DJI, Researcher in Bug Bounty Row

November 20, 2017

DJI is investigating the reported unauthorized access of one of DJI’s servers containing personal information submitted by our users.

As part of its commitment to customers’ data security, DJI engaged an independent cyber security firm to investigate this report and the impact of any unauthorized access to that data. Today, a hacker who obtained some of this data posted online his confidential communications with DJI employees about his attempts to claim a “bug bounty” from the DJI Security Response Center.

DJI implemented its Security Response Center to encourage independent security researchers to responsibly report potential vulnerabilities. DJI asks researchers to follow standard terms for bug bounty programs, which are designed to protect confidential data and allow time for analysis and resolution of a vulnerability before it is publicly disclosed. The hacker in question refused to agree to these terms, despite DJI’s continued attempts to negotiate with him, and threatened DJI if his terms were not met.

DJI takes data security extremely seriously, and will continue to improve its products thanks to researchers who responsibly discover and disclose issues that may affect the security of DJI user data and DJI’s products. DJI has paid thousands of dollars to almost a dozen researchers who have submitted reports to the Security Response Center and agreed to the terms for payment. As the Security Response Center receives new reports, DJI regularly agrees to pay new bounties to researchers for their discoveries.

DJI Bug Bounty Program Policy

The DJI Bug Bounty Program (the “Program”) and DJI Security Response Center encourage security researchers to contribute to our ongoing efforts in strengthening our data security by responsibly detecting potential vulnerabilities.

By participating in this Program and submitting a vulnerability report to the DJI Security Response Center, you acknowledge that you have read, understood, and agree to be bound by the following terms and conditions:

Scope of the Program

All products and services provided by DJI, including all websites, applications, services, software, firmware, hardware, systems owned, operated or controlled by DJI (“DJI Products and Services”).

  • Websites include *.dji.com, skypixel.com, djicdn.net, detcms.com, djivideos.com, dji.net, robomaster.com, djiservice.org and other websites provided or operated by DJI.
  • Applications include DJI GO App, DJI GO 4 App, DJI Assistant, DJI Assistant 2, DJI Store App, GS Pro App, XT Pro App and other applications provided by DJI.
  • Hardware includes Phantom 3 series, Phantom 4 series, Mavic series, Spark series, Inspire1 series, Inspire2 series, OSMO series, Ronin series, MG series, M series, flight controllers and other products manufactured or provided by DJI.

Out of Scope

The following products, services, and vulnerabilities are outside the scope of the Program:

  • Products and services no longer produced, maintained, or sold by DJI, including outdated or unpatched applications, services, software, firmware;
  • Third-party websites or services, including third party software incorporated in DJI applications;
  • Bugs that simply cause an app to crash;
  • Attacks against DJI infrastructure;
  • Attacks requiring physical access to a user's device;
  • Vulnerabilities dependent upon social engineering techniques (e.g. shoulder attack, stealing devices, phishing, fraud, stolen credentials) and physical attacks;
  • Denial of service attacks that require large volumes of data;
  • Network Provisioning errors;
  • Violation of licenses or other restrictions applicable to any vendor's product;
  • Security bugs in third-party applications (e.g. java, plugins) or websites;
  • Host header injections (unless you can show how they can lead to stealing user data);
  • Self-XSS (User defined payload);
  • Login/logout CSRF;
  • Use of a known-vulnerable library (without evidence of exploitability);
  • Vulnerabilities affecting users of outdated browsers or platforms;
  • Vulnerabilities which require a jailbroken or rooted mobile device.

Your Eligibility and Responsible Disclosure

To be eligible for this Program, you are required to observe the following requirements:

  • You are not the author of the code with your reported vulnerability;
  • You are not employed by DJI directly or indirectly, or an immediate family member of a DJI employee;
  • Your activities are limited to detecting and discovering a potential vulnerability that is within the scope of the Program which may compromise the confidentiality or integrity of DJI user and company information;
  • You must not significantly compromise flight safety or public airspace security during the detecting and discovering process;
  • Information in connection with this Program must be kept confidential. You may not disclose, distribute or demonstrate the vulnerability to any third party or publicly without DJI’s prior written consent;
  • You do not make use of or exploit the vulnerability for any reasons to further probe additional security issues;
  • You do not interact with DJI users’ individual account other than your own testing account without consent of the account owner, including accessing, obtaining or modifying data of such account, or violating or disrupting others' privacy;
  • You do not download, export or store DJI’s data under any circumstances. If you unintentionally or otherwise download, export, store or exfiltrate DJI’s data, you will inform DJI and promptly destroy all copies of such data in your possession;
  • You do not for any reason disrupt others’ use of DJI Products and Services, including the destruction of data, or interruption or degradation of our services. If you act in good faith and accidentally cause such damage during your research, please let us know.
  • You do not otherwise violate any local, state, national, or international law.

Bug Reporting Guidelines

  • You need to create a testing account or register for a DJI account to submit your report.
  • Report Formality. When you discover the bugs, please submit a report to DJI by using the DJI Bug Reporting template (the “Report”), following the instructions in the template and include a detailed description of the bugs or vulnerabilities from which we are able to reproduce the issues and fix them.
  • Please submit the Report online at https://security.dji.com/report. DJI may contact you to confirm the details of your discoveries. By sending the Report, you consent to these DJI Bug Bounty Program terms.
  • We appreciate reports that are submitted in a timely manner. DJI may increase the reward for more efficient reports from researchers.
  • We take every report and the reported bugs/vulnerabilities seriously. Please allow DJI a reasonable period of time to investigate your report and confirm the situation before replying to you substantively.

