Researcher Found A Serious Vulnerability In DJI’s Web Security, Then Was Told To Keep Quiet Or Else
A popular approach to cybersecurity nowadays is the so-called bug bounty program, in which a company enlists third-party or independent hackers to look for vulnerabilities in its products or systems and pays them for what they find.
Google, Microsoft, Facebook, and Mozilla all run such programs. Drone manufacturer DJI launched its own this past August, intended to reward researchers who brought the company security flaws they had found.
DJI Bug Bounty Program Fumbles
Unfortunately, DJI's own bug bounty program is already causing a bit of controversy. Security researcher Kevin Finisterre, who had previously reported that the DJI Go app contained a hot-patching mechanism that let its code be altered remotely, went public on Monday, Nov. 20, after DJI appeared to threaten him with legal action.
In his essay, Finisterre laid out his negative experience with DJI and its bug bounty program. He and a group of fellow hackers found a serious flaw in DJI's web security: the private key for its SSL certificate, along with cloud-storage credentials, had been left exposed in publicly accessible source code repositories. With those secrets they could reach private and highly sensitive customer data held on the drone company's servers.
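The failure mode at the centre of this story is secrets committed to source code. As an added example (not Finisterre's tooling and not anything DJI uses), the following Python script walks a checkout looking for the two artefacts that matter here: PEM private-key headers, which is what a leaked TLS certificate key looks like on disk, and AWS access key IDs, which commonly sit next to it in config files. The sample tree it builds, the file names in it, and the placeholder key body are constructed for the demonstration; the "AKIAIOSFODNN7EXAMPLE" value is Amazon's documented dummy key ID, not a live credential.

```python
"""Scan a source tree for committed private keys and AWS access key IDs.

Added example, not DJI's or Finisterre's code. The sample tree below is
a constructed fixture so the script runs offline.
"""
import os
import re
import tempfile
from dataclasses import dataclass

# Header line of any PEM-encoded private key (RSA, EC, PKCS#8, OpenSSH ...).
PEM_KEY_RE = re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----")
# Long-lived (AKIA) and temporary (ASIA) AWS access key IDs: 4-char prefix + 16 chars.
AWS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# VCS metadata and dependency trees produce noise and are not what gets committed.
SKIP_DIRS = {".git", "node_modules", "vendor"}
MAX_FILE_BYTES = 2 * 1024 * 1024  # skip large binaries and build artefacts


@dataclass(frozen=True)
class Finding:
    path: str   # absolute path of the offending file
    line: int   # 1-based line number of the first hit of that kind
    kind: str   # "pem-private-key" or "aws-access-key-id"


def scan_file(path):
    """Return one Finding per secret kind present in the file (first hit only)."""
    findings = []
    seen = set()
    with open(path, "r", encoding="utf-8", errors="ignore") as fh:
        for lineno, text in enumerate(fh, start=1):
            for kind, pattern in (("pem-private-key", PEM_KEY_RE),
                                  ("aws-access-key-id", AWS_KEY_ID_RE)):
                if kind not in seen and pattern.search(text):
                    seen.add(kind)
                    findings.append(Finding(path, lineno, kind))
    return findings


def scan_tree(root):
    """Walk a checkout, pruning SKIP_DIRS in place so os.walk never descends into them."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.getsize(full) > MAX_FILE_BYTES:
                continue
            findings.extend(scan_file(full))
    return sorted(findings, key=lambda f: (f.path, f.line))


def build_sample_tree():
    """Constructed fixture: a fake checkout with two leaked secrets and two clean files."""
    root = tempfile.mkdtemp(prefix="leakscan-")
    files = {
        "README.md": "Deployment notes. Keys live in the vault, never in git.\n",
        # Placeholder PEM body; only the header line is what the scanner keys on.
        "config/server.key": "-----BEGIN RSA PRIVATE KEY-----\n"
                             "MIIEexampleNOTAREALKEY\n"
                             "-----END RSA PRIVATE KEY-----\n",
        # AKIAIOSFODNN7EXAMPLE is Amazon's documented dummy access key ID.
        "deploy/aws.env": "AWS_REGION=us-east-1\nAWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
        # Lives under .git/ and must be ignored even though it would match.
        ".git/objects/junk": "-----BEGIN RSA PRIVATE KEY-----\n",
    }
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


def report(root):
    """Relative-path summary usable as a CI gate: a non-empty list means block the commit."""
    return [(os.path.relpath(f.path, root), f.line, f.kind) for f in scan_tree(root)]


if __name__ == "__main__":
    sample = build_sample_tree()
    for rel, line, kind in report(sample):
        print(f"{rel}:{line}: {kind}")
```

Run as a pre-commit hook or CI step, `report()` is the part to wire in: anything it returns should fail the build. The patterns are deliberately narrow (header lines and a fixed-format ID) so the check has essentially no false positives; broader high-entropy-string heuristics catch more but need allow-lists.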
He promptly emailed DJI and asked whether the vulnerability was within the scope of its program, and they told him it was. DJI confirmed his work and offered him $30,000 for the trouble, the highest reward tier. All was good. Finisterre even ordered a Tesla vehicle, as he recounts in his essay.
But things went awry. DJI sent Finisterre a contract that required him to refrain from publicly discussing the vulnerability he had found, and never to tell anyone that he had worked with DJI's security team at all. If a filmmaker's legacy is the films he or she makes, a security researcher's legacy hinges on the vulnerabilities they discover, and credit for a find is often worth more in the hacking community than the money. So it was clear to Finisterre that what DJI wanted wasn't reasonable.
As the two sides went back and forth, DJI eventually sent a letter that cited the Computer Fraud and Abuse Act, which Finisterre took as a threat of prosecution. He rejected the prize, canceled his Tesla order, and went public.
There are certainly bug bounty programs that require hackers to stay silent about what they discover. Companies such as Apple advise researchers not to say a word about their work. But that kind of restriction is usually laid out clearly from the start, and the person responsible for the discovery still gets acknowledged to some degree, even when the specifics of the work are not disclosed.
After Finisterre went public, DJI launched a website dedicated to its bounty program and laid out the terms clearly. It remains to be seen whether hackers will still trust DJI after its attempt to silence a researcher.