DJI’s bug bounty program stumbles after researcher finds its SSL private key on GitHub
Security researcher Kevin Finisterre stumbled across a serious flaw in DJI's web security: the company had accidentally published its SSL private key on GitHub. The rest of the story about Finisterre and DJI is interesting, and we will get to it in a moment, but this is the point where, as an SSL blog, we need to state the obvious:
Don’t publish your SSL certificate’s private key on GitHub.
In fact, this is a good opportunity to talk about good security hygiene when it comes to key storage. It's called a private key for a reason: it needs to be guarded and kept private. We say it all the time, but if your private key is compromised, your entire SSL certificate is compromised. Hackers and cybercriminals can literally wreak havoc with your private key.
So be careful where you store it.
Extended Validation Code Signing certificates actually come with their private keys stored on a physical hardware token. But you can store any private key on a physical hardware token—it doesn’t have to just be EV keys.
And frankly, we recommend doing that. Don’t store your private key on your network where someone unauthorized can access it. Store your private key in a physical hardware token that can be physically accounted for at all times. This adds a beneficial additional layer of security. Now someone actually has to physically obtain the key before they can use it.
We recommend storing your private keys on physical hardware tokens.
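Here is one way to catch the DJI mistake before it ever reaches GitHub, as an added example that is not from the original post or from DJI: a pre-commit check (wiring it up as .git/hooks/pre-commit is assumed) that refuses to commit any staged text file containing a PEM private-key header, while letting certificates and public keys through. The sample file contents are constructed, with fake key bodies.

```python
import re
import subprocess
import sys
from pathlib import Path

# PEM header of the private-key encodings commonly found in leaked repos.
# An unlabelled "PRIVATE KEY" header is PKCS#8. "PUBLIC KEY" and
# "CERTIFICATE" blocks deliberately do not match: they are safe to publish.
PRIVATE_KEY_RE = re.compile(r"-----BEGIN (?:(RSA|EC|DSA|OPENSSH|ENCRYPTED) )?PRIVATE KEY-----")

# Constructed samples (fake bodies): a clean file and a leaked config file.
SAMPLE_CLEAN = """-----BEGIN CERTIFICATE-----
MIIBfakecertbodyNotARealCert==
-----END CERTIFICATE-----
"""
SAMPLE_LEAK = SAMPLE_CLEAN + """tls_key = '''-----BEGIN RSA PRIVATE KEY-----
MIIEfakekeybodyNotARealKey==
-----END RSA PRIVATE KEY-----'''
"""

def find_private_keys(text: str) -> list:
    """Return the type of every PEM private key found in text, e.g. ['RSA']."""
    return [m.group(1) or "PKCS#8" for m in PRIVATE_KEY_RE.finditer(text)]

def scan_paths(paths) -> dict:
    """Map each readable text file that holds a private key to the key types found."""
    hits = {}
    for path in map(Path, paths):
        if not path.is_file():
            continue
        try:
            text = path.read_text(encoding="utf-8")
        except (UnicodeDecodeError, OSError):
            continue  # binary or unreadable: not a PEM text file
        keys = find_private_keys(text)
        if keys:
            hits[str(path)] = keys
    return hits

def staged_files() -> list:
    """Files added, copied or modified in the index, i.e. about to be committed."""
    out = subprocess.run(["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
                         capture_output=True, text=True, check=True).stdout
    return [line for line in out.splitlines() if line]

if __name__ == "__main__":  # run as a git pre-commit hook, or pass file paths explicitly
    found = scan_paths(sys.argv[1:] or staged_files())
    for path, kinds in found.items():
        print(f"{path}: contains {', '.join(kinds)} private key; refusing commit", file=sys.stderr)
    sys.exit(1 if found else 0)
```

A non-zero exit from the hook makes git abort the commit, so the key never leaves the developer's machine; a server-side pre-receive hook with the same scan covers pushes from machines without the hook.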
Now, let's move on to DJI and Kevin Finisterre.
Here’s how not to run a bounty program
Bounty programs are becoming more and more common. If you don't already know, a bounty program is basically a company partnering with white hat hackers (good hackers) to find vulnerabilities in its networks and systems before a malicious actor can find them.
DJI, a Chinese technology company, recently kicked off its own bounty program. Finisterre and his team contacted DJI shortly after to inquire about whether the private key they found was within the scope of its bounty program. DJI responded that it was and the two sides began negotiating around the $30,000 bounty.
Where things fell apart is that DJI didn't want the bounty publicly disclosed. That's a problem for most white hat hackers, because the notoriety that comes with finding these bugs is worth as much as, if not more than, the cash prize. It'd be like getting to meet your favorite celebrity but being forced to sign a non-disclosure agreement that prevented you from telling anyone.
That’s a non-starter.
After negotiations broke down, Finisterre went public anyway. His account has been circulating the web ever since.
DJI, for its part, has now launched a website for its bounty program where it clearly lists its terms and conditions. This is a step in the right direction, but it's also something that probably should have been done before any of this ever happened.
Regardless, just remember: be careful where you store your private