fencepost 6 years ago

"In the days following no less than 4 lawyers told me in various ways that the agreement was not only extremely risky, but was likely crafted in bad faith to silence anyone that signed it."

The whole article sounds like a mishmash of incompetence, being unprepared, and having a legal team not really interested in having a robust or even good bounty program. Basically a bounty program driven by Marketing and/or Legal to be able to say "we take bugs seriously" rather than by Engineering with an interest in actually getting problems resolved.

  • ryandrake 6 years ago

    It's almost as if they decided to do this without remembering to tell their lawyers what a Bug Bounty program is.

    Every time I read a story about a company bumbling their way through some obviously poorly conceived PR problem (see also: Logitech's recent announcement that they'll be bricking one of their products), I think to myself, "What on earth was that meeting like?" You know, the meeting where they are supposed to plan what to say, how to say it, what actions to take when, what contingency plans, etc. Those things that grown-up companies do when they interact with their customers or the public. I mean, was it really as incompetent as, "I know, let's offer a bug bounty, and then threaten legal action against people who participate! That will surely help our image!" Was there not one person around that conference room who thought to raise their hand and say, "Now hang on a minute--we might not be thinking this through..."

    • evilantnie 6 years ago

      The road to hell is paved with good intentions. If I had to guess, a well-meaning and experienced engineer or engineering leader proposed launching a legit bug bounty program. Maybe they pitched the idea to their boss, showing them HackerOne or Bugcrowd as an example. Everyone thought it was a good idea, but the further the concept shifted along in development and away from the original engineer, the less people understood what a bug bounty program actually is. By the time it gets through legal, and marketing, and the executive team, it turns into a downside protection effort rather than a quality/security improvement effort. I have to imagine this is pretty common in large organizations that keep their departments siloed off from one another, reducing collaboration.

      • ghostbrainalpha 6 years ago

        Do you work.... where I work?

        Because that sounds like where I work.

        • foobarbecue 6 years ago

          Yeah, I work there too. The weird little rock between Venus and Mars covered in bureaucrats and other insects?

    • jordanb 6 years ago

      I think the GP had it: Key stakeholders were not interested in a real bug bounty. The bug bounty project was a Public Relations exercise.

      Being able to say "we have a $30,000 bug bounty program and nobody has claimed it" would be extremely attractive.

      • chrishacken 6 years ago

        I think it's more probable that they had the right intentions in the beginning, but then realized how much money these vulnerabilities might cost to fix because they had no easy way to resolve them without recalls. So rather than fix the issues and lose millions of dollars they just tried to hide them.

        • vsl 6 years ago

          Everything by DJI, even the freaking batteries, has updatable firmware. Recall need unlikely.

    • otakucode 6 years ago

      What you are seeing is a sort of 'tip of the iceberg' phenomenon. It is one of the multitude of consequences of in-person human interaction. Half-said, half-understood notions; half of the statements spoken being nothing more than jockeying for social status; precise language looked down upon as too severe, so adapted into vague statements that people don't ask for clarification of for fear of looking stupid. Tall people and charismatic people most often getting their way. Introverts with factual points to raise demur and go unheard. Things drag on until someone with a forceful personality drives forward an idea through sheer dominance and beats aside any opposition.

      And then you get a public action that looks nonsensical. Because the process that formed it was in every way NOT optimized to produce the objectively correct action. In-person interaction is a cancer on the workplace and always has been, though it was far less visible in workplaces where the majority of people were standing on an assembly line putting together the same widget every single day without thinking. In today's world, where mental work is the primary economic activity, it is unavoidable and tremendously destructive. We will look back with amazement on how long we permitted this to linger on for no reason other than the fear the management class has of being made irrelevant by the tools that coordinate and facilitate radically better coworker interaction, and the fear of those with forceful personalities of being caught with their pants down when tested on their merits (not that they necessarily will fail on those merits, but personal fears like that are rarely well-founded or rational).

      • ratacat 6 years ago

        What exactly are you suggesting? We only communicate with email?

        • hennsen 6 years ago

          Get the "charismatic" marketing and economy idiots out of businesses and build more introvert-engineer-founded companies :) Even Google was great back in the times when they were less economist and marketing expert driven...

