DJI Offers $30K In Bug Bounty Program Then Threatens To Sue Cybersecurity Researcher

Bug bounty programs have become common in the tech industry, with companies offering money to white hat hackers who will then find security problems for them. DJI did the same thing in August, which resulted in a security researcher finding a severe security flaw in its system. After reporting the discovery of this issue, however, the transaction devolved and now, DJI is threatening to sue him.

The security researcher in question is Kevin Finisterre and he has actually done research for DJI in the past, The Verge reports. In this latest kerfuffle, everything began as normal. The researcher tried to find vulnerabilities in DJI’s system and he did. He then reported this to the company, who then offered to pay him $30,000.

Unfortunately, DJI added the stipulation that Finisterre kept his involvement in the project under wraps and not disclose his findings to the public. This is where the problem comes in.

For a security researcher, being able to claim such an achievement is worth as much or more than the bounty that DJI was offering. The fact that he was prohibited to share his work on the program would deprive him of adding to his value as a white hat hacker. To add insult to injury, the company also referenced the Computer Fraud and Abuse Act in a letter sent to Finisterre, which he took as a threat.

In the end, Finisterre decided that it would be better for him to reject the money and go ahead with publicizing his findings. He did so in a long essay, which also contained details on the rift with DJI.

Companies wanting to keep security flaws a secret is understandable, which is why Apple prefers to do its own security research with its own people. By hiring third-party hackers to do its work for them, however, DJI was basically working with people who also had their reputations to consider.