var advanced_ads_pro_visitor_conditions = {"referrer_cookie_name":"advanced_ads_pro_visitor_referrer","referrer_exdays":"365","page_impr_cookie_name":"advanced_ads_page_impressions","page_impr_exdays":"3650"};
var essb_settings = {"ajax_url":"https:\/\/www.lightstalking.com\/wp-admin\/admin-ajax.php","essb3_nonce":"b59c54b5e1","essb3_plugin_url":"https:\/\/www.lightstalking.com\/wp-content\/plugins\/easy-social-share-buttons3","essb3_stats":true,"essb3_ga":false,"essb3_ga_ntg":false,"blog_url":"https:\/\/www.lightstalking.com\/","post_id":"314642"};
Security breaches can be a complete nightmare for a tech company, which is why many of them incentivize users who discover lapses in the corporation's data protection scheme to notify the company through a bounty program.
One firm that employs such a method is DJI, the massive Chinese commercial drone manufacturer that dominates the entry-level drone market across the world.
A security researcher named Kevin Finisterre informed DJI of a flaw in their system that exposed private, confidential customer information.
He contacted the company through its bounty program but, rather than collecting on a $USD 30,000 bounty, he was met with pushbacks and what he calls “threats” according to Peta Pixel.
This reaction has prompted him to tell his story to the world at large and it does give one pause before reporting any errors to massive companies when it comes to their technology.
Image via Pixabay from Pexels.com.
Ars Technica reports that the flow is when DJI developers left private keys for the company’s web domains and cloud storage accounts within source code DJI had hosted on GitHub.
With this information, Kevin Finisterre found out he could see private things uploaded by DJI customers such as flight logs and aerial photos. Most terrifying of all, Finisterre was able to find government ids, driver’s licenses, and passports as well. Some of the information seemed to be related to military use of drones and military personnel accounts.
Initially DJI’s response was positive, and they informed him that he qualified for the maximum bounty of $USD 30,000.
“This was the first in a long line of education on basic security concepts, and bug bounty practices…Over 130 emails were exchanged back and forth at one point in one thread. At one point days later DJI even offered to hire me directly to consult with them on their security,” Finisterre said.
He attempted to negotiate a contract for the bounty hunting with DJI but was told by legal counsel that the terms of the agreement were “horrible.”
In a piece for Digital Munition that acts as a comprehensive explanation of the entire situation, Finisterre writes: “[N]o less than 4 lawyers told me in various ways that the agreement was not only extremely risky, but was likely crafted in bad faith to silence anyone that signed it…I went through various iterations to get the letter corrected. It was ultimately going to cost me several thousand dollars for a lawyer that I was confident could cover all angles to put my concerns to bed and make the agreement sign-able.”
Apparently things have only gotten worse between the two, with DJI telling Ars Technica that he was a hacker.
In a lengthy response, DJI outlines what it believes is evidence of Finisterre’s reluctance to cooperate with them or adhere to the bounty program’s guidelines.
About Author
Kehl is our staff photography news writer since 2017 and has over a decade of experience in online media and publishing and you can get to know him better here and follow him on Insta.
var advanced_ads_cookies = {"cookie_path":"\/","cookie_domain":""};
var advadsCfpInfo = {"cfpExpHours":"3","cfpClickLimit":"3","cfpBan":"7","cfpPath":"","cfpDomain":"www.lightstalking.com"};
var beloadmore = {"url":"https:\/\/www.lightstalking.com\/wp-admin\/admin-ajax.php","query":{"post__not_in":[314642],"category_name":"news","posts_per_page":3}};
var tve_dash_front = {"ajaxurl":"https:\/\/www.lightstalking.com\/wp-admin\/admin-ajax.php","force_ajax_send":"1","is_crawler":"","recaptcha":[],"post_id":"314642"};
var TVE_Ult_Data = {"ajaxurl":"https:\/\/www.lightstalking.com\/wp-admin\/admin-ajax.php","ajax_load_action":"tve_ult_ajax_load","conversion_events_action":"tve_ult_conversion_event","shortcode_campaign_ids":[],"matched_display_settings":[],"campaign_ids":[],"post_id":314642,"is_singular":true,"tu_em":"","evergreen_redirects":[]};
(function() { var po = document.createElement('script'); po.type = 'text/javascript'; po.async=true;; po.src = 'https://www.lightstalking.com/wp-content/plugins/easy-social-share-buttons3/lib/modules/conversions-pro/assets/share-conversions-tracker.js'; var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(po, s); })();(function() { var po = document.createElement('script'); po.type = 'text/javascript'; po.async=true;; po.src = 'https://www.lightstalking.com/wp-content/plugins/easy-social-share-buttons3/assets/modules/pinterest-pro.min.js'; var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(po, s); })();(function() { var po = document.createElement('script'); po.type = 'text/javascript'; po.async=true;; po.src = 'https://www.lightstalking.com/wp-content/plugins/easy-social-share-buttons3/assets/modules/subscribe-forms.min.js'; var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(po, s); })();(function() { var po = document.createElement('script'); po.type = 'text/javascript'; po.async=true;; po.src = 'https://www.lightstalking.com/wp-content/plugins/easy-social-share-buttons3/assets/js/essb-core.min.js'; var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(po, s); })();