    • fencepost 6 years ago

      Perhaps I've just gotten cynical as I aged, but I find that I'm a lot less willing to ascribe things like this to Hanlon's Razor[0] than I used to be.

      [0] Variations on "Never ascribe to malice that which is adequately explained by stupidity."

      • Xylakant 6 years ago

        Sufficiently advanced incompetence is indistinguishable from actual malice.

        I'm still willing to accept that the root cause is often not actual malice, but I don't actually care if the damage is done because somebody wanted to inflict it or just ignored all warnings and forged ahead, no matter the cost. The damage done to others is the same.

        • staticautomatic 6 years ago

          Interestingly, "the law" in the U.S. generally agrees with you, insofar as it tends to put "reckless disregard" in the same category as malice.

          • otakucode 6 years ago

            In technical fields (notably very much not including anything involving a computer or software) there is also 'criminal negligence'. In things like construction, if the executives ignore and disempower the engineers and put business goals ahead of things like structural integrity or safety of the public, those executives go to prison. I'm not sure how much longer that will remain absent from anything computer-related, but thus far companies can straight up kill people out of bold, aggressive negligence of this sort and the courts just shrug their shoulders. We saw that with Toyota and their "unintended acceleration" killings. Multiple bodies, but when charged with criminal negligence, the courts basically said 'it's computers, nobody knows how they work.'

            It didn't matter that Toyota lied and claimed their cars' computers used error-correcting RAM when they had cheaped out and saved a fraction of a cent on each car by using non-error-correcting RAM. It didn't matter that their developers didn't even have access to a bug tracker. It didn't matter that they didn't have access to static analysis tools (which, when used on the code afterward, found the problem instantly). It didn't matter that the automotive industry has 90+ practices recognized as "required" or "recommended" and Toyota's code followed only 4 of them.

            There is literally no degree of negligence which is great enough to cause a court (in the US anyway) to judge a corporation as having been criminally negligent if a computer or software is involved. And it's reflected in the established business practices of most companies. They hire the cheapest "labor" they can find, deprive them of the tools and work environment needed to do their job competently, ignore any warnings about safety, security, correctness, or other technical issues in deference to business goals, etc.

            And it'll be the worst of the worst who gets a fully autonomous car on the market and careening down your street first. And when it hits your car or (hopefully not) your kid - the company will skate away absolutely unscathed.

            • staticautomatic 6 years ago

              Criminal negligence is, indeed, rare in the courts. However, in civil cases there's still regular old negligence, gross negligence, and in some states, "active negligence," not to mention all the other causes of action which can put punitive damages on the table.

            • hennsen 6 years ago

              Well, this computer and internet stuff, it’s all new, and it’s so complex for lawmakers and a judge or jury to understand...

              (Thanks for the hint, seems about right to not travel to the US anymore if border control and software companies can fuck you up that much)

      • hinkley 6 years ago

        Never attribute to stupidity that which is adequately explained by laziness.

      • hennsen 6 years ago

        There's one more option besides malice and stupidity: ignorance.

        It might count as stupidity, though, to have no clues about things and be so ignorant about it that you are not willing to do anything or listen to anybody that could change this cluelessness... ;)

    • hinkley 6 years ago

      I’ve worked at several software companies where the lawyers thought it was their company, not ours. All you can do is move on and warn others.

ukulele 6 years ago

TL;DR: DJI rolled out a bug bounty program from $100-$30,000 but it was vague and poorly executed. Author found AWS keys and subsequent data, to which DJI responded with onerous legal terms and threats. After many weeks of back and forth, author walked away.

  • clay_to_n 6 years ago

    > DJI responded with onerous legal terms and threats.

    And they sent him threats after they offered him the highest ($30,000) bounty, waited a month doing nothing, and then finally sent him a terribly restrictive non-disclosure agreement which he'd have to sign to actually get the cash.

