"In the days following no less than 4 lawyers told me in various ways that the agreement was not only extremely risky, but was likely crafted in bad faith to silence anyone that signed it."
The whole article sounds like a mishmash of incompetence, being unprepared, and having a legal team not really interested in having a robust or even good bounty program. Basically a bounty program driven by Marketing and/or Legal to be able to say "we take bugs seriously" rather than by Engineering with an interest in actually getting problems resolved.
It's almost as if they decided to do this without remembering to tell their lawyers what a Bug Bounty program is.
Every time I read a story about a company bumbling their way through some obviously poorly conceived PR problem (see also: Logitech's recent announcement that they'll be bricking one of their products), I think to myself, "What on earth was that meeting like?" You know, the meeting where they are supposed to plan what to say, how to say it, what actions to take when, what contingency plans, etc. Those things that grown-up companies do when they interact with their customers or the public. I mean, was it really as incompetent as, "I know, let's offer a bug bounty, and then threaten legal action against people who participate! That will surely help our image!" Was there not one person around that conference room who thought to raise their hand and say, "Now hang on a minute--we might not be thinking this through..."
TL;DR: DJI rolled out a bug bounty program from $100-$30,000 but it was vague and poorly executed. Author found AWS keys and subsequent data, to which DJI responded with onerous legal terms and threats. After many weeks of back and forth, author walked away.
> DJI responded with onerous legal terms and threats.
And they sent him threats after they offered him the highest ($30,000) bounty, waited a month doing nothing, and then finally sent him a terribly restrictive non-disclosure agreement which he'd have to sign to actually get the cash.
Sounds like DJI kicked off a bounty program and didn't have their ducks in a row on setting bounty scope, legal terms, or process.
Researcher found PII leaks and keys to some pretty sensitive stuff, and DJI didn't know how to respond.
After DJI dragged it out for weeks, gave overly broad terms, and sent a poorly crafted CFAA threat (which, charitably interpreted, was just to ensure he deleted any sensitive material), the researcher walked away, frustrated by the time sink.
Honestly, it looks like DJI was hoping for a 'soft launch', getting a few tame bugs and negotiating with researchers to hammer out details. (Or framed more cynically, using the researchers as unpaid advisors on how to set up a bounty program.)
Instead, they got a stack of catastrophic, maximum-severity issues right away and panicked.
Being stingy with big bounty money seems so shortsighted - if you are going to have a B.B. program and encourage people to suss out exploits, why would you then want to piss those people off? It’s not like there isn’t a completely separate market out there for the same exploits run by people you’d collectively refer to as “the enemy”.
The problem with such negotiation is that at the moment someone even describes the bug they have found, they eliminate the possibility of selling to anything other than the BB program. If you describe your bug to them, but then the BB negotiations go south and you walk away, you are a suspect in any future exploit of that bug. So the BB program knows that they have the researcher on the hook from the moment he makes contact.
DJI started a bug bounty program, but mismanagement and dick moves ended up costing a guy a deserved 30k bounty.
longer tldr:
The problems found revealed they were in fact in desperate need of the help.
The program was managed poorly. DJI had a chance to correct the situation, but instead acted in bad faith toward researchers who had gone out of their way to help them, even threatening legal action for no good reason.
The guy legit earned the 30k bounty, but effectively had no way to get the money due to legal threats and/or requirements to sign draconian restrictive legal documents.
Important subject, interesting story, takes forever to get to the point. Reads like this was partially due to the guy having no sleep and being worn down after a long period of emotional exasperation.
I remember reading recently that the U.S. military had to ground all DJI drones they had in inventory because of suspected hooks in the software, and I was thinking it was just malicious backdoors; interesting to see there's a bit more of Hanlon's razor in there too.
It almost seems like you might be better off taking the bugs found to the US military or intelligence agencies to see if you can get bounties from them instead.
Of course, that puts you in a position of interacting with the US government on security research.
Fck, man. I was fired from DJI because of all that story. I was nowhere connected to the things you found and the privacy disclosure. I just had a small repository with an Unreal Engine plugin to use an open source EXIF library inside our internal project.
But on the other hand, really thank you, working in DJI is not so good anyway.
> I was nowhere connected to the things you found and the privacy disclosure. I just had a small repository with an Unreal Engine plugin to use an open source EXIF library inside our internal project.
From DJI's perspective, I think they don't have experience with bug bounties, so the legal team drafted something not expecting a fight, especially when they offered 30k. Seeing the back-and-forth on legal terms cued them that maybe the author did have malicious intent to harm the reputation of DJI (whether that's a good argument or not is out of scope), and because of that the legal team turtled. DJI wanted the author to sign the papers, take the money and shut up. The author wanted to sign the papers, take the money, and advertise the hack.
> maybe the author did have malicious intent to harm the reputation of DJI
In the context of a bug-bounty program, it's not malicious to "harm the reputation" of the entity in question, it's malicious to attempt to profit off the hack itself.
> The author wanted to sign the papers, take the money, and advertise the hack.
Of course! It's part of their portfolio.
It's common for security researchers to share details of a hack once it's been fixed. It's not "malicious" to tell the truth.
Well typically that's the point of an embargo, not a perpetual gag order. Though I can see how "we left an AWS directory open" might be embarrassing to have announced to the public, regardless of whether they had time to fix it.
My guess, and it is absolutely only a guess, is that the legal team drawing up the agreement were not versed in writing up agreements like this. As the author said, at one point they included language so vague that it would make participation by anyone in the program at all forbidden. I do not believe that they actually had that intent.
