DJI is offering cash rewards to anyone who finds a significant bug in its software. The new bug bounty program offers financial incentives ranging from $100 to $30,000 in the hopes that researchers and users alike may find problems related to software security, flight safety, and app stability. This, following a leaked military memo that ordered the US Army to cease their use of DJI products over unspecified 'cyber vulnerabilities.'

The alleged vulnerabilities cited by the military memo were found by the U.S. Army Research Lab and U.S. Navy, which ordered the U.S. Army to stop using 'all DJI products,' and news of the order stirred concerns in the private sector over whether DJI's software was adequately protecting customers' data. Around the same time, DJI introduced an offline mode that allows operators to limit a drone's communications to just its controller.

DJI will soon launch a dedicated bug bounty website with a standardized form through which bug discoveries can be submitted. Until that time, the company advises individuals who have found a bug to report it to the 'bugbounty@dji.com' email address. Only qualified bugs will result in rewards, and specific terms will be detailed on the upcoming bug bounty website.

Press Release

DJI To Offer ‘Bug Bounty’ Rewards For Reporting Software Issues

Threat Identification Reward Program Will Address Software Concerns

August 28, 2017 – DJI, the world’s leader in civilian drones and aerial imaging technology, is establishing a “bug bounty” program to reward people who discover security issues with DJI software. The DJI Threat Identification Reward Program is part of an expanded commitment to work with researchers and others to responsibly discover, disclose and remediate issues that could affect the security of DJI’s software.

“Security researchers, academic scholars and independent experts often provide a valuable service by analyzing the code in DJI’s apps and other software products and bringing concerns to public attention,” said DJI Director of Technical Standards Walter Stockwell. “DJI wants to learn from their experiences as we constantly strive to improve our products, and we are willing to pay rewards for the discoveries they make.”

The DJI Threat Identification Reward Program aims to gather insights from researchers and others who discover issues that may create threats to the integrity of our users’ private data, such as their personal information or details of the photos, videos and flight logs they create. The program is also seeking issues that may cause app crashes or affect flight safety, such as DJI’s geofencing restrictions, flight altitude limits and power warnings.

Rewards for qualifying bugs will range from $100 to $30,000, depending on the potential impact of the threat. DJI is developing a website with full program terms and a standardized form for reporting potential threats related to DJI’s servers, apps or hardware. Starting today, bug reports can be sent to bugbounty@dji.com for review by technical experts.

The DJI Threat Identification Reward Program is part of a renewed focus on addressing concerns about DJI product security, including new efforts to partner with security researchers and academics who have a common goal of trying to improve the security and stability of DJI products. DJI is also implementing a new multi-step internal approval process to review and evaluate new app software before it is released to ensure its security, reliability and stability.

DJI has not previously offered formal lines of communication about software issues to security researchers, many of whom have raised their concerns on social media or other forums when they could not determine how best to bring these issues to DJI’s attention.

“We want to engage with the research community and respond to their reasonable concerns with a common goal of cooperation and improvement,” Stockwell said. “We value input from researchers into our products who believe in our mission to enable customers to use DJI products that are stable, reliable and trustworthy.”