
Bug Bounty


Check Point Researchers find major DJI security vulnerability


Check Point Researchers and DJI shared information about a vulnerability that might have allowed third parties to access DJI users’ data and drone images through the DJI Forum. Had the vulnerability been exploited, it would have allowed a third party to access a user’s account, including information such as photos, video footage, flight paths, GPS data, and other information, without the user ever realizing the account was hacked. DJI was first notified about this in March 2018. It has since been patched.



DJI fires software developers involved in data security breach and responds publicly to Bug Bounty case


In a public statement addressing the Bug Bounty case with Kevin Finisterre, DJI also says that it has fired the software developers who were involved in the cyber-security breach of the DJI customer data stored on the AWS servers.

DJI does not shy away from making public statements to set the record straight, or at least to provide its side of the story. It did so in the case of the attack on DJI’s Aeroscope, and it also responded when a drone struck an airplane in Quebec. Now, after Kevin Finisterre publicly posted his reasons for walking away from the top bounty of $30k in DJI’s Bug Bounty Program, DJI has released a public statement pointing out the actions it has been taking to remedy the issues, one of which was the firing of the software developers who were responsible for data security.



Security researcher exposes DJI customer data, walks away from $30k bug bounty and posts his story online


Security researcher Kevin Finisterre recently found a security flaw that allowed him to access personal data of DJI’s customers on the Chinese drone manufacturer’s servers. Finisterre used DJI’s recently launched Bug Bounty program to report his findings. This resulted in many emails being sent back and forth between the researcher and the drone company’s legal department about the scope of DJI’s Bug Bounty program and other legalities. In the end, Finisterre felt threatened and concluded he could not sign DJI’s document. He then decided not only to forgo the $30,000 top reward but also to go public with his story in an 18-page PDF titled “Why I walked away from $30,000 of DJI bounty money.”



Hackers make thousands of dollars through DJI “Bug Bounty” program


Late in August, DJI launched its “Bug Bounty” program after hackers had been able to bypass DJI’s geo-fencing. Around the same time, the US Army stopped using DJI’s products because of ‘cyber vulnerabilities’. Apparently, the program has been quite a success, and DJI is now planning to make the first payouts, according to DroneLife. The combined payout is in excess of $30,000 to multiple researchers.

