Researcher claims DJI threatened him with legal action after he made ‘bug bounty’ report
Chinese drone maker DJI (Dà-Jiāng Innovations Science and Technology Co. Ltd.) has allegedly threatened to take legal action against a researcher who reported security vulnerabilities to the company as part of its bug bounty program.
The claim comes from researcher Kevin Finisterre, who detailed in an essay that he discovered DJI had exposed the private keys for the company’s web domains and cloud storage accounts in code posted to GitHub. Using the keys, Finisterre said, he was able to access confidential information such as driver’s license and passport details, along with flight log data that included details from accounts linked to government and military domains.
Finisterre said he reported the issues in detail in September to DJI under the company’s bug bounty program, launched in August after the company was banned by the U.S. military over security concerns. The researcher hoped to claim a payment of $30,000, but that’s when things took a turn for the worse.
Instead of thanking Finisterre for his contribution or making a payment under the program, DJI said after some back-and-forth that it would make the payment only if he agreed to sign a strict confidentiality agreement that would prevent him from discussing what he had found. Moreover, if he didn’t, DJI would also consider taking legal action, accusing him of breaching the Computer Fraud and Abuse Act by unlawfully accessing its servers.
Just for good measure, Finisterre noted that the agreement also didn’t offer him any protection against legal action in the future, so he was put in a position where he was damned if he signed the agreement and damned if he didn’t.
The drone company responded to the dispute, saying in a statement sent to Ars Technica that it’s investigating “reported unauthorized access of one of DJI’s servers containing personal information submitted by our users.” It went on to claim that a “hacker,” presumably Finisterre, had posted confidential communications with DJI employees about his attempts to make a claim under the bug bounty program. “DJI asks researchers to follow standard terms for bug bounty programs, which are designed to protect confidential data and allow time for analysis and resolution of a vulnerability before it is publicly disclosed,” the company said.
Flipping Finisterre’s claims on their head, DJI accused him of wrongdoing, adding that “the hacker in question refused to agree to these terms, despite DJI’s continued attempts to negotiate with him, and threatened DJI if his terms were not met.”
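The root cause Finisterre describes, private keys and cloud credentials committed to a public GitHub repository, is the kind of leak a repository secret scan catches before a push. The script below is an added example written for this article, not code from DJI or from Finisterre’s report; it scans text for PEM private-key headers, AWS-style access key IDs and high-entropy credential assignments, and the sample config fragment it scans is constructed (the AWS values are the placeholders from AWS’s own documentation, not real keys).

```python
import math
import re
from collections import Counter

# Detection patterns (assumptions about common secret shapes, not exhaustive).
PATTERNS = {
    # PEM-encoded private key material, e.g. TLS keys for web domains.
    "pem_private_key": re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    # AWS access key IDs: 'AKIA'/'ASIA' prefix plus 16 upper-case alphanumerics.
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # Assignments such as  secret = "...", password: '...', access_key = ...
    # Group 1 captures the value; it is entropy-gated below.
    "credential_assignment": re.compile(
        r"(?i)(?:secret|password|passwd|token|access[_-]?key|api[_-]?key)"
        r"\s*[:=]\s*['\"]?([A-Za-z0-9/+=_\-]{16,})"),
}
ENTROPY_THRESHOLD = 3.0   # bits per character; placeholders fall below this


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; 0.0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def redact(value: str) -> str:
    """Keep only the first four characters so findings can be logged safely."""
    return value[:4] + "..." if len(value) > 4 else "..."


def scan_text(text: str, path: str = "<constructed>") -> list:
    """Return findings as dicts with path, line number, kind and redacted value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pat in PATTERNS.items():
            m = pat.search(line)
            if not m:
                continue
            value = m.group(1) if m.groups() else m.group(0)
            # Low-entropy values ("aaaa...", "changeme") are almost always placeholders.
            if kind == "credential_assignment" and shannon_entropy(value) < ENTROPY_THRESHOLD:
                continue
            findings.append({"path": path, "line": lineno,
                             "kind": kind, "value": redact(value)})
    return findings


# Constructed sample: fragments of a config file that should never be committed.
SAMPLE = """\
# constructed sample: fragments of a config file accidentally committed
region = us-west-2
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
db_password = "aaaaaaaaaaaaaaaa"
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA...
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE, "config.ini"):
        print(f"{f['path']}:{f['line']}: {f['kind']} ({f['value']})")
```

Run against the sample, the scanner reports the access key ID on line 3, the secret access key on line 4 and the PEM header on line 6, while the all-`a` placeholder password on line 5 is suppressed by the entropy gate. Wired into a pre-commit hook (or run over a repository’s history before it is made public), a check like this is the control that would have kept the keys in Finisterre’s report out of GitHub in the first place; the regexes are a starting point and any real deployment should add the vendor-specific token formats it actually uses.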
Photo: Taka/Wikimedia Commons