How a DJI Employee’s GitHub Leak Exposed Critical SSL Keys and Cost $1.16 M
A Shenzhen court sentenced a former DJI employee to six months in prison and a fine of RMB 200,000 after he uploaded proprietary agricultural‑drone management code to a public GitHub repository, exposing an SSL private‑key vulnerability that threatened sensitive customer data and caused more than one million RMB in losses.
Case Overview
Shenzhen Intermediate People's Court sentenced a former DJI software engineer to six months' imprisonment and a fine of RMB 200,000 for violating China's commercial‑secret protection law.
The employee uploaded source code of DJI’s agricultural‑drone management platform and spray‑system modules to a public GitHub repository, causing an estimated economic loss of RMB 1.164 million.
Technical Background
Vulnerability discovered (2017): Security researcher Kevin Finisterre reported a critical flaw that allowed an attacker to extract the private key of DJI’s SSL/TLS certificate. Possession of the private key enables decryption of TLS traffic (for sessions negotiated without a forward‑secret key exchange), impersonation of DJI servers, and unrestricted access to client‑side data such as flight logs and user information.
Impact: The compromised key rendered every certificate issued for it ineffective, exposing sensitive data stored on DJI’s backend systems.
Source‑code Leak Procedure
According to DJI’s investigation, the former employee executed a Git command that pushed the proprietary modules to a public repository, for example:
git add .                      # stage every file in the working tree, keys and configs included
git commit -m "Initial commit"
git remote add origin https://github.com/username/dji-agri-drone.git
git push -u origin master      # publish the branch to the remote
Because the repository was set to “public”, the code became instantly searchable and downloadable by anyone.
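One control that would have stopped the push above before it reached GitHub is a local pre-push hook that refuses to publish a tree containing PEM private-key headers. The script below is an added example written for this article, not DJI’s or GitHub’s own tooling; the sample working tree, the file paths and the placeholder key body are all constructed.

```shell
#!/bin/sh
# Pre-push guard: refuse to publish a checkout that contains PEM private keys.
# Added example for this article, not DJI's or GitHub's tooling.

# Header lines used by PEM-encoded private keys (PKCS#1, SEC1, PKCS#8, OpenSSH).
KEY_PATTERN='-----BEGIN (RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----'

# scan_tree DIR: list files under DIR that carry key material.
# Returns 1 (block the push) when any are found, 0 when the tree is clean.
scan_tree() {
    hits=$(grep -rlE -e "$KEY_PATTERN" "$1" 2>/dev/null) || true
    if [ -n "$hits" ]; then
        printf 'refusing to push, private key material found in:\n%s\n' "$hits" >&2
        return 1
    fi
    return 0
}

# make_sample_repo: build a constructed working tree for demonstration.
# The "key" file holds only a header and a dummy body, not a real key.
make_sample_repo() {
    d=$(mktemp -d)
    mkdir -p "$d/src" "$d/certs"
    printf '%s\n' 'API_HOST = "api.example.invalid"' > "$d/src/config.py"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' \
                  'PLACEHOLDER-NOT-A-REAL-KEY' \
                  '-----END RSA PRIVATE KEY-----' > "$d/certs/server.key"
    printf '%s\n' "$d"
}

# When installed as .git/hooks/pre-push, scan the checkout before each push.
if [ "${0##*/}" = "pre-push" ]; then
    scan_tree "$(git rev-parse --show-toplevel)" || exit 1
fi
```

Copy the script to .git/hooks/pre-push and mark it executable; git then runs it before every push and aborts when scan_tree returns non-zero.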
Legal Assessment
Chinese criminal law classifies the unauthorized disclosure of commercial secrets that results in serious consequences as the crime of “infringing commercial secrets”. The court considered the employee’s voluntary confession, deletion of the code, and cooperation with investigators as mitigating factors when determining the sentence.
Key Takeaways
Source code of high‑tech products is treated as a commercial secret under Chinese law.
Public repositories on platforms such as GitHub expose code to the global Internet; organizations must enforce strict access controls and employee training.
Compromise of SSL private keys can undermine the entire security architecture of a company’s services.
Legal penalties for commercial‑secret violations in China can include imprisonment and substantial fines.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.
ITPUB
Official ITPUB account sharing technical insights, community news, and exciting events.