
Walking away from $30,000 of DJI bounty money [pdf] - druml
https://regmedia.co.uk/2017/11/16/whyiwalkedfrom3k.pdf
======
fencepost
"In the days following no less than 4 lawyers told me in various ways that the
agreement was not only extremely risky, but was likely crafted in bad faith to
silence anyone that signed it."

The whole article sounds like a mishmash of incompetence, being unprepared,
and having a legal team not really interested in having a robust or even good
bounty program. Basically a bounty program driven by Marketing and/or Legal to
be able to say "we take bugs seriously" rather than by Engineering with an
interest in actually getting problems resolved.

~~~
ryandrake
It's almost as if they decided to do this without remembering to tell their
lawyers what a Bug Bounty program is.

Every time I read a story about a company bumbling their way through some
obviously poorly conceived PR problem (see also: Logitech's recent
announcement that they'll be bricking one of their products), I think to
myself, "What on earth was that meeting like?" You know, the meeting where
they are supposed to plan what to say, how to say it, what actions to take
when, what contingency plans, etc. Those things that grown-up companies do
when they interact with their customers or the public. I mean, was it really
as incompetent as, "I know, let's offer a bug bounty, and then threaten legal
action against people who participate! That will surely help our image!" Was
there not one person around that conference room who thought to raise their
hand and say, "Now hang on a minute--we might not be thinking this through..."

~~~
fencepost
Perhaps I've just gotten cynical as I aged, but I find that I'm a lot less
willing to ascribe things like this to Hanlon's Razor[0] than I used to be.

[0] Variations on "Never ascribe to malice that which is adequately explained
by stupidity."

~~~
Xylakant
Sufficiently advanced incompetence is indistinguishable from actual malice.

I'm still willing to accept that the root cause is often not actual malice,
but I don't actually care if the damage is done because somebody wanted to
inflict it or just ignored all warnings and forged ahead, no matter the cost.
The damage done to others is the same.

~~~
staticautomatic
Interestingly, "the law" in the U.S. generally agrees with you, insofar as it
tends to put "reckless disregard" in the same category as malice.

~~~
otakucode
In technical fields (notably very much not including anything involving a
computer or software) there is also 'criminal negligence'. In things like
construction, if the executives ignore and disempower the engineers and put
business goals ahead of things like structural integrity or safety of the
public, those executives go to prison. I'm not sure how much longer that will
remain absent from anything computer-related but thus far companies can
straight up kill people out of bold aggressive negligence of this sort and the
courts just shrug their shoulders. We saw that with Toyota and their
"unintended acceleration" killings. Multiple bodies, but when charged with
criminal negligence, the courts basically said 'it's computers, nobody knows
how they work.'

It didn't matter that Toyota lied and claimed their cars' computers used error
correcting RAM but they cheaped out and saved a fraction of a cent on each car
by using non-error-correcting RAM. It didn't matter that their developers
didn't even have access to a bug tracker. It didn't matter that they didn't
have access to static analysis tools (which when used on the code afterward
found the problem instantly). It didn't matter that the automotive industry
has 90+ practices recognized as "required" or "recommended" and Toyota's code
followed only 4 of them.

There is literally no degree of negligence which is great enough to cause a
court (in the US anyway) to judge a corporation as having been criminally
negligent if a computer or software is involved. And it's reflected in the
established business practices of most companies. They hire the cheapest
"labor" they can find, deprive them of the tools and work environment needed
to do their job competently, ignore any warnings about safety, security,
correctness, or other technical issues in deference to business goals, etc.

And it'll be the worst of the worst who gets a fully autonomous car on the
market and careening down your street first. And when it hits your car or
(hopefully not) your kid - the company will skate away absolutely unscathed.

~~~
staticautomatic
Criminal negligence is, indeed, rare in the courts. However, in civil cases
there's still regular old negligence, gross negligence, and in some states,
"active negligence," not to mention all the other causes of action which can
put punitive damages on the table.

------
ukulele
TL;DR: DJI rolled out a bug bounty program from $100-$30,000 but it was vague
and poorly executed. Author found AWS keys and subsequent data, to which DJI
responded with onerous legal terms and threats. After many weeks of back and
forth, author walked away.

~~~
mcguire
DJI? The drone maker?

~~~
jwilk
Yes: https://www.dji.com/newsroom/news/dji-to-offer-bug-bounty-rewards-for-reporting-software-issues

------
spydum
Sounds like DJI kicked off a bounty program and didn't have their ducks in a
row on setting bounty scope, legal terms, or process. Researcher found PII
leaks and keys to some pretty sensitive stuff, and DJI didn't know how to
respond.

After DJI dragging it out for weeks, giving overly broad terms, and sending a
poorly crafted CFAA threat (which if charitably interpreted was just to ensure
he deleted any sensitive material), researcher walked away after being
frustrated by the time sink.

~~~
Bartweiss
Honestly, it looks like DJI was hoping for a 'soft launch', getting a few tame
bugs and negotiating with researchers to hammer out details. (Or framed more
cynically, using the researchers as unpaid advisors on how to set up a bounty
program.)

Instead, they got a stack of catastrophic, maximum-severity issues right away
and panicked.

------
chakalakasp
Being stingy with big bounty money seems so shortsighted - if you are going to
have a B.B. program and encourage people to suss out exploits, why would you
then want to piss those people off? It’s not like there isn’t a completely
separate market out there for the same exploits run by people you’d
collectively refer to as “the enemy”.

~~~
sandworm101
The problem with such negotiation is that at the moment someone even describes
the bug they have found, they eliminate the possibility of selling to anything
other than the BB program. If you describe your bug to them, but then the BB
negotiations go south and you walk away, you are a suspect in any future
exploit of that bug. So the BB program knows that they have the researcher on
the hook from the moment he makes contact.

~~~
supergreg
What about publicly announcing it so anyone can make the exploit?

~~~
dingo_bat
Or announce it publicly and then hack them yourself.

~~~
pc86
Also known as "commit multiple felonies."

~~~
gatmne
I'd call it plausible deniability.

~~~
pavel_lishin
I'd also delete that comment, as it might harm any future legal defense.

~~~
pbhjpbhj
On the web there is no delete!

~~~
mkagenius
fun thread

------
jstewartmobile
Freelance pentesting in a nutshell:

    1. Research and find vulnerabilities
    2. Apply for bounty
    3. Parry legal threats
    4. Exit empty-handed

~~~
logfromblammo
Alternately:

    1. Research and find vulnerabilities
    2. Notify company in good faith
    3. Parry legal threats
    4. Embargo for a reasonable amount of time
    5. Parry legal threats
    6. Publish report
    7. Parry legal threats
    8. Get academic prestige
    9. Parry legal threats
    10. Blog on emerging exploits
    11. Parry legal threats

Another option:

    1. Research and find vulnerabilities
    2. Sell on black market
    3. Get paid, possibly several times
    4. Die in suspicious car crash

~~~
legohead
The situations could be avoided if the "security researchers" would ask
permission first, or simply deal with companies who have an established (and
validated) bounty program.

~~~
jstewartmobile
Made the original comment because my friends who do this professionally for a
fortune 500 company share the same tales of woe--that would probably end just
as badly if they weren't operating under the safety of a corporate megabucks
legal department.

------
WhitneyLand
tldr:

DJI started a bug bounty program, but mismanagement and dick moves ended up
costing a guy a deserved 30k bounty.

longer tldr:

The problems found revealed they were in fact in desperate need of the help.

The program was managed poorly. DJI had a chance to correct the situation, but
instead acted in bad faith to researchers who had gone out of their way to
help them, even threatening legal action for no good reason.

The guy legit earned the 30k bounty, but effectively had no way to get the
money due to legal threats and/or requirements to sign draconian restrictive
legal documents.

Important subject, interesting story, takes forever to get to the point. Reads
like this was partially due to the guy having no sleep and being worn down
after a long period of emotional exasperation.

~~~
otakucode
What depresses me about it is that many people, probably even many of the
author's colleagues and readers here, do not feel that he has any right to that
money. There are suggestions that even the author himself does not feel he has
earned it. This is a pretty big philosophical problem, but it's very
worrisome. At least in certain cultures, people are willing to take
significant personal losses just to prevent someone else from "getting a
windfall". There is even behavioral research about this tendency, the
'Ultimatum Game' research is pretty much centered around it.

I agree with you entirely, he earned the $30k bounty and DJI is both morally
and, one would hope, legally culpable in trying to defraud him of $30k. While
it sounds like a great deal of money for "not much work" (we are, I suppose,
to take the extensive education and experience utilized as something that
appears from the ether and one is simply anointed with, unearned), it is
really a paltry sum when considered reasonably. How much money has DJI saved
by not hiring staff capable of building the system correctly in the first
place? How much money would DJI make from retaining the lucrative clients that
will hopefully drop them like a hot potato when they learn of this bungled
exposure of just how little they care about security? (I am guessing that
those .gov clients and any similar will be hearing from their engineers and
getting this document passed up the chain soon. And I don't know about DJI
specifically but at least in the US most companies rely upon the government as
their largest customer.) $30k for the work performed, and the consequences if
handled only as honestly as a child on a playground who makes a promise and
feels bound by it, is a stupendously tiny amount of money. And yet, DJI is so
shortsighted, mean, and cheap that they're not even capable of honoring the
agreements they freely made of their own accord.

Do you think anyone at DJI simply thought that their systems were secure and
no significant bugs would be found? If so... what are those people thinking
now?

~~~
WhitneyLand
yeah, with a bounty program, i think you’re allowed to fix all the easy ones
you want, before announcing the program right?

does logic not force us to admit one of these must be true: Either there are no
easy ones, or a company didn’t invest in fixing the easy ones before
announcing the program?

if we’re forced to admit that, how can this guy be criticized?

------
GCU-Empiricist
I remember reading recently that the U.S. military had to ground all DJI
drones they had in inventory because of suspected hooks in the software and I
was thinking it was just malicious backdoors, interesting to see there's a bit
more of Hanlon's razor in there too.

~~~
fencepost
It almost seems like you might be better off taking the bugs found to the US
military or intelligence agencies to see if you can get bounties from them
instead.

Of course, that puts you in a position of interacting with the US government
on security research.

~~~
Cthulhu_
I'm actually fairly sure this happens; there's a big underground market for
selling exploits, and I'm sure the NSA and other international intelligence
agencies are some of the major buyers.

The bug bounty programs are basically a counteroffer to those.

~~~
Bartweiss
Aboveground, even - I've seen claims that brokers will allow seller's
discretion on where exploits can go. (E.g. "NATO only".) Northrop Grumman,
Raytheon, and Lockheed are commonly listed as zero day buyers. Presumably
those channels either get passed on to American intelligence, or used
defensively to make a "safer than the competition" claim.

It's certainly fairly overt, though I don't know the legal standing. Whether
or not a researcher broke CFAA in _finding_ a bug, is describing it to a third
party a criminal act?

~~~
willstrafach
CFAA would apply only if the bug involved unauthorized access to the company’s
servers (The violation being the researcher accessing them to validate).

The zero days you refer to would instead be vulnerabilities in software which
a researcher would test against local software / hardware they own, not only
for legal reasons, but also because actively probing a web server can set off
alarm bells (Making access less useful after validation).

------
alkrieger
Fck, man. I was fired from DJI because of all that story. I was nowhere
connected to things you found and privacy disclosure. I just had a small
repository with an Unreal Engine plugin to use open source exif library
inside our internal project.

But on the other hand, really thank you, working in DJI is not so good anyway.

~~~
dkersten
> I was nowhere connected to things you found and privacy disclosure. I just
> had a small repository with an Unreal Engine plugin to use open source exif
> library inside our internal project.

How were you fired because of that story?

~~~
rasz
I can totally see this happening. In China truth doesn't exist, there is only
illusion of truth propped by guanxi/mianzi.

Carpet bombing all DJI github repos and openly accessible employee projects is
something I would expect from a Chinese company trying to pretend the whole thing
never happened.

~~~
dkersten
Ah... that sucks

------
ColanR
Sounds like they got the report for free. Maybe the incompetence was just a
way of getting out of paying the bounty.

~~~
oxguy3
I would hope they're not dumb enough to think that's a good idea. That trick
only works once.

~~~
ColanR
We wish...it 'only works once' if the linked article prevents anyone from
submitting bugs again.

------
matthewaveryusa
From DJI's perspective I think they don't have experience with bug bounties so
the legal team drafted something not expecting a fight, especially when they
offered 30k. Seeing the back-and-forth on legal terms cued them that maybe
the author did have malicious intent to harm the reputation of DJI (whether
that's a good argument or not is out of scope.) and because of that the legal
team turtled. DJI wanted the author to sign the papers, take the money and
shut up. The author wanted to sign the papers, take the money, and advertise
the hack.

~~~
emmab
> maybe the author did have malicious intent to harm the reputation of DJI

In the context of a bug-bounty program, it's not malicious to "harm the
reputation" of the entity in question, it's malicious to attempt to profit off
the hack itself.

> The author wanted to sign the papers, take the money, and advertise the
> hack.

Of course! It's part of their portfolio.

It's common for security researchers to share details of a hack once it's been
fixed. It's not "malicious" to tell the truth.

------
curiousgal
Clauses that he considered limiting to his freedom of speech seemed quite
reasonable to me but then I remembered he's active in the drone jailbreaking
scene so they do interfere with that.

~~~
otakucode
Such clauses are basically impossible to enforce in the US. It's called 'Prior
Restraint' and courts look extremely poorly on it. You can forbid people from
lots of things, but forbidding them from saying certain things? You can do
that if you are the government yourself... and basically no one else.

~~~
uiri
The government explicitly _can't_ restrict freedom of speech in the US. It is
the first amendment to the Constitution.

I'm not sure why you seem to think that e.g. non-disparagement clauses are
unenforceable in the US.

~~~
otakucode
How can you be unsure? I thought I explained it quite clearly. The courts look
very poorly upon prior restraint of free speech. Non-disparagement clauses in
employment contracts specifically are very dicey and difficult to make stick
in a court of law in the US. Here is an article about it... they can end up
being enforced, but it is unusual: http://chernoff.law/non-disparagement-clauses-can-really-enforced/

------
brodock
I think this is the value in using platforms like HackerOne vs trusting a
random half-baked bug bounty program someone made as crisis management.

------
makmanalp
Is there not an official standard / "best practices" document for what each
party should follow with bug reporting / bounty procedures? Something that
anyone in a company that's starting a bug bounty program can point their legal
department to, and say: "here's what amazon and google and X and Y and Z
follow, so we should do the same"? From the security researcher perspective,
there's the responsible disclosure stuff. But not much from the other side,
AFAIK.

------
dreamcompiler
Here's another DJI story which demonstrates their incompetence. At EAA Oshkosh
2017 (the premier event of the year for private pilots and experimental
aircraft fans of every stripe), DJI had set up a large tent to show off their
newest drones. I walked in and asked to see a demo. Mind you, they had an
outdoor flying area adjacent to the tent that was fully enclosed with netting.
There was no way a drone could have escaped.

"Can't do a demo," the DJI rep said. "We're waiting on a firmware upgrade from
China. None of the drones are working."

"Um, why?" I asked.

"Because the firmware in the drones contains a database of all known aircraft
control towers and every drone has GPS. When it sees the drone is within [a
few] miles of a control tower, it shuts down the drone. And right now we're
only about 100 feet from a control tower."

"But you're inside a netted enclosure?"

"The firmware doesn't know that. The new firmware we're waiting on includes an
exception for this location."

I don't know if the upgrade ever arrived, but this episode taught me I don't
want a DJI product. DJI probably lost hundreds of thousands of dollars in
sales because of that boneheaded move.

~~~
yongjik
It's too bad they couldn't update the firmware in time, but it sounds like
they did the responsible thing and built their drones to be safe. Do we really
need a drone with an easily flippable "Trust me, I know this is a no-fly zone
but I have made precautions to be perfectly safe!" switch?

~~~
vsl
It prevented me from flying at lower-than-trees altitude in a public park a km
or so away, perpendicularly to the approach axis, from a rarely used sports
airfield... Another frequent occurrence is the app threatening to brick the
drone if you don’t update the firmware by a given date. I get the intention,
but the nanny in these expensive things is overly powerful and often wrong.

------
cyberferret
Almost a case here for someone to start up a BBaaS (Bug Bounty as a Service)?

They could act as the 'go between' for the SaaS or manufacturer, as well as
protect the privacy (and possibly identity) of the bounty hunters. The BBaaS
could have tried and tested boilerplate terms and conditions for both parties,
as well as handle the reward payouts and filing/validating of reports.

~~~
jenskanis
Yes, someone already built that: hackerone.com (I worked there)

~~~
mkagenius
Triage people there are behaving like bots, lately.

~~~
TheTaytay
Can you elaborate? (Considering them over a competitor)

------
caio1982
Is this 18-pages-long PDF worth reading at such small font size at all? Honest
question.

~~~
LeifCarrotson
It's perfectly readable on a computer screen or printed paper, that's what PDF
is designed for. Are you on a mobile device?

Anyway, the short of it is the unsurprising fact that when DJI was pressed to
actually deliver the money, instead of offering the bug bounty they promised,
they instead used their lawyers and the CFAA to try to attack and silence the
author.

------
pbhjpbhj
Is there a place for a third-party bug reporting platform that can insulate
security researchers from the companies seeking the disclosures?

EFF?

~~~
Cthulhu_
IIRC Google had a program where they offered bounties for software packages
they don't own. I guess technically it's a third party?

------
lathiat
In many ways I believe this is the value of HackerOne (they effectively
administer bug bounties on behalf of other companies).

They understand what constitutes reasonable, necessary and/or expected by both
the security communities AND company/legal and can work as a party to both
sides with standard agreements, suggestions, etc.

------
goldfeld
Because you don't have financial security concerns?

~~~
level
Probably, but contract issues could lead to a hefty legal bill as well.

------
gjem97
It's not clear to me that OP has consulted a lawyer about this. IANAL, but the
question here is not whether the servers are/were in-scope, but whether DJI
agreed to pay him $30,000 and then later made it a condition that he sign a
contract to get the payment. I hate to be that guy, but it seems like a letter
from a lawyer threatening legal action may change this conversation
completely.

Edit: Please take a look at my comment below before downvoting?

~~~
Raphmedia
> It's not clear to me that OP has consulted a lawyer about this

"I of course still needed to have a lawyer review the terms, even if they were
DJI’s final offer. In the days following no less than 4 lawyers told me in
various ways that the agreement was not only extremely risky, but was likely
crafted in bad faith to silence anyone that signed it." Page 17

~~~
gjem97
Ah, yes, missed that. My point about the agreement stands though. The email on
page 11 appears to state that they owe him $30,000, if he just provides some
demographic info. They then send him a contract weeks later, and use the
phrase "formalizing the terms ... [of] the reward payment" in order to try to
make it look like this is all part of the process. But this is the start of a new
negotiation.

Edit: I'm getting downvotes on my comment above, and maybe it's because I
missed the part where he said he consulted a lawyer, but I have a suspicion
that it's because I suggested the threat of a lawsuit. I know we live (in the
US) in an overly litigious society, but my point is that the company is
(perhaps through disorganization or communication problems) trying to alter
the terms of an existing agreement. This is what contract and tort law is for.
Sometimes the threat of getting the courts involved can cause the other side
to see more clearly what is going on.

~~~
logfromblammo
Wherein they completely renege on paying out the $30000 as previously promised.

Leaving the researcher with a pile of security research that is ostensibly
worth at least $30000 to _somebody_ , no contractual obligations to anybody,
and a possible "unclean hands" defense to any action DJI may subsequently
bring against him.

If I were employed by any intelligence TLA or drone/UAV manufacturer, I'd
already be at their door with a warm smile and a briefcase full of cash.

~~~
grkvlt
Meh. The only entity this is worth USD 30k to is DJI, really. The issues found
were an exposure of personal information on their servers, not a backdoor into
the drone firmware or anything exciting like that, it seems. So no TLA
employees with briefcases of money ;( I guess criminals looking for identity
theft targets might have found it useful, too?

~~~
a_t48
If you have access into their AWS, it's possible that you could either
download the source yourself to find a backdoor (it was unclear if he had that
access) or if none exists, upload one yourself.
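The technical core of this thread, as summarized in ukulele's TL;DR (AWS keys found in public material, then the data those keys unlocked) and picked up again in a_t48's comment about what AWS access would allow, is credentials that should never have been checked in. As an added example that is not code from the PDF, from DJI, or from any commenter, here is a small scanner of the kind a repository pre-commit hook or a bounty triage tool would run over source and config text to catch such keys before they are pushed. The sample config it scans is constructed for this example; the two key values in it are the placeholder credentials AWS uses in its own documentation, not real keys, and the report redacts whatever it finds so that the finding itself does not re-leak the secret.

```python
"""Scan text for AWS credentials that were committed by mistake.

Added example, not code from the PDF, DJI, or any commenter. The sample input
below is constructed; its key values are the placeholder credentials AWS
publishes in its own documentation, not real keys.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# AWS access key IDs are 20 characters: a 4-letter prefix (AKIA for long-lived
# IAM user keys, ASIA for temporary STS keys) followed by 16 uppercase
# alphanumerics. The prefix is distinctive enough to flag on its own.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[A-Z0-9]{16})\b")

# Secret access keys are 40 characters from the base64 alphabet. On their own
# that pattern matches too much (hashes, tokens), so only flag a 40-character
# run when a nearby identifier says it is an AWS secret.
SECRET_KEY_RE = re.compile(
    r"(?i)(?:aws_?secret_?access_?key|secret_?key|aws_?secret)"
    r"\s*[:=]\s*['\"]?([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])"
)


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str      # "access_key_id" or "secret_access_key"
    redacted: str  # the report never carries the full secret


def redact(value: str) -> str:
    """Keep the first and last four characters so the owner can identify
    which key leaked, and mask everything in between."""
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_text(text: str) -> list[Finding]:
    """Return one Finding per credential-looking token, in line order."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append(Finding(line_no, "access_key_id", redact(m.group(1))))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append(Finding(line_no, "secret_access_key", redact(m.group(1))))
    return findings


# Constructed sample: a credentials file of the kind that ends up in a public
# repository. Key values are AWS's documentation placeholders.
SAMPLE = """\
# constructed sample: a config file someone pushed to a public repo
[default]
region = us-west-2
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
# a 40-character token with no label is not reported on its own
build_hash = 0123456789abcdef0123456789abcdef01234567
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f.line_no}: {f.kind} {f.redacted}")
```

Running it reports the access key ID on line 4 and the secret on line 5 and stays silent on the unlabeled 40-character hash. A real hook would exit non-zero on any finding; and once a key is already public, the owner's first step is to deactivate it in IAM rather than to rewrite git history, since a history rewrite does not recall the copies already cloned.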

