Serving tech enthusiasts for over 25 years. TechSpot means tech analysis and advice you can trust.
Sounding off: A nonprofit is paying for proofs of concept that bypass product locks, turning one-off hacks into broader tests of ownership. At stake is a basic question about modern hardware: if companies can remotely disable features, enforce digital rights management on parts, or end software support, how much of a device do buyers actually own after they’ve paid for it?
When Google ended support for its first- and second-gen Nest thermostats in October, many users saw their devices lose key functions. The thermostats could still adjust temperature locally, but networked features tied to Google’s services stopped working, leaving some owners feeling as if their expensive hardware had been turned into e-waste on the wall.
Those kinds of restrictions are the focus of Fulu, a nonprofit whose name stands for Freedom from Unethical Limitations on Users. The group, founded by right-to-repair advocates Louis Rossmann and Kevin O’Reilly, runs a bounty program modeled on software bug bounties. Instead of paying people to find security flaws, Fulu pays for technical methods that disable unpopular restrictions or restore products that manufacturers have abandoned.
Fulu offers $10,000 to the first person who can demonstrate a working fix for a targeted device. Donors can add more money to individual bounties, and Fulu will match donations up to an additional $10,000. In some cases, the total has risen far beyond the base amount; a bounty on the Xbox Series X, which seeks a workaround for disk-drive encryption that blocks unauthorized replacements, has grown to more than $30,000.
The organization’s bounties focus on devices it considers hostile to their owners. That includes GE refrigerators that use DRM to lock water filters, Molekule air purifiers that rely on NFC chips to block third-party filters, and discontinued Nest thermostats that lost official software support.
Fulu warns participants that pursuing these fixes can collide with US copyright law. Section 1201 of the Digital Millennium Copyright Act prohibits bypassing passwords or encryption, or providing tools to do so, without the manufacturer’s permission. That means reverse-engineering a device’s firmware or DRM systems, even to keep it functional, can expose developers to legal risk.
Fulu’s first major payout came after Google ended support for the early Nest models. The nonprofit offered a bounty for a software fix that would restore functionality to the thermostats.
Cody Kociemba, a Nest user and follower of Rossmann’s YouTube channel, created a workaround and published it on GitHub under the name NoLongerEvil-Thermostat, along with a website, No Longer Evil, devoted to the project. He later learned that another entrant, using the name Team Dinosaur, had submitted a working solution shortly before him.
Even so, Fulu awarded the full bounty to both Kociemba and Team Dinosaur, paying each roughly $14,000. O’Reilly has said that Fulu does not expect to repeat that approach regularly, but that, for the first payout, it was essential to support multiple people who took on the work and the associated risks.
The group’s second payout went to Lorenzo Rizzotti, an Italian student and coder who has experience in reverse engineering. Fulu had posted a bounty on Molekule’s Air Pro and Air Mini air purifiers, which use NFC chips in their filters to ensure replacements come only from Molekule. The goal was to disable that DRM so the machines could operate with any compatible filter. Rizzotti submitted proof that he had found a way to do this and received the bounty.
Rizzotti chose not to publish his method, saying he did not feel safe facing the possible legal consequences. He told Fulu that for him, proving the fix existed was enough: "I proved that I can do it. And that was it."
Fulu paid the bounty anyway. O’Reilly has said that the project is at least as much about highlighting the impact of Section 1201 as it is about distributing specific fixes. He also argues that the law, now more than two decades old, has not kept pace with how deeply software-controlled restrictions shape modern hardware.
"We need to show how ridiculous it is that this 27-year-old law is preventing these solutions from seeing the light of day," O’Reilly told Wired. "It’s time for the laws to catch up with technology."