  • optimuspaul 6 years ago

    Thanks, I barely made it through page 2 and lost interest very fast after that. Got a bit too "cute" with formatting and style.

spydum 6 years ago

Sounds like DJI kicked off a bounty program and didn't have their ducks in a row on setting bounty scope, legal terms, or process. Researcher found PII leaks and keys to some pretty sensitive stuff, and DJI didn't know how to respond.

After DJI dragged it out for weeks, gave overly broad terms, and sent a poorly crafted CFAA threat (which, charitably interpreted, was just to ensure he deleted any sensitive material), the researcher walked away after being frustrated by the time sink.

  • Bartweiss 6 years ago

    Honestly, it looks like DJI was hoping for a 'soft launch', getting a few tame bugs and negotiating with researchers to hammer out details. (Or framed more cynically, using the researchers as unpaid advisors on how to set up a bounty program.)

    Instead, they got a stack of catastrophic, maximum-severity issues right away and panicked.

chakalakasp 6 years ago

Being stingy with big bounty money seems so shortsighted - if you are going to have a B.B. program and encourage people to suss out exploits, why would you then want to piss those people off? It’s not like there isn’t a completely separate market out there for the same exploits run by people you’d collectively refer to as “the enemy”.

  • sandworm101 6 years ago

    The problem with such negotiation is that at the moment someone even describes the bug they have found, they eliminate the possibility of selling to anything other than the BB program. If you describe your bug to them, but then the BB negotiations go south and you walk away, you are a suspect in any future exploit of that bug. So the BB program knows that they have the researcher on the hook from the moment he makes contact.

    • supergreg 6 years ago

      What about publicly announcing it so anyone can make the exploit?

      • dingo_bat 6 years ago

        Or announce it publicly and then hack them yourself.

        • pc86 6 years ago

          Also known as "commit multiple felonies."

          • gatmne 6 years ago

            I'd call it plausible deniability.

            • pavel_lishin 6 years ago

              I'd also delete that comment, as it might harm any future legal defense.

              • pbhjpbhj 6 years ago

                On the web there is no delete!

jstewartmobile 6 years ago

Freelance pentesting in a nutshell:

   1. Research and find vulnerabilities
   2. Apply for bounty
   3. Parry legal threats
   4. Exit empty-handed

  • logfromblammo 6 years ago

    Alternately:

      1. Research and find vulnerabilities
      2. Notify company in good faith
      3. Parry legal threats
      4. Embargo for a reasonable amount of time
      5. Parry legal threats
      6. Publish report
      7. Parry legal threats
      8. Get academic prestige
      9. Parry legal threats
      10. Blog on emerging exploits
      11. Parry legal threats
    Another option:

      1. Research and find vulnerabilities
      2. Sell on black market
      3. Get paid, possibly several times
      4. Die in suspicious car crash

    • busterarm 6 years ago

      Which is why my favorite is:

        1. Research and find vulnerabilities
        2. Publish publicly immediately

      • tgsovlerkhgsel 6 years ago

        My current favorite:

          1. Research and find vulnerabilities
          2. Research company
          3. Notify company in good faith depending on result.
        If they have recently misbehaved towards people disclosing vulnerabilities, publish publicly immediately.

        If they respond with any sort of legal threats, stop communicating with them and publish publicly immediately.

        If I expect the company to be reasonable (e.g. has a bug bounty, is known to respond reasonably, or even just is a tech company that can be expected to have a clue) I contact them openly, otherwise, I consider either contacting them anonymously first, or (especially if I don't like them and don't want to deal with them) publish.

        • busterarm 6 years ago

          Respectfully, I'm going to default back to what I said.

          The "notify in good faith" really just fosters a culture of "scratch my back, I'll scratch yours". Frankly, as a white-hat researcher you can be as much of a bad actor as any company, and this is a sort of moral hazard that fosters a culture of unfairness and insecurity. If you really care about the overall security of the industry or consumers, you will publish immediately and leave the moral hazard of "perks/special treatment" off the table.

          The companies that are reasonable in the way that you describe would not be materially harmed by such a disclosure and do not (okay, rarely) have the most egregious kinds of bugs. It raises the bar for everyone to do this.

          Basically, it's not about you; don't make it about you; just publish. Every day that you do not publish, some client could be catastrophically affected by the bug and the company could be seriously dragging-ass on the fix. You have no visibility into this.

