Drone maker DJI in cyber-security row over bug bounty

Drone maker DJI has accused a cyber-security researcher of hacking its servers.

Kevin Finisterre claims that he accessed confidential customer information after discovering a private key that had been publicly posted on the code-sharing website Github.

He approached the firm, which offers a "bug bounty" reward of up to $30,000 (£23,000) for security weaknesses found in its systems.

DJI said the server access was "unauthorised".

The data Mr Finisterre was able to see included "unencrypted flight logs, passports, drivers licences and identification cards", he said.

Despite initially offering him the money, in a statement DJI has now accused Mr Finisterre of refusing to agree to the terms of its bug bounty programme, "which are designed to protect confidential data and allow time for analysis and resolution of a vulnerability before it is publicly disclosed".

It added: "DJI takes data security extremely seriously, and will continue to improve its products thanks to researchers who responsibly discover and disclose issues that may affect the security of DJI user data and DJI's products."

It added that it would continue to pay bug bounties in exchange for reports.

Mr Finisterre, an independent security researcher, said DJI tried to make him sign a non-disclosure agreement.

He also published an email from DJI telling him that security issues with servers were included in the bug bounty programme.

‘Freedom of speech’

He said it was almost a month after he sent his report before the full terms were shared with him, and that he believed they "posed a direct conflict of interest to many things including my freedom of speech".

One of the clauses stated that he could not publicly disclose his research without written consent from DJI, according to emails from the firm that he has published in his report.

Usually, security researchers will share their findings with a company, give the firm a time-frame in which to fix the identified bugs, and then publish their work, a practice known as coordinated disclosure.

Bug bounty schemes are offered by many large tech firms as an incentive for people to report security weaknesses rather than exploit them.

Cyber-security expert Prof Alan Woodward from Surrey University said DJI's actions were "outrageous".

"Cyber-security is one of those areas where there is no government organisation or central body or standards agency holding these people to account. It's ethical hackers and security researchers," he said.

"The public has a right to know when there's a security problem."

Published at Mon, 20 Nov 2017 14:06:06 +0000