Drone-maker DJI and a cyber security researcher are in the middle of a much-publicised spat after the company, having announced a ‘bug bounty’ programme, refused to pay out on it.
DJI said it will not pay any money to the security researcher because he did not agree to the terms and conditions of the bug bounty programme.
Ideally, a bug bounty programme is meant not only to uncover security vulnerabilities in a company’s servers and other systems, but also to motivate cyber security researchers to go the extra mile and uncover flaws that many would miss at first glance.
Bounty programmes have worked well for many large firms in the past, which have uncovered numerous security flaws in their servers with the help of freelance security researchers. Given this mutually beneficial relationship, DJI’s refusal to pay a security researcher for his hard work may send the wrong signal to the ethical hacking community.
Let’s take a look at why the researcher believes he should get paid as per the bounty programme and why DJI thinks he is not entitled to it.
In August, DJI (Chinese drone manufacturer Dà-Jiāng Innovations Science and Technology Co., Ltd) announced a bug bounty programme paying up to $30,000 per vulnerability, challenging security researchers to identify and report security flaws in its AWS servers. After learning about the programme, security researcher Kevin Finisterre succeeded in accessing “unencrypted flight logs, passports, drivers licences and identification cards” of DJI customers after he found an AWS private key that DJI had exposed in a public GitHub repository.
Following the discovery, Finisterre approached DJI with his findings and was subsequently promised that he would be awarded ‘in cash’. However, a month after he shared his findings with DJI, he was asked to sign a T&C document which stipulated that he could not share his findings with the rest of the world without DJI’s authorisation.
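The root cause here, a credential committed to a public repository, is exactly what pre-commit secret scanning exists to catch. The following is an added example written for this page, not code from DJI or from Finisterre: a minimal scanner that flags AWS access key IDs, AWS secret keys (with an entropy check to cut false positives) and PEM private-key headers in repository files. The sample repository contents are constructed for the example and use Amazon’s documented placeholder credentials, not live keys.

```python
import math
import re
from dataclasses import dataclass

# Constructed sample repository contents (not DJI's code): a deployment config
# with hard-coded AWS credentials, a committed TLS private key, and a harmless
# README that only mentions an environment variable name. The AWS values are
# Amazon's published example credentials, not live keys.
SAMPLE_FILES = {
    "config/deploy.yml": (
        "region: us-east-1\n"
        "aws_access_key_id: AKIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "certs/server.key": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIEpAIBAAKCAQEAfakebodyforillustrationonly0000\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
    "README.md": "Export AWS_ACCESS_KEY_ID in your shell before running deploy.sh.\n",
}


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str
    match: str


# Each rule: (name, regex with the secret in group 1, minimum Shannon entropy
# in bits per character that the captured value must reach to be reported).
# Access key IDs and PEM headers have a fixed shape, so they need no entropy
# gate; a 40-character secret key does, otherwise "0000..." placeholders fire.
RULES = [
    ("aws-access-key-id", re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b"), 0.0),
    ("aws-secret-access-key",
     re.compile(r"(?i)aws_secret_access_key\s*[:=]\s*['\"]?([A-Za-z0-9/+=]{40})"), 3.0),
    ("pem-private-key",
     re.compile(r"(-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----)"), 0.0),
]


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; random base64 scores well above 3.0."""
    counts: dict[str, int] = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(path: str, text: str) -> list[Finding]:
    """Run every rule over every line of one file and collect findings."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern, min_entropy in RULES:
            for m in pattern.finditer(line):
                value = m.group(1)
                if shannon_entropy(value) < min_entropy:
                    continue  # low-entropy placeholder, not a real secret
                findings.append(Finding(path, lineno, name, value))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line}: {f.rule}: {f.match}")
```

Two caveats a practitioner should keep in mind. Scanning the working tree is not enough: a secret that was committed and later deleted is still in the history, so the scan has to run over every commit (for example over the output of git log -p). And removing a key from a repository does not revoke it; once it has been public, the only safe response is to rotate it and audit what the old credential was used for.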
Finisterre said that the terms not only prevented him from sharing his findings with the rest of the world, but were also designed to sound like ‘a thinly veiled Computer Fraud and Abuse Act threat from DJI’.
‘The agreement that was put in front of me by DJI in essence did not offer researchers any sort of protection. For me personally the wording put my right to work at risk, and posed a direct conflict of interest to many things including my freedom of speech. It almost seemed like a joke. It was pretty clear the entire ‘Bug Bounty’ program was rushed based on this alone,’ he wrote on his website.
Under coordinated disclosure, researchers normally publish their findings once the vulnerabilities they identified have been fixed, or once an agreed deadline has passed without a fix. Published findings are also how a researcher demonstrates the coding and forensic investigation skills that determine his or her effectiveness; they are the researcher’s bread and butter and shape his or her future prospects.
According to DJI, the terms and conditions of the bug bounty programme were designed ‘to protect confidential data and allow time for analysis and resolution of a vulnerability before it is publicly disclosed’.
‘DJI takes data security extremely seriously, and will continue to improve its products thanks to researchers who responsibly discover and disclose issues that may affect the security of DJI user data and DJI’s products,’ the firm added.
Even though DJI may have got away with it this time without paying the researcher, it will be interesting to see how many takers the firm finds for its future bug bounty programmes.