DJI Launches ‘Bug Bounty’ Initiative for Software Security Enhancements
A New Path for Collaboration in Threat Identification
Key Takeaways
- DJI announces a new ‘bug bounty’ program aimed at encouraging security researchers to report software vulnerabilities.
- Rewards for identified security issues can range from $100 to $30,000 based on the severity of the threat.
- The initiative underscores DJI’s commitment to improving the security measures surrounding its software solutions.
- Bug reports can now be submitted directly to DJI’s technical team via a dedicated email address.
- This program is part of a broader strategy to engage with the security community and remain responsive to potential software concerns.
In a significant move to bolster software security, DJI—renowned globally for its cutting-edge civilian drones and aerial imaging technology—has unveiled a new “bug bounty” initiative. Launched on August 28, 2017, the DJI Threat Identification Reward Program is a strategic effort designed to incentivize individuals who identify security vulnerabilities within DJI’s software.
A Collaborative Approach to Security
DJI emphasized the importance of collaboration with security researchers, academics, and independent experts who play an invaluable role in identifying potential software issues. Walter Stockwell, Director of Technical Standards at DJI, stated, “Security researchers, academic scholars and independent experts often provide a valuable service by analyzing the code in DJI’s apps and other software products and bringing concerns to public attention.” This illustrates DJI’s desire to learn from the insights offered by these experts to continuously enhance the security and reliability of its products.
Focus on Data Integrity
The primary goal of the Threat Identification Reward Program is to mitigate risks that could compromise users’ private data, including personal information, as well as details related to photographs, videos, and flight logs. DJI is also keen to uncover vulnerabilities that may expose proprietary source code or safety-critical secrets meant to prevent unauthorized access.
Incentives for Contributions
Rewards for reporting qualified bugs are set to vary significantly, ranging between $100 and $30,000 depending on the potential implications of the security threat. To facilitate the reporting process, DJI is creating a comprehensive website that will detail the program’s terms and provide a standardized submission form for reporting any potential threats linked to DJI’s applications, servers, or hardware. Effective immediately, individuals can begin submitting bug reports directly to DJI at bugbounty@dji.com, where they will be assessed by a team of technical experts.
Building Trust through Transparency
The introduction of this bounty program reflects DJI’s renewed focus on resolving product security concerns. The company aims to forge partnerships with security researchers and academics who share the mission of enhancing the security and stability of DJI products. Alongside this initiative, DJI is also instituting a multi-step internal approval process for the review and evaluation of app software prior to its release, ensuring that new updates adhere to strict security, reliability, and stability standards.
Historically, DJI had not provided a formal protocol for security researchers to report software issues, which often led to concerns being voiced on social media or in other public forums. Stockwell stressed the significance of establishing clear communication lines between DJI and the research community: “We want to engage with the research community and respond to their reasonable concerns with a common goal of cooperation and improvement.” He added that input from researchers is invaluable to building products that are stable, reliable, and trustworthy.