          (Side note: I'm a developer and I build all of my infrastructure. Getting caught with my pants down by a vulnerability disclosure would totally fucking suck and be 100% my fault. It's my neck on the line. So yes, it will suck, and I might hate you a little, but then I'll realize it's my screw-up and that I need better processes to proactively solve these.)

    • legohead 6 years ago

      The situations could be avoided if the "security researchers" would ask permission first, or simply deal with companies who have an established (and validated) bounty program.

      • jstewartmobile 6 years ago

        Made the original comment because my friends who do this professionally for a Fortune 500 company share the same tales of woe--that would probably end just as badly if they weren't operating under the safety of a corporate megabucks legal department.

      • otakucode 6 years ago

        The situations could be avoided if the companies hired developers who have heard the word 'security' before, or got training for their engineers to learn secure coding practices and their sysadmins to learn secure server setup. If they're not going to make the effort to do those simple things, why should anyone else consider tip-toeing around the scumbags slapping together anything they can get to marginally work and then endangering the public with it?

WhitneyLand 6 years ago

tldr:

DJI started a bug bounty program, but mismanagement and dick moves ended up costing a guy a deserved 30k bounty.

longer tldr:

The problems found revealed they were in fact in desperate need of the help.

The program was managed poorly. DJI had a chance to correct the situation, but instead acted in bad faith toward researchers who had gone out of their way to help them, even threatening legal action for no good reason.

The guy legit earned the 30k bounty, but effectively had no way to get the money due to legal threats and/or requirements to sign draconian restrictive legal documents.

Important subject, interesting story, takes forever to get to the point. Reads like this was partially due to the guy having no sleep and being worn down after a long period of emotional exasperation.

  • otakucode 6 years ago

    What depresses me about it is that many people, probably even many of the author's colleagues and readers here, do not feel that he has any right to that money. There are suggestions that even the author himself does not feel he has earned it. This is a pretty big philosophical problem, but it's very worrisome. At least in certain cultures, people are willing to take significant personal losses just to prevent someone else from "getting a windfall". There is even behavioral research about this tendency; the 'Ultimatum Game' research is pretty much centered around it.

    I agree with you entirely, he earned the $30k bounty and DJI is both morally and, one would hope, legally culpable in trying to defraud him of $30k. While it sounds like a great deal of money for "not much work" (we are, I suppose, to take the extensive education and experience utilized as something that appears from the ether and one is simply anointed with, unearned), it is really a paltry sum when considered reasonably. How much money has DJI saved by not hiring staff capable of building the system correctly in the first place? How much money would DJI make from retaining the lucrative clients that will hopefully drop them like a hot potato when they learn of this bungled exposure of just how little they care about security? (I am guessing that those .gov clients and any similar will be hearing from their engineers and getting this document passed up the chain soon. And I don't know about DJI specifically but at least in the US most companies rely upon the government as their largest customer.) $30k for the work performed, and the consequences if handled only as honestly as a child on a playground who makes a promise and feels bound by it, is a stupendously tiny amount of money. And yet, DJI is so shortsighted, mean, and cheap that they're not even capable of honoring the agreements they freely made of their own accord.

    Do you think anyone at DJI simply thought that their systems were secure and no significant bugs would be found? If so... what are those people thinking now?

    • WhitneyLand 6 years ago

      Yeah, with a bounty program, I think you're allowed to fix all the easy ones you want before announcing the program, right?

      Does logic not force us to admit one of these must be true: either there are no easy ones, or the company didn't invest in fixing the easy ones before announcing the program?

      If we're forced to admit that, how can this guy be criticized?

GCU-Empiricist 6 years ago

I remember reading recently that the U.S. military had to ground all DJI drones they had in inventory because of suspected hooks in the software and I was thinking it was just malicious backdoors, interesting to see there's a bit more of Hanlon's razor in there too.

  • fencepost 6 years ago

    It almost seems like you might be better off taking the bugs found to the US military or intelligence agencies to see if you can get bounties from them instead.

    Of course, that puts you in a position of interacting with the US government on security research.

