# DJI bug bounty NDA is 'not signable', say irate infosec researchers

Chinese drone maker DJI faces questions from infosec researchers about its bug bounty programme. Sources have told The Register that a non-disclosure agreement (NDA) they were invited to sign would result in the company "owning their actions". DJI's scheme to pay those that highlight security weaknesses, announced months ago …

1. #### What exactly is objectionable?

The article doesn't really go into what is objectionable about the NDA.

I'd assume that the signing of an NDA is a reasonable request. It also seems fair that, to be paid for a piece of work, you should hand that work over to the company paying you. Aren't you effectively selling your work to the company?

So, what have DJI slipped in there which people are objecting to, and which is different from other bug bounty schemes?

1. #### Re: What exactly is objectionable?

" It also seems fair that, to be paid for a piece of work, you should hand that work over to the company paying you."

That's a bit the wrong way around. They don't pay someone to do some work. They reward someone who does work for them for free and has a good enough relationship that they won't exploit this work or hand it over to crims or TLAs for an even bigger fee.

The security researchers see it as doing the company a favour and hence getting a reward, the company may see it as an extortion racket (but it's only due to their failings).

However if the agreement to be given the reward for your hard work is unfair or gives too much power to the company to shut you down and keep others at risk for ever more and even not pay you at all once you've signed it then you might be a bit irked.

In another way, if you have 30 top security researchers who are very bothersome with their constant stories about security issues and you can get them all to sign an NDA which says they are not allowed to mention a security bug ever again (and they might get a reward, maybe), then you have shut down dissent and you can carry on with insecure software.

I was genuinely considering buying a DJI drone, but stories like this, where they don't seem to care about security and prefer to try to ensure that issues aren't rectified but suppressed, mean that I won't risk it.

2. #### Generic NDA translated into English

Our product is crap. We know it is fundamentally unfit for use in your project and by our other existing and potential customers. This information must not escape into the wild until after you are thoroughly committed to embedding our product in yours. At that time you and our other customers must each individually develop the same bodge to make your project minimally successful.

3. #### Re: What exactly is objectionable?

To NDA - "this" whatever "this" may be could be considered normal

To pass ownership - might be okay - if paid up front - that is, you know what you are getting in advance. But not, imho, if they are evaluating it and decide to give you nothing. Maybe you found a patentable effect - and they just take it for nothing.

Finally, between the lines of what people are saying about the formal NDA - sounds like they are making an attempt to also own "future" aka "undisclosed" (to them) information you have. Who can say what you have at time X. Their lawyers contend you had it, but did not disclose fully - and so violated the NDA ownership transfer.

Also not heard - what court are (so-called) breaches of the NDA tried in? USA, Europe, India, ..., China? That also makes a big difference.

2. "what have DJI slipped in there..."

From the article:

"the NDA has effectively prohibited them from carrying out any further work"

1. #### Re: From the article:

I think maybe they were hoping someone would disclose (the actual text of, the relevant part of) the NDA, not the summary.

2. #### That's nice

I think we all can read that in the story, but the question was HOW did they do that? What words made this the case?

3. #### Why not post a copy of the NDA?

The NDA is some legalese protecting something. It itself isn't protected, certainly you see it before agreeing to it.

1. #### Re: Why not post a copy of the NDA?

How do you know the NDA isn't itself protected by copyright, or have you seen it, in which case, why not post a copy? There's a good chance that DJI only sends out the NDA to people who apply and there's nothing to stop them controlling distribution using copyright law.

4. #### Computer Fraud and Abuse Act

I'm assuming these people aren't randomly attacking drones that happen to pass by overhead but are actively trying to find bugs in the software of drones that either belong to the security researchers or which they have been given permission to investigate by their owners.

If DJI think it's a criminal offence to access a computer that belongs to you without their permission, then there's rather more to worry about than an NDA.

1. #### Re: Computer Fraud and Abuse Act

This is the core theme of all the DJI articles I've read. Every article seemingly shapes DJI as an owner of your work or you. Ultimately, you become their scapegoat AND they profit from your work.

Maybe hackers shouldn't be making DJI defensible.