var essb_handle_stats = function(oService, oPostID, oInstance) { var element = jQuery('.essb_'+oInstance); var instance_postion = jQuery(element).attr("data-essb-position") || ""; var instance_template = jQuery(element).attr("data-essb-template") || ""; var instance_button = jQuery(element).attr("data-essb-button-style") || ""; var instance_counters = jQuery(element).hasClass("essb_counters") ? true : false; var instance_nostats = jQuery(element).hasClass("essb_nostats") ? true : false; if (instance_nostats) { return; } var instance_mobile = false; if( (/Android|webOS|iPhone|iPad|iPod|BlackBerry|IEMobile|Opera Mini/i).test(navigator.userAgent) ) { instance_mobile = true; } if (typeof(essb_settings) != "undefined") { jQuery.post(essb_settings.ajax_url, { 'action': 'essb_stat_log', 'post_id': oPostID, 'service': oService, 'template': instance_template, 'mobile': instance_mobile, 'position': instance_postion, 'button': instance_button, 'counter': instance_counters, 'nonce': essb_settings.essb3_nonce }, function (data) { if (data) { }},'json'); } }; var essb_log_stats_only = function(service, postId, position) { var instance_mobile = false; if( (/Android|webOS|iPhone|iPad|iPod|BlackBerry|IEMobile|Opera Mini/i).test(navigator.userAgent) ) { instance_mobile = true; } if (typeof(essb_settings) != "undefined") { jQuery.post(essb_settings.ajax_url, { 'action': 'essb_stat_log', 'post_id': postId, 'service': service, 'template': position, 'mobile': instance_mobile, 'position': position, 'button': position, 'counter': false, 'nonce': essb_settings.essb3_nonce }, function (data) { if (data) { }},'json'); } };
let ccwpDOMLoaded=!1;
let ccwp_loaded = false;
let resources_length=0;
let resources =undefined;
let is_last_resource = 0;
ccwpUserInteractions=["keydown","mousemove","wheel","touchmove","touchstart","touchend","touchcancel","touchforcechange"];
ccwpUserInteractions.forEach(function(e){
window.addEventListener(e,calculate_load_times);
});
function calculate_load_times() {
// Check performance support
if (performance === undefined) {
console.log("Performance NOT supported");
return;
}
// Get a list of "resource" performance entries
resources = performance.getEntriesByType("resource");
if (resources === undefined || resources.length <= 0) {
console.log("NO Resource performance records");
}
if(resources.length){
resources_length=resources.length;
}
for(let i=0; i < resources.length; i++) {
if(resources[i].responseEnd>0){
is_last_resource = is_last_resource + 1;
}
}
let uag = navigator.userAgent;
let gpat = /Google Page Speed Insights/gm;
let gres = uag.match(gpat);
let cpat = /Chrome-Lighthouse/gm;
let cres = uag.match(cpat);
let wait_till=300;
let new_ua = "Mozilla/5.0 (Linux; Android 11; moto g power (2022)) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Mobile Safari/537.36";
let new_ua2 = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36";
if(gres || cres || uag==new_ua || uag==new_ua2){
wait_till = 3000;
}
if(is_last_resource==resources.length){
setTimeout(function(){
console.log("ccwpTriggerDelayedScripts timeout : "+wait_till);
ccwpTriggerDelayedScripts();
},wait_till);
}
}
window.addEventListener("load", function(e) {
console.log("load complete");
setTimeout(function(){
calculate_load_times();
},100);
});async function ccwpTriggerDelayedScripts() {
if(ccwp_loaded){ return ;}
ccwpPreloadStyles();
ccwpPreloadDelayedScripts();
ccwpLoadCss();
ccwpScriptLoading();
ccwp_loaded=true;
}
function ccwpPreloadStyles() {
let e = document.createDocumentFragment();
var cssEle = document.querySelectorAll("link[rel=ccwpdelayedstyle]");
for(let i=0; i <= cssEle.length;i++){
if(cssEle[i]){
cssEle[i].href = removeVersionFromLink(cssEle[i].href);
let r = document.createElement("link");
r.href = cssEle[i].href;
r.rel = "preload";
r.as = "style";
e.appendChild(r);
}
}
document.head.appendChild(e);
}
function ccwpPreloadDelayedScripts() {
var e = document.createDocumentFragment();
document.querySelectorAll("script[type=ccwpdelayedscript]").forEach(function(t) {
var n = removeVersionFromLink(t.getAttribute("src"));
if (n) {
t.setAttribute("src", n);
var r = document.createElement("link");
r.href = n, r.rel = "preload", r.as = "script", e.appendChild(r)
}
}), document.head.appendChild(e)
}
function ccwpScriptLoading(){
var jsEle = document.querySelectorAll("script[type=ccwpdelayedscript]");
jsEle.forEach(function(t) {
t.type = "text/javascript";
if(t.src)
{
t.src = removeVersionFromLink(t.src);
}
});
}function ccwpLoadCss(){
var cssEle = document.querySelectorAll("link[rel=ccwpdelayedstyle]");
for(let i=0; i <= cssEle.length;i++){
if(cssEle[i]){
cssEle[i].href = removeVersionFromLink(cssEle[i].href);
cssEle[i].rel = "stylesheet";
cssEle[i].type = "text/css";
}
}var cssEle = document.querySelectorAll("style[type=ccwpdelayedstyle]");
for(let i=0; i <= cssEle.length;i++){
if(cssEle[i]){
cssEle[i].type = "text/css";
}
}
}
function removeVersionFromLink(link)
{
if(ccwpIsValidUrl(link))
{
const url = new URL(ccwpFormatLink(link));
url.searchParams.delete("ver");
url.searchParams.delete("time");
return url.href;
}
else{
return link;
}
}
function ccwpIsValidUrl(urlString)
{
if(urlString){
var expression =/[-a-zA-Z0-9@:%_\+.~#?&//=]{2,256}\.[a-z]{2,4}\b(\/[-a-zA-Z0-9@:%_\+.~#?&//=]*)?/gi;
var regex = new RegExp(expression);
return urlString.match(regex);
}
return false;
}
function ccwpFormatLink(link)
{
let http_check=link.match("http:");
let https_check=link.match("https:");
if(!http_check && !https_check)
{
return location.protocol+link;
}
return link;
}