    • Cthulhu_ 6 years ago

      I'm actually fairly sure this happens; there's a big underground market for selling exploits, and I'm sure the NSA and other international intelligence agencies are some of the major buyers.

      The bug bounty programs are basically a counteroffer to those.

      • Bartweiss 6 years ago

        Aboveground, even - I've seen claims that brokers will allow seller's discretion on where exploits can go. (E.g. "NATO only".) Northrop Grumman, Raytheon, and Lockheed are commonly listed as zero-day buyers. Presumably those channels either get passed on to American intelligence, or used defensively to make a "safer than the competition" claim.

        It's certainly fairly overt, though I don't know the legal standing. Whether or not a researcher broke CFAA in finding a bug, is describing it to a third party a criminal act?

        • willstrafach 6 years ago

          CFAA would apply only if the bug involved unauthorized access to the company’s servers (The violation being the researcher accessing them to validate).

          The zero days you refer to would instead be vulnerabilities in software which a researcher would test against local software / hardware they own, not only for legal reasons, but also because actively probing a web server can set off alarm bells (Making access less useful after validation).

      • otakucode 6 years ago

        I can't recall the name of the site off the top of my head, but I know there is at least one site which ostensibly functions as a marketplace for selling security vulnerabilities to government and other "trustworthy" (ow my sides...) organizations. My understanding is that that site actually pays some very competitive prices against the black market. And heck, even if they are not USING the vulnerabilities and simply turning around and disclosing them to the manufacturers while driving up the prices cybercriminals have to pay... that seems like a grand idea to me personally.

    • clay_to_n 6 years ago

      Vupen launched Zerodium fairly recently, which is a bug bounty program to do exactly this. Though I think they sell to other government agencies besides just the U.S.

      Largest exploit type goes for up to $1.5MM: https://zerodium.com/program.html

      • switz 6 years ago

        Found a bug -- they override the browser's scrollbar.

      • ColanR 6 years ago

        Wow. I'm surprised that I didn't hear about this before.

    • GCU-Empiricist 6 years ago

      Only doing that if I go back to the beltway and go to work for at or as a contractor for a TLA.

alkrieger 6 years ago

Fck, man. I was fired from DJI because of all that story. I was nowhere connected to the things you found and the privacy disclosure. I just had a small repository with an Unreal Engine plugin to use an open source EXIF library inside our internal project.

But on the other hand, really thank you, working in DJI is not so good anyway.

  • dkersten 6 years ago

    > I was nowhere connected to the things you found and the privacy disclosure. I just had a small repository with an Unreal Engine plugin to use an open source EXIF library inside our internal project.

    How were you fired because of that story?

    • rasz 6 years ago

      I can totally see this happening. In China truth doesn't exist, there is only the illusion of truth propped up by guanxi/mianzi.

      Carpet bombing all DJI GitHub repos and openly accessible employee projects is something I would expect from a Chinese company trying to pretend the whole thing never happened.

ColanR 6 years ago

Sounds like they got the report for free. Maybe the incompetence was just a way of getting out of paying the bounty.

  • oxguy3 6 years ago

    I would hope they're not dumb enough to think that's a good idea. That trick only works once.

    • ColanR 6 years ago

      We wish...it 'only works once' if the linked article prevents anyone from submitting bugs again.

matthewaveryusa 6 years ago

From DJI's perspective, I think they don't have experience with bug bounties, so the legal team drafted something not expecting a fight, especially when they offered 30k. Seeing the back-and-forth on legal terms cued them that maybe the author did have malicious intent to harm the reputation of DJI (whether that's a good argument or not is out of scope), and because of that the legal team turtled. DJI wanted the author to sign the papers, take the money and shut up. The author wanted to sign the papers, take the money, and advertise the hack.

  • emmab 6 years ago

    > maybe the author did have malicious intent to harm the reputation of DJI

    In the context of a bug-bounty program, it's not malicious to "harm the reputation" of the entity in question, it's malicious to attempt to profit off the hack itself.

    > The author wanted to sign the papers, take the money, and advertise the hack.

    Of course! It's part of their portfolio.

