A software vulnerability disclosure program recently launched by popular drone maker DJI has turned into a messy public relations battle pitting several security researchers against the growing Chinese technology firm.
After DJI recently launched a bug bounty program, two researchers — Sean Melia and Kevin Finisterre — publicly disclosed vulnerabilities in DJI products. The revelations resulted in the company challenging each researcher’s findings and seemingly threatening one with a lawsuit tied to the Computer Fraud and Abuse Act.
DJI was driven to launch a bug bounty program for a number of reasons; one of the primary being the existence of a vibrant so-called “jailbreaking” scene that was already continuously testing the company’s products for software flaws without the company’s direct consent.
For researchers who have been poking and prodding DJI’s digital properties and products for about three months during the course of this program , Melia and Finisterre stories strike a familiar tone. Several researchers who approached DJI with information about evident vulnerabilities say the outcome has been less than satisfactory. DJI disputes aspects of some of these accounts, but experts say the firm has gone too far.
“Many companies mistake a bug bounty program for a penetration test, in which the pen tester is under NDA and expected to kowtow to the ‘client’ in exchange for their pay,” explained Katie Moussouris, chief executive of Luta Security, a bug bounty consultancy and planning firm. “This simply isn’t the case for bug bounties. If it were, then they wouldn’t be open to the public at all.”
With the incident, DJI’s reputation as a major player in the drone industry has been set against the integrity of security researchers who are well known in the bug hunting community. The conflict also could undercut the concept of bug bounty programs at a time when they are generating waves of positive press coverage for corporations and government agencies, including the Department of Defense.
Struggling from the start
Multiple researchers told CyberScoop that DJI’s bug bounty program, which launched this summer, was poorly conceived from the start. While the program has become more formal and structured in recent weeks, the process for contacting the company and claiming rewards remains opaque, while potential participants say the company’s public statements have scared them off.
Some researchers shared their experiences on condition of anonymity to discuss conversations they had with DJI during the program. The company originally had provided no guidance or rules for how to find or submit vulnerabilities, they said. A vague, one-page press release that first announced the launch of the DJI program in late August encouraged participation without defining any clear-cut boundaries or rules.
This approach is highly atypical, experts say. Usually bug bounty programs have clear, public rules so researchers don’t inadvertently break, breach or somehow disrupt normal business operations.
DJI “assumed this would be simple — they didn’t plan ahead, and they didn’t enlist the help of experts,” said Casey Ellis, founder of bug bounty company BugCrowd. “The single most important aspect to running a crowdsourced program is the alignment of expectation on both sides, and a lot of that comes down to how the bounty brief is written. The challenge here is that it needs to be legally complete, whilst remaining easy to understand.”
DJI contends that its approach is unique rather than irregular.
“There a variety of ways that different companies operate their [bug bounty] programs,” said DJI spokesperson Adam Lisberg. “There’s no standard model. Some companies are fine with certain parameters and others have concerns about them.”
Lisberg told CyberScoop the company had agreed to a set terms and conditions to 12 researchers who have successfully submitted bugs. The company declined to name these participants or provide a figure on how much the company has paid out in bounties.
On Nov. 16, more than 60 days after the launch announcement, DJI finally published program guidelines in addition to a reward structure for the value of certain discoveries. It’s unclear if the private agreements signed in August differ from the public guidelines.
Ellis said that DJI’s decision to launch the bounty program without comprehensive rules in place to could be seen as the root cause for their current PR issues.
“They launched publicly right from the start, which didn’t allow their organization time to iterate policy, adapt to receiving security input from the outside world, and develop norms around how to communicate with hackers,” Ellis said.
Where the bounty went bad
The debate about how DJI is overseeing its bug bounty program has played out in news articles, corporate-backed blog posts and social media comments. In one article from a drone hobbyist website heavily connected to DJI, the author questioned Finisterre’s motives and intentions.
The two most publicly visible disagreements between DJI and its independent research community involve Finisterre and Melia.
Melia did not respond to requests for comment by CyberScoop. In an interview with The Register, he criticized DJI for undervaluing a vulnerability he submitted as part of the bug bounty program. DJI told The Register that Melia had broken a nondisclosure agreement (NDA) by speaking to a reporter and that he had not been transparent about the flaws he discovered. Melia refutes these claims.
