Researcher: DJI RCE-holes offered me $500 after I found Heartbleed etc on its servers

Chinese drone-maker DJI’s bug bounty programme has been struck with fresh controversy after a security researcher claimed he was offered just $500 for reporting, among others, the years-old Heartbleed vulnerability. Infosec chap Sean Melia – no stranger to bug bounty programmes – said he discovered that DJI’s servers not only …

  1. Joe Harrison

    Tesco sent me a £5 voucher

    In 2000 when I told them about a bug in their checkout which could send card details without SSL. Course in those days you could have a night out on a fiver...

    1. Anonymous Coward

      Re: Tesco sent me a £5 voucher

      "In those days you could have a night out on a fiver..."

      Your student union was selling vodka and coke for 50p a go as well?

      (FWIW, that was stupidly cheap even back then...)

  2. Anonymous Coward

    Goes all the way up to 30K

    Looking at their bug bounty program, they'll payout up to 30K for 'critical' which includes:

    obtaining important user information like credit cards + social security numbers. By the looks of the SQLi + RCE, this looks like it could be obtainable. Crucially, as a bug hunter should, he stopped and logged the vulnerability. If he'd used the RCE to pivot into the internal VLANs I'd imagine the damage would be many times worse.

    1. Anonymous Coward

      Re: Goes all the way up to 30K

      What is your point? If it is that DJI is lying about what they'll pay for bugs, I agree. I think at this point everyone knows DJI is a very shady corp. I don't understand how governments don't weigh the obvious ethics of DJI in their bidding.

      Another DJI story, another DJI failure.

  3. pink_unicorn
    Thumb Down

    Ham-fisted treatment

    The way DJI treats security researchers tells me that unless DJI changes their attitude it is heading towards a major security-related IT incident. Well done DJI, piss off more people.

    On a separate note...

    To be honest they are making things clear in their Privacy Policy:

    "(...) we cannot and do not guarantee that your information will not be accessed, viewed, disclosed, altered, or destroyed by breach of any of our physical, technical, or organizational safeguards."

    1. Yet Another Anonymous coward Silver badge

      Re: Ham-fisted treatment

      That is at least honest and straightforward.

      Typical claim is that your data is totally safe and secure - unless we get hacked, or our 3rd world customer support contractor gets hacked, or they decide to steal your data, or one of the advertisers we share it with, or one of their partners.

  4. David 55

    "Finding private keys on Github should not be happening to a company which presents itself as a successful multinational."

    Mistakes (and shitty programmers) happen in successful multinationals too. Offering $500 for an exploit that provides access to customer data is a little extreme though.

  5. Midnight

    Clearly DJI would prefer that people in possession of information about critical vulnerabilities in their infrastructure offer it to other, more accommodating, buyers.

    1. Jason Bloomberg Silver badge
      Facepalm

      Keep your friends close, your enemies closer

      It doesn't take much to provoke a move from claiming a bug bounty to anonymously dumping knowledge on the net for free.

      Respect reflects what's given. Something I expect DJI may soon find out.

  6. Anonymous Coward

    Black market GO GO

    So they just lie and use you to find their critical bugs for free.

    Let's teach this $ht company a lesson.

  7. Tim Seventh

    Researcher turned down a $30,000 bug bounty

    and from the linked source, DJI didn't really do anything for him except for blaming him with colorful words. The two developers were not related to the person who sent Kevin the offensive letter ('we can sue you with computer misuse act, etc' letter) which caused Kevin to turn against DJI.

    So loads of garbage and cutting it short, DJI is still the same piece of sh*t.