    It's common for security researchers to share details of a hack once it's been fixed. It's not "malicious" to tell the truth.

  • unobtaniumstool 6 years ago

    Well typically that's the point of an embargo, not a perpetual gag order. Though I can see how "we left an AWS directory open" might be embarrassing to have announced to the public, regardless of whether they had time to fix it.

  • otakucode 6 years ago

    My guess, and it is absolutely only a guess, is that the legal team drawing up the agreement were not versed in writing up agreements like this. As the author said, at one point they included language so vague that it would make participation by anyone in the program at all forbidden. I do not believe that they actually had that intent.

    My guess is that once they got this report and the others they received after opening the bounty program, they shit their pants a little. They did not expect 'oh hey, literally every single segment of your system could be taken over by a malicious party right now and you are probably hemorrhaging data that will lose you clients, destroy your reputation, and maybe even get your company into very severe legal trouble.' They realized, also, that this program was not going to be a matter of an obscure $100 or $1000 bug being reported every 6 months or so. They realized that their entire empire was built on sand. Particularly unstable sand at that, prone to explode at any moment. So for a month they had meetings where they kept out absolutely any person with any technical knowledge whatsoever - those people are just the ones that build everything that enables the company to exist or conduct business, they don't know anything that matters. And in those meetings, they formed a plan:

    Step 1: Get out of paying the initial bounties. Step 2: Fix the initial bugs reported, crediting as they have previously their internal team and 'external researchers', giving no hint of who or which things were found by internal folks as opposed to external researchers, etc. Step 3: Significantly modify the bug bounty program terms to either radically reduce the amount of money awarded or else change who gets to decide 'severity' so that the maximum bounty is never awarded again.

    I imagine they see this as several problems. Losing face and looking exactly as competent as they are is a big one, signified by how they have handled prior bug reports and fixes and also how they responded throughout this process. Losing money, although it is objectively and by all reason a microscopic sum of money to "lose" (I cannot imagine for a heartbeat that they see this as the ridiculously lucrative investment it actually is), with little to no ability to predict the eventual overall magnitude of the loss. Are they going to have $30k findings every year? Month? Week? DAY? They likely see their infrastructure as Swiss cheese and their technical team as incompetent right now. Since they are 'business people' and do not sully themselves with technical knowledge, their imagination gets to run wild. The idea of one bad person destroying their company in an afternoon is something hypothetical and far away, so it doesn't even enter their mind. They see only the truck that is bearing down upon them right now, and bleeding $3 million on this program in the first year alone probably doesn't seem out of the realm of possibility. They also desperately need no one to ever find out about this. Those .gov customers? They get wind of this and they are smoke. They will never be seen again and are probably a large part of the future roadmap of the company. This is an extinction-level event.

    I hope my guess is very off-base and totally wrong. If it's not... I'd be surprised if it's more than 30 days before we are hearing about the author being brought up on as many charges as their legal team can find.

curiousgal 6 years ago

Clauses that he considered limiting to his freedom of speech seemed quite reasonable to me but then I remembered he's active in the drone jailbreaking scene so they do interfere with that.

  • otakucode 6 years ago

    Such clauses are basically impossible to enforce in the US. It's called 'Prior Restraint' and courts look extremely poorly on it. You can forbid people from lots of things, but forbidding them from saying certain things? You can do that if you are the government yourself... and basically no one else.

    • uiri 6 years ago

      The government explicitly can't restrict freedom of speech in the US. It is the first amendment to the Constitution.

      I'm not sure why you seem to think that e.g. non-disparagement clauses are unenforceable in the US.

