"In the days following no less than 4 lawyers told me in various ways that the agreement was not only extremely risky, but was likely crafted in bad faith to silence anyone that signed it."

The whole article sounds like a mishmash of incompetence, being unprepared, and having a legal team not really interested in having a robust or even good bounty program. Basically a bounty program driven by Marketing and/or Legal to be able to say "we take bugs seriously" rather than by Engineering with an interest in actually getting problems resolved.
TL;DR: DJI rolled out a bug bounty program from $100-$30,000 but it was vague and poorly executed. Author found AWS keys and subsequent data, to which DJI responded with onerous legal terms and threats. After many weeks of back and forth, author walked away.
Sounds like DJI kicked off a bounty program and didn't have their ducks in a row on setting bounty scope, legal terms, or process.
Researcher found PII leaks and keys to some pretty sensitive stuff, and DJI didn't know how to respond.

After DJI dragged it out for weeks, gave overly broad terms, and sent a poorly crafted CFAA threat (which, charitably interpreted, was just to ensure he deleted any sensitive material), the researcher walked away, frustrated by the time sink.
Being stingy with big bounty money seems so shortsighted - if you are going to have a B.B. program and encourage people to suss out exploits, why would you then want to piss those people off? It’s not like there isn’t a completely separate market out there for the same exploits run by people you’d collectively refer to as “the enemy”.
Freelance pentesting in a nutshell:

    1. Research and find vulnerabilities
    2. Apply for bounty
    3. Parry legal threats
    4. Exit empty-handed
tldr:

DJI started a bug bounty program, but mismanagement and dick moves ended up costing a guy a deserved 30k bounty.

longer tldr:

The problems found revealed they were in fact in desperate need of the help.

The program was managed poorly. DJI had a chance to correct the situation, but instead acted in bad faith to researchers who had gone out of their way to help them, even threatening legal action for no good reason.

The guy legit earned the 30k bounty, but effectively had no way to get the money due to legal threats and/or requirements to sign draconian, restrictive legal documents.

Important subject, interesting story, takes forever to get to the point. Reads like this was partially due to the guy having no sleep and being worn down after a long period of emotional exasperation.
I remember reading recently that the U.S. military had to ground all DJI drones they had in inventory because of suspected hooks in the software, and I was thinking it was just malicious backdoors; interesting to see there's a bit more of Hanlon's razor in there too.
Fck, man. I was fired from DJI because of all that story. I was in no way connected to the things you found or the privacy disclosure. I just had a small repository with an Unreal Engine plugin to use an open source EXIF library inside our internal project.

But on the other hand, really thank you; working at DJI is not so good anyway.
From DJI's perspective I think they don't have experience with bug bounties, so the legal team drafted something not expecting a fight, especially when they offered 30k. Seeing the back-and-forth on legal terms cued them that maybe the author did have malicious intent to harm the reputation of DJI (whether that's a good argument or not is out of scope), and because of that the legal team turtled. DJI wanted the author to sign the papers, take the money and shut up. The author wanted to sign the papers, take the money, and advertise the hack.
Clauses that he considered limiting his freedom of speech seemed quite reasonable to me, but then I remembered he's active in the drone jailbreaking scene, so they do interfere with that.
Is there not an official standard / "best practices" document for what each party should follow with bug reporting / bounty procedures? Something that anyone in a company that's starting a bug bounty program can point their legal department to, and say: "here's what Amazon and Google and X and Y and Z follow, so we should do the same"? From the security researcher perspective, there's the responsible disclosure stuff. But not much from the other side, AFAIK.
Here's another DJI story which demonstrates their incompetence.
At EAA Oshkosh 2017 (the premier event of the year for private pilots and experimental aircraft fans of every stripe), DJI had set up a large tent to show off their newest drones. I walked in and asked to see a demo. Mind you, they had an outdoor flying area adjacent to the tent that was fully enclosed with netting. There was no way a drone could have escaped.

"Can't do a demo," the DJI rep said. "We're waiting on a firmware upgrade from China. None of the drones are working."

"Um, why?" I asked.

"Because the firmware in the drones contains a database of all known aircraft control towers and every drone has GPS. When it sees the drone is within [a few] miles of a control tower, it shuts down the drone. And right now we're only about 100 feet from a control tower."

"But you're inside a netted enclosure?"

"The firmware doesn't know that. The new firmware we're waiting on includes an exception for this location."

I don't know if the upgrade ever arrived, but this episode taught me I don't want a DJI product. DJI probably lost hundreds of thousands of dollars in sales because of that boneheaded move.
Almost a case here for someone to start up a BBaaS (Bug Bounty as a Service)?

They could act as the 'go between' for the SaaS or manufacturer, as well as protect the privacy (and possibly identity) of the bounty hunters. The BBaaS could have tried and tested boilerplate terms and conditions for both parties, as well as handle the reward payouts and filing/validating of reports.
In many ways I believe this is the value of HackerOne (they effectively administer bug bounties on behalf of other companies).

They understand what constitutes reasonable, necessary and/or expected by both the security communities AND company/legal, and can work as a party to both sides with standard agreements, suggestions, etc.
It's not clear to me that OP has consulted a lawyer about this. IANAL, but the question here is not whether the servers are/were in-scope, but whether DJI agreed to pay him $30,000 and then later made it a condition that he sign a contract to get the payment. I hate to be that guy, but it seems like a letter from a lawyer threatening legal action may change this conversation completely.

Edit: Please take a look at my comment below before downvoting?