My guess is that once they got this report and the others they received after opening the bounty program, they shit their pants a little. They did not expect 'oh hey, literally every single segment of your system could be taken over by a malicious party right now and you are probably hemorrhaging data that will lose you clients, destroy your reputation, and maybe even get your company into very severe legal trouble.' They realized, also, that this program was not going to be a matter of an obscure $100 or $1000 bug being reported every 6 months or so. They realized that their entire empire was built on sand. Particularly unstable sand at that, prone to explode at any moment. So for a month they had meetings where they kept out absolutely any person with any technical knowledge whatsoever - those people are just the ones that build everything that enables the company to exist or conduct business, they don't know anything that matters. And in those meetings, they formed a plan:
Step 1: Get out of paying the initial bounties.
Step 2: Fix the initial bugs reported, crediting as they have previously their internal team and 'external researchers', giving no hint of who or which things were found by internal folks as opposed to external researchers, etc.
Step 3: Significantly modify the bug bounty program terms to either radically reduce the amount of money awarded or else change who gets to decide 'severity' so that the maximum bounty is never awarded again.
I imagine they see this as several problems. Losing face and looking exactly as competent as they are is a big one, signified by how they have handled and fixed prior bug reports and also how they responded throughout this process. Losing money, although it is objectively and by all reason a microscopic sum of money to "lose" (I cannot imagine for a heartbeat that they see this as the ridiculously lucrative investment it actually is), with little to no ability to predict the eventual overall magnitude of the loss. Are they going to have $30k findings every year? Month? Week? DAY? They likely see their infrastructure as Swiss cheese and their technical team as incompetent right now. Since they are 'business people' and do not sully themselves with technical knowledge, their imagination gets to run wild. The idea of one bad person destroying their company in an afternoon is something hypothetical and far away, so it doesn't even enter their mind. They see only the truck that is bearing down upon them right now, and bleeding $3 million on this program in the first year alone probably doesn't seem out of the realm of possibility. They also desperately need no one to ever find out about this. Those .gov customers? They get wind of this and they are smoke. They will never be seen again and are probably a large part of the future roadmap of the company. This is an extinction-level event.
I hope my guess is very off-base and totally wrong. If it's not... I'd be surprised if it's more than 30 days before we are hearing about the author being brought up on as many charges as their legal team can find.
Clauses that he considered limiting to his freedom of speech seemed quite reasonable to me but then I remembered he's active in the drone jailbreaking scene so they do interfere with that.
Such clauses are basically impossible to enforce in the US. It's called 'Prior Restraint' and courts look extremely poorly on it. You can forbid people from lots of things, but forbidding them from saying certain things? You can do that if you are the government yourself... and basically no one else.
Is there not an official standard / "best practices" document for what each party should follow with bug reporting / bounty procedures? Something that anyone in a company that's starting a bug bounty program can point their legal department to, and say: "here's what amazon and google and X and Y and Z follow, so we should do the same"? From the security researcher perspective, there's the responsible disclosure stuff. But not much from the other side, AFAIK.
Here's another DJI story which demonstrates their incompetence.
At EAA Oshkosh 2017 (the premier event of the year for private pilots and experimental aircraft fans of every stripe), DJI had set up a large tent to show off their newest drones. I walked in and asked to see a demo. Mind you, they had an outdoor flying area adjacent to the tent that was fully enclosed with netting. There was no way a drone could have escaped.
"Can't do a demo," the DJI rep said. "We're waiting on a firmware upgrade from China. None of the drones are working."
"Um, why?" I asked.
"Because the firmware in the drones contains a database of all known aircraft control towers and every drone has GPS. When it sees the drone is within [a few] miles of a control tower, it shuts down the drone. And right now we're only about 100 feet from a control tower."
"But you're inside a netted enclosure?"
"The firmware doesn't know that. The new firmware we're waiting on includes an exception for this location."
I don't know if the upgrade ever arrived, but this episode taught me I don't want a DJI product. DJI probably lost hundreds of thousands of dollars in sales because of that boneheaded move.
It's too bad they couldn't update the firmware in time, but it sounds like they did the responsible thing and built their drones to be safe. Do we really need a drone with an easily flippable "Trust me, I know this is a no-fly zone but I have made precautions to be perfectly safe!" switch?
Almost a case here for someone to start up a BBaaS (Bug Bounty as a Service)?
They could act as the 'go between' for the SaaS or manufacturer, as well as protect the privacy (and possibly identity) of the bounty hunters. The BBaaS could have tried and tested boilerplate terms and conditions for both parties, as well as handle the reward payouts and filing/validating of reports.
It's perfectly readable on a computer screen or printed paper, that's what PDF is designed for. Are you on a mobile device?
Anyway, the short of it is the unsurprising fact that when DJI was pressed to actually deliver the money, instead of offering the bug bounty they promised, they instead used their lawyers and the CFAA to try to attack and silence the author.
In many ways I believe this is the value of HackerOne (they effectively administer bug bounties on behalf of other companies).
They understand what is reasonable, necessary and/or expected by both the security community AND company/legal, and can work as a party to both sides with standard agreements, suggestions, etc.
dkersten | 8 years ago
How were you fired because of that story?
baud147258 | 8 years ago
Myself, I'd say if you are not much interested in bug bounties, it's not worth reading; it's mostly just drama between the writer and DJI.
pbhjpbhj | 8 years ago
EFF?