Bounty Reward

If you are eligible under this Program, DJI may grant to you a monetary reward, determined by DJI at its sole discretion, based on the risk and impact of the reported vulnerability. Rewards will be granted to the first person to discover and report the bug and help to fix such, as determined by DJI. The payment may be made in United States dollars (USD) or other currencies which DJI deems appropriate. The range of the reward will be from $100 USD to $30,000 USD. DJI may make a partial payment when we receive your report and verify the issue, and an additional payment may be made after the vulnerability has been fixed. You will be responsible for any tax arising therefrom.

For more information regarding factors in determining the bounty amounts, please refer to our Reward Amounts and Vulnerability Sensitivity page here.

Identity Publication and Protection

DJI recognizes the significant contributions from security researchers, and we are happy to see that researchers are publicly recognized for their cooperative efforts. DJI may display the names of certain security researchers on the DJI Wall of Security Contribution or other media, with the researchers’ prior consent. DJI has the right to remove the name of any person who is later found not eligible for this Program from the DJI Wall of Security Contribution.

Waiver and Release

By participating in this program and abiding by these terms, DJI grants you limited “authorized access” to its systems under the Computer Fraud and Abuse Act in accordance with the terms of the program and will waive any claims under the Digital Millennium Copyright Act (DMCA) and other relevant laws. Furthermore, if you conduct your security research and vulnerability disclosure activities in accordance with the terms set forth in this policy, DJI will take steps to make known that your activities were conducted pursuant to and in compliance with this policy in the event of any law enforcement or civil action brought by anyone other than DJI.

To the extent that any security research or vulnerability disclosure activity involves the networks, systems, information, applications, products, or services of a non-DJI entity (e.g., third party software), that third party may independently determine whether to pursue legal action or remedies related to such activities. DJI cannot and does not authorize such security research or vulnerability disclosure activity for non-DJI entities. DJI does not authorize, permit, or otherwise allow (expressly or impliedly) any person to engage in any security research or vulnerability or threat disclosure activity that is inconsistent with the terms of this program.

DJI’s Right to Disclose

DJI understands the importance of public disclosure of unknown or novel security flaws to build a common base of knowledge within the security community and to build a safer internet. DJI is committed to disclosing such information to the fullest extent possible. However, DJI in its sole discretion will decide when and how, and to what extent of details, to disclose to the public the bugs/vulnerabilities reported by you.

Termination

If you violate any provision of these Terms, you will be automatically disqualified from this Program, including your eligibility for receiving any bounty rewards from DJI.

Confidentiality

Any information you receive or collect through or in connection with your participation in this Program (“Confidential Information”) must be kept confidential and only used in connection with this Program. You may not use, disclose or distribute any such Confidential Information, including, but not limited to, any information regarding your Report and information you obtain during your research.

Indemnification

You are responsible for your Report, your breach of these Program Terms and/or your improper use of this Program. You will defend and indemnify DJI and its officers, directors, employees, consultants, affiliates, subsidiaries and agents (together, the “DJI Entities”) from and against any and all claims, liabilities, damages, losses, and expenses, including reasonable attorneys' fees and costs, arising out of or in any way connected with: (a) your Report; (b) your violation of any portion of these Terms, any representation, warranty, or agreement referenced in these Terms, or any applicable law or regulation; (c) your violation of any third-party rights, including any intellectual property right or publicity, confidentiality, other property, or privacy right; (d) any dispute between you and any third party; or (e) your improper use of this Program. We reserve the right, at our own expense, to assume the exclusive defense and control of any matter otherwise subject to indemnification by you (without limiting your indemnification obligations with respect to that matter), and in that case, you agree to cooperate with our defense of that claim.

Changes to Program Terms

DJI reserves the right to modify or discontinue this Program at any time, temporarily or permanently, without notice to you. We will have no liability whatsoever on account of any change to this Program or any suspension or termination of your continued participation in the Program.

Contact information

If you have any inquiries regarding the Program (except for submitting a Report), please contact us at bugbounty@dji.com.

DJI Vulnerabilities Rating Guideline

General Principles

DJI evaluates reported vulnerabilities based on their level of severity (critical, high, moderate, low and out of scope), and extent of impact (servers, apps and/or products).

In cases where a reported vulnerability involves multiple levels of severity or a wider extent of impact, DJI would rate such vulnerabilities at the higher level.

DJI will reward responsible security researchers according to the Vulnerabilities Rating Guidelines and Bug Bounty Program Policy outlined on this page.

Exclusion

Vulnerabilities that present negligible security impact or are exploited to conduct a malicious attack against DJI will not be recognized or rewarded. Common examples may include, but are not limited to, the following:

  1. Vulnerabilities discovered by conducting an attack against DJI employees, clients and/or partners, or relying on social engineering techniques (e.g. shoulder surfing, stealing devices, phishing, fraud, stolen credentials);
  2. Vulnerabilities which require a rooted or jailbroken mobile device to make actual impact;
  3. Vulnerabilities within DJI’s lab, staging environments or sandbox;
  4. System vulnerabilities irrelevant to security issues.

Vulnerabilities Rating Guideline - Servers

Vulnerabilities Rating Guideline - Apps

Vulnerabilities Rating Guideline - Products

V1.0, Last Updated: November 16, 2017