Over the past few years, the idea of a "bug bounty program" has grown quickly. Microsoft, Apple and Google all offer money for finding issues in their software, and smaller companies have taken to introducing similar programs. Unfortunately, most companies have not managed them in a detailed or responsible manner. Case in point: DJI, manufacturer of the Phantom quadcopter drone line. The company released its program in August, but never really explained what might be included. Some companies look for firmware issues, while others encourage server research.
Kevin Finisterre decided he would reach out to the company, looking for details on the program. After some back-and-forth, it was made clear that server issues were included in the program. So, Finisterre set out to find issues in what is becoming an increasingly dangerous place for security breach data: GitHub. As expected, Finisterre was able to find SSL certificate information, as well as public and private keys for Amazon Web Services.
After communicating his findings, which were detailed and extensive, to the company, he was offered a job consulting on security. That was, until the legal department got involved, and the entire tone of the conversation changed. Instead of a job, the company offered legal action against him for hacking. They even sent over a contract that was insulting at best. It required him to be silent on the topic, and promised no protection from legal action for finding the data in his report. He said of the interaction:
"In the days following no less than 4 lawyers told me in various ways that the agreement was not only extremely risky, but was likely crafted in bad faith to silence anyone that signed it. I went through various iterations to get the letter corrected. It was ultimately going to cost me several thousand dollars for a lawyer that I was confident could cover all angles to put my concerns to bed and make the agreement sign-able."
After refusing to sign the contract and turning down a $30k bounty, Finisterre instead published his findings and his interactions with the company. The company, on the other hand, began a smear campaign against Finisterre, publishing a statement calling him a "hacker" and diminishing his findings.
"DJI is investigating the reported unauthorized access of one of DJI's servers containing personal information submitted by our users. As part of its commitment to customers' data security, DJI engaged an independent cyber security firm to investigate this report and the impact of any unauthorized access to that data. Today, a hacker who obtained some of this data posted online his confidential communications with DJI employees about his attempts to claim a "bug bounty" from the DJI Security Response Center.
"DJI implemented its Security Response Center to encourage independent security researchers to responsibly report potential vulnerabilities. DJI asks researchers to follow standard terms for bug bounty programs, which are designed to protect confidential data and allow time for analysis and resolution of a vulnerability before it is publicly disclosed. The hacker in question refused to agree to these terms, despite DJI's continued attempts to negotiate with him, and threatened DJI if his terms were not met."
This interaction underscores several issues plaguing the software industry. First is the open sourcing of software by irresponsible developers. When developers don't know the proper process for making code public, things go wrong, such as releasing database connection strings, cloud keys and more. This can make very private information, such as driver's licenses and passports in this case, available to the public.
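As an added illustration of that first issue (not code from Finisterre's report or from DJI), here is a check a team could run over a source tree before making it public, covering the secret types named above: cloud keys, private keys and database connection strings. The patterns, function names and sample repository are assumptions made for this example and are not exhaustive.

```python
import re

# Rules for the secret types named in the article: cloud keys, private keys,
# database connection strings. Patterns are illustrative, not exhaustive.
RULES = {
    "aws-access-key-id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "pem-private-key": re.compile(r"-----BEGIN (?:[A-Z]+ )*PRIVATE KEY-----"),
    "db-url-with-password": re.compile(
        r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis)://[^\s:/@]+:[^\s@]+@"),
}

def scan_text(path, text):
    """Return (path, line_number, rule) for every rule hit in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            if pattern.search(line):
                findings.append((path, lineno, rule))
    return findings

def scan_tree(files):
    """files maps path -> contents; returns all findings, sorted."""
    return sorted(f for path, text in files.items() for f in scan_text(path, text))

# Constructed sample repository; the key ID is AWS's documentation example.
SAMPLE_REPO = {
    "config/settings.py": (
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'DATABASE_URL = "postgres://app:s3cr3t@db.internal.example:5432/users"\n'
    ),
    "certs/server.key": "-----BEGIN RSA PRIVATE KEY-----\n(constructed, body omitted)\n",
    "README.md": "Set DATABASE_URL=postgres://localhost/dev before running.\n",
}

if __name__ == "__main__":
    for path, lineno, rule in scan_tree(SAMPLE_REPO):
        print(f"{path}:{lineno}: {rule}")  # report location only, never the secret
```

A hit in the working tree means the secret is probably also in the commit history, so the credential has to be rotated, not just deleted from the file.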
The second issue is poorly implemented bounty programs. If a company does not have a detailed user guide for its program, it is easy for it to turn sour, especially when a bug or security issue embarrasses the company. A reward can turn into a lawsuit or, worse yet, criminal charges. This can ruin a developer's or security expert's career in perpetuity.