Security breaches can be a complete nightmare for a tech company, which is why many of them incentivize users who discover lapses in the corporation's data protection scheme to notify the company through a bounty program.
One firm that employs such a method is DJI, the massive Chinese commercial drone manufacturer that dominates the entry-level drone market across the world.
A security researcher named Kevin Finisterre informed DJI of a flaw in their system that exposed private, confidential customer information.
He contacted the company through its bounty program but, rather than collecting on a US$30,000 bounty, he was met with pushback and what he calls “threats,” according to PetaPixel.
This reaction prompted him to tell his story publicly, and it gives one pause before reporting security flaws to large companies.
Ars Technica reports that the flaw was that DJI developers had left private keys for the company’s web domains and cloud storage accounts in source code DJI hosted on GitHub.
With those keys, Kevin Finisterre found he could view private data uploaded by DJI customers, such as flight logs and aerial photos. Most alarming of all, Finisterre was also able to find government IDs, driver’s licenses, and passports. Some of the information appeared to relate to military use of drones and to military personnel accounts.
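The failure described above, credentials committed to a public repository, is the kind of thing a defender catches with secret scanning before code is pushed. The following is an added example, not DJI's code or anything from the article: a minimal Python scanner that flags PEM private-key headers and AWS-style access keys in source text. The sample file is constructed (the AWS values are Amazon's documented example placeholders, not live credentials), and the regexes are assumptions you would tune for your own environment.

```python
import re
from typing import List, Tuple

# Patterns for the kinds of credentials the article describes: PEM private-key
# blocks and cloud access keys. The AWS access key ID format (AKIA + 16
# uppercase alphanumerics) is a documented public format; the 40-character
# secret-key rule is a heuristic (assumption) and will produce false positives.
SECRET_PATTERNS = {
    "pem_private_key": re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_key": re.compile(
        r"(?i)aws(?:_|-)?secret(?:_|-)?(?:access(?:_|-)?)?key"
        r"\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})"),
}


def scan_source(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, pattern_name) for every line that looks like
    a committed credential. Use this as a pre-commit or CI gate."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append((lineno, name))
    return findings


# Constructed sample "source file"; these values are placeholders, not secrets.
SAMPLE_SOURCE = """\
# config.py  (constructed sample, not real credentials)
BUCKET = "flight-logs"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
TLS_KEY = '''-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAexample
-----END RSA PRIVATE KEY-----'''
"""

if __name__ == "__main__":
    for lineno, name in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: possible {name}")
```

Running it on the constructed file reports lines 3, 4 and 5; a clean file yields no findings.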
Initially, DJI’s response was positive, and they informed him that he qualified for the maximum bounty of US$30,000.
“This was the first in a long line of education on basic security concepts, and bug bounty practices…Over 130 emails were exchanged back and forth at one point in one thread. At one point days later DJI even offered to hire me directly to consult with them on their security,” Finisterre said.
He attempted to negotiate a contract for the bounty with DJI but was told by legal counsel that the terms of the agreement were “horrible.”
In a piece for Digital Munition that acts as a comprehensive explanation of the entire situation, Finisterre writes: “[N]o less than 4 lawyers told me in various ways that the agreement was not only extremely risky, but was likely crafted in bad faith to silence anyone that signed it…I went through various iterations to get the letter corrected. It was ultimately going to cost me several thousand dollars for a lawyer that I was confident could cover all angles to put my concerns to bed and make the agreement sign-able.”
Things have apparently only gotten worse between the two, with DJI telling Ars Technica that Finisterre was a hacker.
In a lengthy response, DJI outlines what it believes is evidence of Finisterre’s reluctance to cooperate with them or adhere to the bounty program’s guidelines.