DJI in August launched a bug bounty program to reward security researchers for reporting vulnerabilities. Depending on the severity of the problems reported, individuals are eligible for rewards ranging from $100 to $30,000.
Just four days after the program launched, researcher Kevin Finisterre initiated contact with DJI to report a severe issue. DJI's SSL certificates and AES encryption keys were exposed on GitHub, rendering the encryption useless until new keys could be created and new certificates issued.
According to Finisterre, DJI stated that the reported vulnerability was covered under the bug bounty program. After a fairly lengthy exchange of e-mails, DJI demanded strict confidentiality agreements, which were said to prevent Finisterre from publicly taking credit for reporting the vulnerabilities he disclosed. For security researchers, receiving recognition can be just as valuable as a monetary reward.
In order to claim the reward, Finisterre would have had to sign what he considered an unfair contract that offered no protection from future legal action against him. DJI also sent him a threat of charges under the Computer Fraud and Abuse Act.
After talking with multiple lawyers, he decided to walk away from the deal and made his findings public. Feel free to read through his full disclosure essay and draw your own conclusions.
Bug bounty programs are typically designed with an agreement already in place regarding how reports need to be handled to maintain eligibility for a monetary reward. DJI made the mistake of not having a complete agreement already in place at the time the bug bounty program was launched, leading to strong backlash from industry professionals.