DJI Launches New Threat Identification Reward Program: offers ‘bug bounty’ of up to $30,000 for qualifying bugs

DJI is addressing the U.S. Army ban on using its drones because of alleged “cyber vulnerabilities.” It is establishing a “bug bounty” program and will pay out from $100 to $30,000 to anyone who discovers “issues that may create threats to the integrity of our users’ private data, such as their personal information or details of the photos, videos and flight logs they create.”

This is a smart initiative from the drone maker to quickly turn around the negative tide it has been surfing lately. It had previously not offered formal lines of communication to security researchers and owners who desired to report hardware and software issues and concerns. By partnering with security researchers, academics and other interested parties, DJI could design, engineer and build some of the safest and most trustworthy drones on the market.

PRESS RELEASE

2017-08-28

DJI To Offer ‘Bug Bounty’ Rewards For Reporting Software Issues

Threat Identification Reward Program Will Address Software Concerns

August 28, 2017 – DJI, the world’s leader in civilian drones and aerial imaging technology, is establishing a “bug bounty” program to reward people who discover security issues with DJI software. The DJI Threat Identification Reward Program is part of an expanded commitment to work with researchers and others to responsibly discover, disclose and remediate issues that could affect the security of DJI’s software.

“Security researchers, academic scholars and independent experts often provide a valuable service by analyzing the code in DJI’s apps and other software products and bringing concerns to public attention,” said DJI Director of Technical Standards Walter Stockwell. “DJI wants to learn from their experiences as we constantly strive to improve our products, and we are willing to pay rewards for the discoveries they make.”

The DJI Threat Identification Reward Program aims to gather insights from researchers and others who discover issues that may create threats to the integrity of our users’ private data, such as their personal information or details of the photos, videos and flight logs they create. The program is also seeking issues that may cause app crashes or affect flight safety, such as DJI’s geofencing restrictions, flight altitude limits and power warnings.

Rewards for qualifying bugs will range from $100 to $30,000, depending on the potential impact of the threat. DJI is developing a website with full program terms and a standardized form for reporting potential threats related to DJI’s servers, apps or hardware. Starting today, bug reports can be sent to bugbounty@dji.com for review by technical experts.

The DJI Threat Identification Reward Program is part of a renewed focus on addressing concerns about DJI product security, including new efforts to partner with security researchers and academics who have a common goal of trying to improve the security and stability of DJI products. DJI is also implementing a new multi-step internal approval process to review and evaluate new app software before it is released to ensure its security, reliability and stability.

DJI has not previously offered formal lines of communication about software issues to security researchers, many of whom have raised their concerns on social media or other forums when they could not determine how best to bring these issues to DJI’s attention.

“We want to engage with the research community and respond to their reasonable concerns with a common goal of cooperation and improvement,” Stockwell said. “We value input from researchers into our products who believe in our mission to enable customers to use DJI products that are stable, reliable and trustworthy.”