Helpful Tip: Don’t Publish Your Private Key on GitHub


DJI’s bug bounty program stumbles after researcher finds its SSL private key on GitHub

Security researcher Kevin Finisterre stumbled across a serious flaw in DJI’s web security: the company had accidentally published its private key on GitHub. The rest of the story about Finisterre and DJI is interesting, and we will get to it in a moment, but this is the point where, as an SSL blog, we need to state the obvious:

Don’t publish your SSL certificate’s private key on GitHub.

In fact, this is a good opportunity to talk about good security hygiene when it comes to key storage. It’s called a private key for a reason: it needs to be guarded and kept private. We say it all the time, but if your private key is compromised, your entire SSL certificate is compromised. Hackers and cybercriminals can literally wreak havoc with your private key.

So be careful where you store it.

Extended Validation Code Signing certificates actually come with their private keys stored on a physical hardware token. But you can store any private key on a physical hardware token—it doesn’t have to just be EV keys.

And frankly, we recommend doing that. Don’t store your private key on your network where someone unauthorized can access it. Store your private key in a physical hardware token that can be physically accounted for at all times. This adds a beneficial additional layer of security. Now someone actually has to physically obtain the key before they can use it.

We recommend storing your private keys on physical hardware tokens.
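The cheapest defense against the mistake described above is a check that refuses to commit a file containing PEM private-key material. The script below is an added example written for this post; it is not DJI’s code or anything Finisterre published, and the file name `check_keys.py`, the `--staged` flag and the embedded sample config are assumptions. It scans text for the `-----BEGIN ... PRIVATE KEY-----` armour that OpenSSL and OpenSSH emit, and in hook mode scans whatever is staged for the next commit and exits non-zero on any hit.

```python
"""Scan files for PEM-encoded private keys before they reach a public repo.

Hypothetical pre-commit check (added example, not the blog's or DJI's code).
"""
import re
import subprocess
import sys
from pathlib import Path

# PEM armour headers that mark private-key material. The optional label covers
# the common OpenSSL and OpenSSH variants; PKCS#8 "ENCRYPTED PRIVATE KEY" is
# flagged too, because a passphrase-protected key in a public repo is still a leak.
PRIVATE_KEY_HEADER = re.compile(
    r"-----BEGIN (?:(?:RSA|EC|DSA|OPENSSH|ENCRYPTED) )?PRIVATE KEY-----"
)


def find_private_keys(text):
    """Return (line_number, header) for every private-key header found in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        match = PRIVATE_KEY_HEADER.search(line)
        if match:
            hits.append((lineno, match.group(0)))
    return hits


def scan_files(paths):
    """Scan each path; return {path: [(line_number, header), ...]} for files with hits."""
    findings = {}
    for path in paths:
        p = Path(path)
        if not p.is_file():
            continue  # directories, deleted files, submodules: nothing to read
        try:
            text = p.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue
        hits = find_private_keys(text)
        if hits:
            findings[str(p)] = hits
    return findings


def staged_files():
    """Files added/copied/modified in the index (requires git; hook mode only)."""
    out = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
        capture_output=True, text=True, check=True,
    ).stdout
    return [line for line in out.splitlines() if line]


# Constructed sample: a "config" file that embeds a key next to harmless settings.
SAMPLE_CONFIG = """\
server_name = api.example.com
tls_cert = /etc/ssl/certs/server.crt
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA...constructed placeholder, not a real key...
-----END RSA PRIVATE KEY-----
log_level = info
"""


def demo():
    """Run the scanner over the constructed sample; the key is on line 3."""
    return find_private_keys(SAMPLE_CONFIG)


if __name__ == "__main__":
    # Hook mode: `python check_keys.py --staged` fails the commit on any hit.
    # Otherwise scan the paths given on the command line.
    files = staged_files() if "--staged" in sys.argv else sys.argv[1:]
    findings = scan_files(files) if files else {}
    for path, hits in findings.items():
        for lineno, header in hits:
            print(f"{path}:{lineno}: {header}")
    sys.exit(1 if findings else 0)
```

Wire it up as `.git/hooks/pre-commit` (or a CI step over the whole tree) so the check runs before anything is pushed. Note that it only catches PEM armour; a key stored in another encoding, or already pushed in an earlier commit, needs a history scan and, more importantly, revocation and re-issuance of the certificate, since a leaked key cannot be "un-published".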

Now, let’s move on to DJI and Kevin Finisterre.

Here’s how not to run a bounty program

Bounty programs are becoming more and more common. If you don’t already know, a company partners with white hat hackers (good hackers) to find vulnerabilities in its networks and systems before a malicious actor can find them.

DJI, a Chinese technology company, recently kicked off its own bounty program. Finisterre and his team contacted DJI shortly after to inquire about whether the private key they found was within the scope of its bounty program. DJI responded that it was and the two sides began negotiating around the $30,000 bounty.

Where things fell apart is that DJI didn’t want the bounty publicly disclosed. That’s a problem for most white hat hackers because the notoriety that comes with finding these bugs is worth as much, if not more than the cash prize. It’d be like getting to meet your favorite celebrity but being forced to sign a non-disclosure agreement that prevented you from telling anyone.

That’s a non-starter.

After negotiations broke down, Finisterre went public anyway. His account has been circulating the web ever since.

DJI, for its part, has now launched a website for its bounty program where it clearly lists its terms and conditions. This is a step in the right direction, but it’s also something that probably should have been done before any of this ever happened.

Regardless, just remember: be careful where you store your private

Author

Patrick Nohe

Patrick started his career as a beat reporter and columnist for the Miami Herald before moving into the cybersecurity industry a few years ago. Patrick covers encryption, hashing, browser UI/UX and general cyber security in a way that’s relatable for everyone.