Drone maker DJI has been criticized roundly this weekend over its alleged response to security researcher Kevin Finisterre’s discovery of a significant security issue involving the company’s system. According to Finisterre, he began hunting for bugs in DJI’s system under its recently established bug bounty program. In the process, Finisterre says he discovered a major security issue, but rather than rewarding him for his effort, DJI accused him of hacking and threatened to report him to the authorities.
DJI announced its bug bounty program in August following a report that claimed the U.S. Army had banned use of the maker’s drones over security concerns. As part of its announcement, DJI had stated:
“The DJI Threat Identification Reward Program aims to gather insights from researchers and others who discover issues that may create threats to the integrity of our users’ private data, such as their personal information or details of the photos, videos and flight logs they create.”
According to a long report on the matter published by Finisterre, he spent many weeks communicating with DJI through email about the scope of its bug bounty program, which hadn’t yet been publicly defined. After receiving confirmation that it included the company’s servers, Finisterre went to work in writing up a report disclosing his discoveries. Speaking of which…
Due to multiple security issues, including publicly available AWS private keys for DJI’s photo-sharing service SkyPixel, Finisterre reports that he was able to get access to highly sensitive user data, including identification cards and passports, flight logs, and driver’s licenses. Once he found this flaw, he claims that he alerted DJI to the vulnerability, and that the company acknowledged it.
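The root cause Finisterre describes, cloud credentials left where they are publicly readable, is the kind of defect a secret scanner run before code is published is meant to catch. The following scanner is an added example, not code from DJI or from Finisterre’s report; it flags AWS access key IDs and secret access keys in a constructed set of files, using AWS’s documented placeholder credentials as the sample values.

```python
import re
from typing import Dict, List, Tuple

# Long-term access key IDs start with AKIA, temporary ones with ASIA; both are 20 chars.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# Secret access keys are 40 base64-like chars. Only flag them when a nearby
# identifier mentions "secret ... key", which keeps false positives down.
SECRET_RE = re.compile(
    r"(?i)secret[_\-\s]*(?:access)?[_\-\s]*key[^\n]{0,10}?['\"]?([A-Za-z0-9/+]{40})['\"]?"
)

# Constructed sample repository: path -> file content. The key values are the
# placeholders from AWS's own documentation, not real credentials.
SAMPLE_FILES: Dict[str, str] = {
    "config/settings.py": (
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
    ),
    "README.md": "Set AWS_ACCESS_KEY_ID from your environment; never commit it.\n",
}

Finding = Tuple[str, int, str, str]  # (path, line number, kind, masked value)


def mask(value: str) -> str:
    """Keep only the ends of a secret so reports can be shared without leaking it."""
    return value[:4] + "..." + value[-4:]


def scan_text(path: str, text: str) -> List[Finding]:
    """Return every credential-looking token in one file, with its line number."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((path, lineno, "aws_access_key_id", mask(m.group(0))))
        for m in SECRET_RE.finditer(line):
            findings.append((path, lineno, "aws_secret_access_key", mask(m.group(1))))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan a whole tree; a non-empty result should fail the commit or build."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


if __name__ == "__main__":
    for path, lineno, kind, value in scan_files(SAMPLE_FILES):
        print(f"{path}:{lineno}: {kind} {value}")
```

Real deployments wire a scanner like this into a pre-commit hook or CI job so a key never reaches a public repository or bucket in the first place.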
After more than 130 emails back and forth between DJI and Finisterre, he states in his report that DJI said he would be rewarded with $30,000 under the bug bounty program (the maximum award). However, Finisterre reports that weeks later he received an agreement for his particular bug bounty that was “literally not sign-able.” As he goes on to explain in his report:
“I won’t go into too much detail, but the agreement that was put in front of me by DJI in essence did not offer researchers any sort of protection. For me personally the wording put my right to work at risk, and posed a direct conflict of interest to many things including my freedom of speech. It almost seemed like a joke. It was pretty clear the entire ‘Bug Bounty’ program was rushed based on this alone.”
Efforts to alter the agreement didn’t pan out as hoped, says Finisterre, who goes on to claim that several different lawyers advised him that DJI’s final offer was “likely crafted in bad faith,” and that it was “extremely risky” for him to sign it. It was about this time that Finisterre also received a legal demand from DJI ordering him to delete/destroy the data he had gathered during his investigation, while appearing to threaten Finisterre with the Computer Fraud and Abuse Act.
In a statement to Ars Technica, which was the first to cover this spat between DJI and Finisterre, the Chinese drone giant referred to Finisterre as a “hacker,” claiming that he had accessed one of the company’s servers without permission and that he had tried to claim it under the company’s bug bounty program without following “standard terms for bug bounty programs.” The statement goes on to claim that Finisterre “refused to agree to these terms, despite DJI’s continued attempts to negotiate with him, and threatened DJI if his terms were not met.”
For his part, Finisterre says that he ultimately turned down the $30,000 in favor of going public with what he sees as an unsettling and unacceptable experience, concluding with the following statement:
“If you are wondering if DJI even bothered to respond after I got offended over the CFAA threat, you should be happy to know it was flat out radio silence from there on out. All Twitter DMs stopped, SMS messages went unanswered, etc. Cold blooded silence.”