Back in August, DJI launched a bug bounty program meant to reward researchers who came to the company with security vulnerabilities they had discovered. This approach to cybersecurity is now widespread, with big companies like Google, Microsoft, and Yahoo running their own programs, and smaller companies relying on platforms like Bugcrowd and HackerOne.
Unfortunately for DJI, its effort to work with white hat hackers is already causing controversy. Kevin Finisterre, a security researcher whose earlier work on DJI security made headlines, published a long essay yesterday detailing his negative experiences with DJI’s bug bounty program. By this morning, it was on the top of Hacker News, a widely read forum in the US tech community.
Finisterre, along with a collective of hackers he works with, found a very serious flaw in DJI’s web security. They were able to obtain the private key for its SSL certificate, which DJI had accidentally published on GitHub, allowing them access to sensitive customer information stored on DJI’s servers. He asked DJI if this problem was within the scope of its bug bounty, and the company confirmed it was. So Finisterre wrote up and submitted a detailed report. DJI approved of the work and offered him a $30,000 bounty, their highest reward.
But things broke down in the contract DJI sent Finisterre before he could collect. It asked, in essence, that he not discuss details of the work he had done publicly, or that he had done security work for DJI at all. For a researcher like Finisterre, the public recognition of the work is often as valuable as the monetary reward. As they haggled over the contract, DJI’s legal team sent a letter referencing the Computer Fraud and Abuse Act, which Finisterre interpreted as a thinly veiled threat. He decided to walk away from the money and go public with his experience.
“Despite all of the progress we’ve made over the last 4 years, it’s still relatively novel for organizations to partner with the research community through a bug bounty. It’s not uncommon for organizations who launch without preparation to become overwhelmed by the sheer number of high impact issues — which appears to be a significant part of the problem here,” says Jonathan Cran, the VP of product at Bugcrowd, a bug bounty platform.
“We would recommend DJI fix the issues as soon as possible and not pursue legal action. Based on the information we have today, this appears to be a misunderstanding and not malicious in its intent,” Cran says. “Bug bounties deliver extremely high quality results at unparalleled cost — but as we emphasize to our customers, you need a partner.”
There are examples of bug bounty programs that require researchers to strict non-disclosure agreements. Companies like Apple and United Airlines all ask researchers to stay fairly tight-lipped. But that restriction is made clear before the research invests time in finding, reporting out, and submitting a bug. And some public credit is usually given.
After Finisterre published his account, DJI launched an official website for its bug bounty program and made its terms and conditions clear for anyone who wants to participate. Time will tell if it can mend relations with the researcher community and build a bounty program that works for both sides.