DJI to Offer “Bug Bounty” Rewards for Reported Drone Software Vulnerabilities
Bug bounties are nothing new in the consumer tech space. Plenty of companies offer some sort of reward program for users who find and report specific flaws in a company’s software—most notably Google. But what makes this story noteworthy is the fact that the manufacturer behind it, DJI, has launched theirs after a much-publicized falling out with the U.S. military.
DJI is by far the world’s largest and most successful consumer drone manufacturer, holding roughly half of the overall market share for consumer drones. Their easy-to-use and fairly affordable products have clearly caught the attention of consumers around the world, but they also caught the attention of the U.S. military. The Army began contracting with DJI to use their drones for a number of different programs. That contract ended earlier this month when DJI’s drones were found to have major security vulnerabilities that allowed hackers to find and collect all kinds of user data through a simple Google search.
In a statement on Monday, DJI said the new Threat Identification Reward Program is part of a “renewed focus on addressing concerns about DJI product security.” The company plans to partner with security researchers and academics in an effort to improve their products’ security.
“Security researchers, academic scholars and independent experts often provide a valuable service by analyzing the code in DJI’s apps and other software products and bringing concerns to public attention,” DJI Director of Technical Standards Walter Stockwell said in the statement. “DJI wants to learn from their experiences as we constantly strive to improve our products, and we are willing to pay rewards for the discoveries they make.”
The statement doesn’t make mention of the Army’s decision to ground their drones, but the specific issues that DJI said it is hoping to solve with the new program are, word-for-word, the issues highlighted by the Army. Those security flaws include the integrity of users’ private data, such as flight logs, photos, and videos. DJI said it also hopes to solve issues around app crashes and flight safety.
“We want to engage with the research community and respond to their reasonable concerns with a common goal of cooperation and improvement,” Stockwell said. “We value input from researchers into our products who believe in our mission to enable customers to use DJI products that are stable, reliable and trustworthy.”
Rewards for qualifying bugs will range from $100 to $30,000 depending on the potential impact of the threat, DJI said. The company is developing a website with full program terms and a standardized form for reporting possible bugs.