an e-mail from DJI’s Brendan Schulman that said the company’s servers were suddenly not in scope for the bounty program. Still, Finisterre received notification from DJI’s bug bounty program e-mail account on September 28 that his report earned the top reward for the program—$30,000 in cash. Then, Finisterre heard nothing for nearly a month.
Ultimately, Finisterre received an e-mail containing an agreement contract that he said “did not offer researchers any sort of protection. For me personally, the wording put my right to work at risk, and posed a direct conflict of interest to many things including my freedom of speech.” It seemed clear to Finisterre that “the entire ‘Bug Bounty’ program was rushed based on this alone,” he wrote.
He goes on to note that he had several lawyers look over the contract, all of whom balked at the language it contained. Hiring any of them to work the contract to the point that it was something he would sign would cost several thousand dollars, reducing the bounty reward to the point that it wasn’t really worth collecting. On top of all that, the language in the contract offered nothing in the way of protection from the CFAA, which is frankly insane for a bug bounty program. The whole point is to research vulnerabilities. Jail time is not supposed to be a risk in that sort of work.
When Finisterre decided to refuse the bounty and go public instead, DJI suddenly began calling him a “hacker” and acted as though it barely had any idea who he was, despite having interacted with him over hundreds of emails.
DJI is investigating the reported unauthorized access of one of DJI’s servers containing personal information submitted by our users. As part of its commitment to customers’ data security, DJI engaged an independent cyber security firm to investigate this report and the impact of any unauthorized access to that data. Today, a hacker who obtained some of this data posted online his confidential communications with DJI employees about his attempts to claim a “bug bounty” from the DJI Security Response Center.
DJI implemented its Security Response Center to encourage independent security researchers to responsibly report potential vulnerabilities. DJI asks researchers to follow standard terms for bug bounty programs, which are designed to protect confidential data and allow time for analysis and resolution of a vulnerability before it is publicly disclosed. The hacker in question refused to agree to these terms, despite DJI’s continued attempts to negotiate with him, and threatened DJI if his terms were not met.
DJI has also shuttered the bug bounty program; emails to it now bounce back with a notice that bug reports can still be submitted, but that bounties are no longer available.
And so here we are. DJI offered a bug bounty program, and one researcher responded with a report about some serious vulnerabilities, including the exposure of DJI customer information. Instead of being grateful for that information and fixing the problems, DJI decided to go the strongarm route, and the public now knows just how bad DJI is at security. Way to go?
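The root cause described above, private keys and cloud credentials committed to a public GitHub repository, is the kind of mistake a pre-commit secret scan is meant to catch. The following is an added example written for this page, not code from DJI, Finisterre, or the article: a small scanner that flags PEM private-key blocks and AWS access key material in a set of files and reports only masked samples, so its own output never becomes a second leak. The file contents, key values and paths are constructed for the demonstration; the AWS secret is Amazon's published documentation example, not a real credential.

```python
"""Pre-commit style scanner for leaked credentials in a source tree.

Added example for this page (not DJI's code). It detects the two kinds of
material the article describes being pushed to GitHub: PEM private keys
(such as a wildcard TLS certificate's key) and AWS credentials.
"""
import re
import sys
from pathlib import Path
from typing import Dict, List, Tuple

# Each rule: (name, compiled pattern). A capture group, when present, is the
# secret token to mask in the report; otherwise the whole match is reported.
RULES: List[Tuple[str, "re.Pattern[str]"]] = [
    # Any PEM private-key header: RSA, EC, DSA, OpenSSH, PKCS#8, encrypted.
    ("pem_private_key",
     re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----")),
    # AWS access key IDs are 20 characters; long-term keys begin with AKIA,
    # temporary STS keys with ASIA.
    ("aws_access_key_id",
     re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")),
    # A 40-character secret assigned to a variable whose name says what it is.
    ("aws_secret_access_key",
     re.compile(r"(?i)aws[_-]?secret[_-]?access[_-]?key\W{0,5}"
                r"([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])")),
]


def mask(token: str) -> str:
    """Keep only enough of a token to recognise it; never echo the secret."""
    return token[:4] + "..." + token[-2:] if len(token) > 8 else "***"


def scan_text(path: str, text: str) -> List[Dict[str, object]]:
    """Return one finding per (line, rule) hit in a single file's contents."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in RULES:
            match = pattern.search(line)
            if match is None:
                continue
            # PEM headers carry no secret, so they are reported verbatim.
            sample = mask(match.group(1)) if match.groups() else match.group(0)
            findings.append({"path": path, "line": lineno,
                             "rule": name, "sample": sample})
    return findings


def scan_files(files: Dict[str, str]) -> List[Dict[str, object]]:
    """Scan an in-memory mapping of path -> contents (handy for tests)."""
    findings: List[Dict[str, object]] = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def scan_directory(root: Path) -> List[Dict[str, object]]:
    """Scan every regular file under root, skipping the .git metadata dir."""
    files: Dict[str, str] = {}
    for candidate in root.rglob("*"):
        if not candidate.is_file() or ".git" in candidate.parts:
            continue
        files[str(candidate)] = candidate.read_text(errors="ignore")
    return scan_files(files)


# Constructed sample tree: two leaks and one harmless mention of a variable.
SAMPLE_FILES: Dict[str, str] = {
    "deploy/settings.py": "\n".join([
        "DEBUG = False",
        "AWS_ACCESS_KEY_ID = 'AKIAEXAMPLEEXAMPLE01'",
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'",
    ]),
    "certs/wildcard.key": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIEpAIBAAKCAQEA...\n"
        "-----END RSA PRIVATE KEY-----\n"),
    "README.md": "Set AWS_ACCESS_KEY_ID in your environment; never commit it.\n",
}


def main(argv: List[str]) -> int:
    """Run as a pre-commit hook: exit 1 if anything is found."""
    findings = scan_directory(Path(argv[1])) if len(argv) > 1 else scan_files(SAMPLE_FILES)
    for f in findings:
        print(f"{f['path']}:{f['line']}: {f['rule']} ({f['sample']})")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run with a directory argument to scan a checkout, or with no arguments to scan the built-in sample, which reports three findings (the access key ID, the secret key, and the PEM header) and ignores the README line that merely names the variable. The scanner deliberately prints masked samples rather than the matched secrets, since a hook's output commonly ends up in CI logs and chat notifications.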