Chinese tech company DJI is at the centre of a row with a cyber security researcher, who the firm believes hacked into its servers to benefit from a “bug bounty” of up to $30,000.
Kevin Finisterre claims that he found a public key that allowed him access to confidential customer data, including unencrypted flight logs, passports, driver's licences and identification cards.
DJI offers a bug bounty reward for any security weaknesses discovered in its systems.
Despite initially offering the reward to independent security researcher Finisterre, DJI then refused to agree to the terms of the bug bounty, claiming that the server access was “unauthorised”.
In a statement, DJI said: “DJI takes data security extremely seriously, and will continue to improve its products thanks to researchers who responsibly discover and disclose issues that may affect the security of DJI user data and DJI’s products.”
The company added that it would continue to pay bug bounty rewards in exchange for reports.
Finisterre claims that DJI tried to make him sign a non-disclosure agreement, and that it was almost a month after he sent the report to the company before the full terms were shared with him, which he said “posed a direct conflict of interest to many things including my freedom of speech.”
“Cyber security is one of those areas where there is no government organisation or central body or standards agency holding these people to account. It’s ethical hackers and security researchers,” commented cyber security expert Professor Alan Woodward from Surrey University.
“The public has a right to know when there’s a security problem.”