Drone maker DJI in cyber-security row over bug bounty

[Image: DJI drone in flight. Image copyright: Getty Images]

Drone maker DJI has accused a cyber-security researcher of hacking its servers.

Kevin Finisterre claims that he accessed confidential customer data after finding a private key publicly posted on code-sharing site Github.

He approached the firm, which offers a “bug bounty” reward of up to $30,000 (£23,000) for security weaknesses discovered in its systems.

DJI said the server access was “unauthorised”.

The data Mr Finisterre was able to see included “unencrypted flight logs, passports, driver's licences and identification cards”, he said.

Despite initially offering him the money, in a statement DJI has now accused Mr Finisterre of refusing to agree to the terms of its bug bounty programme “which are designed to protect confidential data and allow time for analysis and resolution of a vulnerability before it is publicly disclosed”.

It added: “DJI takes data security extremely seriously, and will continue to improve its products thanks to researchers who responsibly discover and disclose issues that may affect the security of DJI user data and DJI’s products.”

It added that it would continue to pay bug bounties in exchange for reports.

Mr Finisterre, an independent security researcher, said DJI tried to make him sign a non-disclosure agreement.

He also published an email from DJI telling him that security issues with servers were included in the bug bounty programme.

‘Freedom of speech’

He said it was almost a month after he sent his report before the full terms were shared with him, and that he believed they “posed a direct conflict of interest to many things including my freedom of speech”.

One of the clauses stated that he could not publicly disclose his research without written consent from DJI, according to emails from the firm he has published in his report.

Typically, security researchers will share their findings with a company, give the firm a time frame in which to fix identified bugs, and then publish their work.

Bug bounty schemes are offered by many large tech firms as an incentive for people to report security weaknesses to the company rather than exploit them.

Cyber-security expert Prof Alan Woodward from Surrey University said DJI’s actions were “outrageous”.

“Cyber-security is one of those areas where there is no government organisation or central body or standards agency holding these people to account. It’s ethical hackers and security researchers,” he said.

“The public has a right to know when there’s a security problem.”