5. can someone please publish the NDA so we can see what it says?

Or do you have to sign an NDA before you can see the real NDA?

1. That would be in breach of the NDNDAA

1. "That would be in breach of the NDNDAA"

The first rule of NDNDAA is not to talk about NDNDAA

<this could go on for a while>

1. #### <this could go on for a while>

I don't think that's necessary. For an agreement covering a domain V, a non-disclosure agreement only needs to specify a (an impermeable) boundary surface $S = \partial V$. Since the boundary of a boundary is zero, the second non-disclosure agreement suffices to let nothing out. I suppose the only loophole might be if your domain has a non-trivial topology... [1]

[1] And think yourself lucky that I haven't tried any jokes about there being p-forms to fill in [2].

[2] Dammit!

2. > That would be in breach of the NDNDAA

And we would share the NDNDAA but that would fall foul of the NDNDNDAAA. Again, I can't share the NDNDNDAAA specifics, but I can confirm that it talks a lot about turtles.

6. #### I suspect if you sign the NDA you can't talk about whether you're even looking for bugs.

IOW, all information about whether a researcher is even looking for ways in disappears into an information black hole.

Which means they can claim "We have no security issues. You can ask any of the researchers in this area."

Reporter asks researcher (who's signed NDA). "I know nothing of any bugs. I can neither confirm nor deny that I am investigating any vulnerabilities. I cannot comment on their security. Goodbye."

It may be like those "National Security Letters" the FBI have been issuing to ISPs. They can't tell a customer they're being spied on. They can't tell them if the customer asks them, and they can't even answer if the customer asks "Have you received an NSL on my account?"

If I'm right would that sound somewhat Orwellian to you?

Of course releasing a copy of the full NDA would settle matters more or less instantly.

After all if DJI has nothing to hide, they have nothing to fear. Right?

1. #### Re: I suspect if you sign the NDA you can't talk about whether you're even looking for bugs.

"Reporter asks researcher (who's signed NDA). "I know nothing of any bugs."

No NDA requires you to lie. The researcher would not have to disclaim knowledge of bugs, but could say "I am contractually prohibited from commenting on that." Which would be a useful thing to know.

NDAs tied to bug bounty programs seem like a wonderful way of suppressing research and keeping the public from learning things that they really should know about. I hope that there are plenty of researchers who won't involve themselves in such schemes.

1. #### "NDAs tied to bug bounty programs seem like a wonderful way of suppressing research"

Exactly my point.

Please note. I'm not saying that DJI's is doing that, but not being transparent about it does make it look that way, doesn't it?

7. No full text, but more details here:

https://dronelife.com/2017/11/16/dji-flawed-bug-bounty-program/

8. Fool me once, shame on you; fool me twice, I'll sue you for breach of NDA

9. #### Fools

It's almost as if DJI want researchers to go dark.

Perhaps they also want to go out of business when the bad guys get to work using all the bugs that nobody would now be telling them about.

10. #### Your product is shit!

Thank you.

Sign this and take \$30,000. Oh, and you must never speak of this again.

You must never speak of our product again. To anyone.

Sounds a sensible scheme to me if they can get away with it.

.

.

.

An alternative view is that there is a highly paid research programme. Entry requirements involve locating a significant unknown security bug. After that you are inside and full commercial confidentiality rules apply. You get paid for your research but you don't get to brag about it. Just like the employees don't get to brag in public about the bugs they have found and fixed as part of their job.

I wonder which this is?

11. #### Dont sign, publish...

Just start publicizing the bugs. That will wake them up.

1. #### Re: Dont sign, publish...

That's precisely what he did... ;-)

12. #### The whole NDA thing is rather questionable anyhow

I mean, if I find out that a certain kind of LED light is a safety hazard as it'll expose live wires when you pull on some part too hard, you damn well tell the public.

We are far too forgiving of manufacturers of software. They often purposefully build security issues into their software, and instead of issuing recalls we allow them to patch their software as often as they like.

13. #### Company in Communist China...

...has an NDA which is politically objectionable to those in the West. And the shock is what... exactly?
