Following the example of many international companies, such as Microsoft, Amazon, Google and Facebook, DJI decided to launch a platform through which anyone outside the company who discovers a problem or flaw that could affect the safety of consumers of its products can report it in a very simple way and receive a reward in return.
As we have come to expect, this is a very tempting and interesting initiative for the many advanced users capable of detecting this type of problem: they normally receive a substantial financial reward that encourages them to keep working on such findings, while the company can significantly improve the security of its services, especially those that handle its customers' private data, such as personal information, photos, videos or flight records.
DJI threatens a user who asked for his reward after finding a security flaw in its servers
At this point I want to tell you about the case of Kevin Finisterre, a software engineer who detected a security flaw in DJI's servers that allowed him to access private customer information. The problem was that the company had inadvertently published the private key of the SSL certificate it used, as well as the AES key used to sign its drones' firmware updates as authentic.
When Kevin Finisterre noticed this error, he decided to write to DJI and ask whether its servers were within the scope of the bug bounty program, to which DJI itself replied with a "Yes". With that answer he began to investigate and discovered that the private key of the company's digital certificate had been sitting in a GitHub repository for more than four years, and that some of its Amazon Web Services accounts were marked as public, so any user could access thousands of files, invoices, photos of people and more.
On the strength of this investigation, Kevin Finisterre began to gather information and file hundreds of reports, an effort that ultimately resulted in around 130 emails to DJI detailing the security problems he had found on its servers. DJI's response was to state that the servers were no longer part of the bounty program, although shortly afterwards he received an email informing him that he had qualified for the highest reward tier, which meant a payout of US$30,000.
Shortly after that, he received an email with a contract that required him not to discuss publicly any details of the work he had done, while at the same time forcing him to state that he had never done any security work for DJI. Not long afterwards it was DJI's legal department that contacted him, demanding that he destroy all information and data discovered during the investigation if he did not want to face legal charges.