Executives with BugCrowd and another prominent bug bounty company, HackerOne, described both Finisterre and Melia as respected researchers.
“Sean is respected and in good standing on our platform,” said HackerOne CTO Alex Rice. “On HackerOne, he has submitted 813 confirmed valid vulnerabilities to 69 individual companies, including GM, Starbucks, DoD, GitHub, Spotify, and more … I’m not aware of any complaints against him from those 69 companies.”
Finisterre is a similarly recognizable figure in the bug hunting community. He is also well known to DJI and was in contact with the Chinese company even prior to recent events.
“In the process of helping DJI work through understanding their current security landscape with regard to consumer concerns on data privacy, I actually suggested that if they wanted to be taken seriously versus some of their PR statements that perhaps they should engage the community in a broader fashion,” said Finisterre. “I suggested that a bounty was one way to do so.”
Finisterre is an employee of Department 13, a company that makes counter-drone technology, including tracking and jamming hardware and software. Based on public statements, DJI is no fan of Department 13. Finisterre said his recent research into DJI was completed independently, beyond the direction of his employer.
On Sept. 27, Finisterre told CyberScoop that he provided DJI with information about, among other things, a SSL key leak that affected a server containing sensitive customer data, including contact information and user flight records belonging to military personnel. The two parties agreed to a $30,000 fee for the discovery of this flaw and a report about it. But the agreement fell apart.
Although lawyers for DJI were willing to modify some of the terms, including elements of a nondisclosure agreement, Finisterre found issue with a final version of the conditions. The document was not what he expected. The conditions were far-reaching and excessive, Finisterre said.
“We want to retain the ability to not disclose even though we recognize that many researchers will want to disclose and we want to make that possible,” DJI’s Lisberg said of the NDA conditions within the terms and conditions of the program. “The fact that we were willing to offer Kevin a variation from those terms reflects our recognition of his contributions and our willingness to bend over backwards to try to reach a deal with him.”
DJI required that Finisterre sign these terms before receiving the $30,000 payment. When it became apparent Finisterre might walk, the company’s tone and apparent strategy changed, based on emails provided to CyberScoop by Finisterre about his correspondence with DJI.
“Once they knew I was going to walk they accidentally cc’d one of us in an email saying ‘this is a threat by Kevin. HQ needs to respond accordingly,'” Finnisterre told CyberScoop.
DJI suggested Finisterre is the only one who has expressed pleasure over the bounty.
“The only one who’s made noise about not wanting to agree to these terms is Kevin,” Lisberg responded. “I can think of one more case that might be like Kevin where someone raised some objections and we were willing to go back and forth on them because of the severity of what they reported.”
Here come the lawsuits
The ensuing argument between Finisterre and DJI at one point crossed into threats of a Computer Fraud and Abuse Act lawsuit launched by the Chinese company against Finisterre.
DJI claimed in a formal although unsigned letter that Finisterre had hacked into a system that was off limits from the bug bounty program. A company representative, however, had approved such activity in one email sent to Finisterre several weeks prior. In addition, the SSL key leak was discovered before the establishment of public or agreed upon guidelines.
“This could have been a wonderful opportunity for them to be educated in best practices for security, in which they are currently falling behind,” Finisterre told CyberScoop. “Rather than embrace the researchers, and bounty hunters they have in turn alienated them. Likewise they have shown that their claims of how they value security and data privacy to be questionable at best.”
Finisterre never agreed to terms with DJI. And he subsequently shared most of this account in a blog post on Nov. 16 which included screenshots of private conversations with DJI employees. Finisterre’s public comments of the events were followed shortly thereafter by DJI’s first public guidelines.
In broad strokes, experts say this episode provides some basic lessons for what to avoid when planning a bug bounty program.
“Clarity in scope up front, combined with a good faith effort to work with the researchers regardless of their public disclosure stance, and a general magnanimous mindset would have been best, if DJI were to get it right,” Luta Security’s Moussouris explained.
Moussouris also took issue with the DJI’s communications strategy after disagreements between researchers and the company came to light. Bugcrowd’s Ellis agreed.
“There was a tone of contempt in the communications from DJI right from the outset, and that escalated into legal threats as the conversation progresses,” Ellis said. “If your organization is still frightened of hackers, don’t invite the internet to come and hack you just yet.”
Zaid Shoorbajee contributed to this report.