      • otakucode 6 years ago

        How can you be unsure? I thought I explained it quite clearly. The courts look very poorly upon prior restraint of free speech. Non-disparagement clauses in employment contracts specifically are very dicey and difficult to make stick in a court of law in the US. Here is an article about it... they can end up being enforced, but it is unusual: http://chernoff.law/non-disparagement-clauses-can-really-enf...

brodock 6 years ago

I think this is the value in using platforms like HackerOne vs trusting a random half-baked bug bounty program someone made as crisis management.

makmanalp 6 years ago

Is there not an official standard / "best practices" document for what each party should follow with bug reporting / bounty procedures? Something that anyone in a company that's starting a bug bounty program can point their legal department to, and say: "here's what amazon and google and X and Y and Z follow, so we should do the same"? From the security researcher perspective, there's the responsible disclosure stuff. But not much from the other side, AFAIK.

dreamcompiler 6 years ago

Here's another DJI story which demonstrates their incompetence. At EAA Oshkosh 2017 (the premier event of the year for private pilots and experimental aircraft fans of every stripe), DJI had set up a large tent to show off their newest drones. I walked in and asked to see a demo. Mind you, they had an outdoor flying area adjacent to the tent that was fully enclosed with netting. There was no way a drone could have escaped.

"Can't do a demo," the DJI rep said. "We're waiting on a firmware upgrade from China. None of the drones are working."

"Um, why?" I asked.

"Because the firmware in the drones contains a database of all known aircraft control towers and every drone has GPS. When it sees the drone is within [a few] miles of a control tower, it shuts down the drone. And right now we're only about 100 feet from a control tower."

"But you're inside a netted enclosure?"

"The firmware doesn't know that. The new firmware we're waiting on includes an exception for this location."

I don't know if the upgrade ever arrived, but this episode taught me I don't want a DJI product. DJI probably lost hundreds of thousands of dollars in sales because of that boneheaded move.

  • yongjik 6 years ago

    It's too bad they couldn't update the firmware in time, but it sounds like they did the responsible thing and built their drones to be safe. Do we really need a drone with an easily flippable "Trust me, I know this is a no-fly zone but I have made precautions to be perfectly safe!" switch?

    • vsl 6 years ago

      It prevented me from flying at lower-than-trees altitude in a public park a km or so away, perpendicularly to the approach axis, from a rarely used sports airfield... Another frequent occurrence is the app threatening to brick the drone if you don’t update the firmware by a given date. I get the intention, but the nanny in these expensive things is overly powerful and often wrong.

    • dreamcompiler 6 years ago

      Yes. We absolutely do. I know the FAA regs for drones, and if I violate them I should expect to be arrested. I don't need some poorly-designed firmware that I cannot override pretending to be my mom.

  • simooooo 6 years ago

    Seems pretty reasonable.

cyberferret 6 years ago

Almost a case here for someone to start up a BBaaS (Bug Bounty as a Service)?

They could act as the 'go between' for the SaaS or manufacturer, as well as protect the privacy (and possibly identity) of the bounty hunters. The BBaaS could have tried and tested boilerplate terms and conditions for both parties, as well as handle the reward payouts and filing/validating of reports.

  • jenskanis 6 years ago

    Yes, someone already built that: hackerone.com (I worked there)

    • mkagenius 6 years ago

      Triage people there are behaving like bots, lately.

      • TheTaytay 6 years ago

        Can you elaborate? (Considering them over a competitor)

caio1982 6 years ago

Is this 18-pages-long PDF worth reading at such small font size at all? Honest question.

  • LeifCarrotson 6 years ago

    It's perfectly readable on a computer screen or printed paper; that's what PDF is designed for. Are you on a mobile device?

    Anyway, the short of it is the unsurprising fact that when DJI was pressed to actually deliver the money, instead of offering the bug bounty they promised, they instead used their lawyers and the CFAA to try to attack and silence the author.

  • baud147258 6 years ago

    In addition to the small font, you've got a bunch of mail captures, which usually have an even smaller font.

    Myself, I'd say if you are not much interested in bug bounties, it's not worth reading; it's mostly just drama between the writer and DJI.

  • wingerlang 6 years ago

    I think so. It took the headline from "who would walk away from 30k??" to "yeah that makes sense".

  • confact 6 years ago

    I read everything and I think it is.

  • jwilk 6 years ago

    It's at least 12pt.

  • optimuspaul 6 years ago

    I didn't think so, but I didn't read the whole thing. Could have been formatted better and written more clearly and succinctly.

pbhjpbhj 6 years ago

Is there a place for a third-party bug reporting platform that can insulate security researchers from the companies seeking the disclosures?

EFF?

  • Cthulhu_ 6 years ago

    IIRC Google had a program where they offered bounties for software packages they don't own. I guess technically it's a third party?

lathiat 6 years ago

In many ways I believe this is the value of HackerOne (they effectively administer bug bounties on behalf of other companies).

They understand what is considered reasonable, necessary and/or expected by both the security community AND the company/legal side, and can work as a party to both sides with standard agreements, suggestions, etc.

goldfeld 6 years ago

Because you don't have financial security concerns?

  • level 6 years ago

    Probably, but contract issues could lead to a hefty legal bill as well.

gjem97 6 years ago

It's not clear to me that OP has consulted a lawyer about this. IANAL, but the question here is not whether the servers are/were in-scope, but whether DJI agreed to pay him $30,000 and then later made it a condition that he sign a contract to get the payment. I hate to be that guy, but it seems like a letter from a lawyer threatening legal action may change this conversation completely.

Edit: Please take a look at my comment below before downvoting?

  • Raphmedia 6 years ago

    > It's not clear to me that OP has consulted a lawyer about this

    "I of course still needed to have a lawyer review the terms, even if they were DJI’s final offer. In the days following no less than 4 lawyers told me in various ways that the agreement was not only extremely risky, but was likely crafted in bad faith to silence anyone that signed it." Page 17

    • gjem97 6 years ago

      Ah, yes, missed that. My point about the agreement stands though. The email on page 11 appears to state that they owe him $30,000, if he just provides some demographic info. They then send him a contract weeks later, and use the phrase "formalizing the terms ... [of] the reward payment" in order to try to make it look like this is all part of the process. But this is the start of a new negotiation.

      Edit: I'm getting downvotes on my comment above, and maybe it's because I missed the part where he said he consulted a lawyer, but I have a suspicion that it's because I suggested the threat of a lawsuit. I know we live (in the US) in an overly litigious society, but my point is that the company is (perhaps through disorganization or communication problems) trying to alter the terms of an existing agreement. This is what contract and tort law is for. Sometimes the threat of getting the courts involved can cause the other side to see more clearly what is going on.

      • logfromblammo 6 years ago

        Wherein they completely renege on paying out the $30000 as previously promised.

        Leaving the researcher with a pile of security research that is ostensibly worth at least $30000 to somebody, no contractual obligations to anybody, and a possible "unclean hands" defense to any action DJI may subsequently bring against him.

        If I were employed by any intelligence TLA or drone/UAV manufacturer, I'd already be at their door with a warm smile and a briefcase full of cash.

        • grkvlt 6 years ago

          Meh. The only entity this is worth USD 30k to is DJI, really. The issues found were an exposure of personal information on their servers, not a backdoor into the drone firmware or anything exciting like that, it seems. So no TLA employees with briefcases of money ;( I guess criminals looking for identity theft targets might have found it useful, too?

          • a_t48 6 years ago

            If you have access into their AWS, it's possible that you could either download the source yourself to find a backdoor (it was unclear if he had that access) or if none exists, upload one yourself.

    • joosters 6 years ago

      TBH, that makes me think that it's even less likely that the OP hired a lawyer.

      After all, no-one rushes out to hire four separate lawyers to examine a contract. And if you paid for one lawyer to fully investigate the situation, why would you then seek out three other lawyers afterwards? If you decided that the lawyer you hired was crap and their opinion worthless, you might hire another one. But their opinion was the same as the first lawyer, so by this point you'd be insane to hire any more lawyers.

      So it's much more likely that he informally asked some friends and contacts. While these people may well have been lawyers, they probably were just offering a quick, rough opinion on the matter. If a lawyer was actually hired, they would spend some time fully understanding the situation, and the next step to take would then be acting on their advice, not seeking out further legal advice to muddy the waters.

      • pgaddict 6 years ago

        So what if he asked friends/associates who are lawyers for quick feedback, or even paid the lawyers for a limited amount of time? When a lawyer gives you a quick assessment and it's "This is very risky," how likely is it a more thorough review of the contract will be more positive?

        Considering DJI's position at that point was "this is a final offer", how useful would it be to shell out a considerable amount of money for a more thorough review?