DJI is launching a ‘Bug Bounty’ program, in a move that will see the company work with external consultants, hackers and security advisors to improve software security and ease concerns over data vulnerability.
Over the past couple of months, a number of security issues have been discovered in DJI’s software. These have ranged from hot patching capabilities – code that allows the Go app to be updated without the awareness of the user – to the ‘cyber vulnerabilities’ that led to the US Army grounding its DJI flights.
There have also been questions raised regarding how much data the Chinese manufacturer is gathering. After announcing a silent mode earlier this month that ensures no data is transmitted during flights, DJI has now made a second move to appease concerned pilots.
Bug Bounty program will pay for uncovered software issues
DJI is launching a “bug bounty” program. The point is to embrace the people who have been working so doggedly to identify issues with the company’s software. Instead of fighting them, the plan is to reward those who discover points of concern.
Depending on how serious the issue is, rewards for bugs will range from $100 to $30,000. DJI is developing a website with full program terms and a standardized form for reporting potential threats related to DJI’s servers, apps or hardware. Starting today, bug reports can be sent to email@example.com for review by DJI’s technical team.
DJI Threat Identification Reward Program
The DJI Threat Identification Reward Program is part of an expanded commitment to work with researchers and others to responsibly discover, disclose and remediate issues that could affect the security of DJI’s software.
“Security researchers, academic scholars and independent experts often provide a valuable service by analyzing the code in DJI’s apps and other software products and bringing concerns to public attention,” said DJI Director of Technical Standards Walter Stockwell. “DJI wants to learn from their experiences as we constantly strive to improve our products, and we are willing to pay rewards for the discoveries they make.”
The DJI Threat Identification Reward Program aims to gather insights from researchers and others who discover issues that may create threats to the integrity of our users’ private data, such as their personal information or details of the photos, videos and flight logs they create. The program is also seeking issues that may cause app crashes or affect flight safety, such as DJI’s geofencing restrictions, flight altitude limits and power warnings.
DJI is Waking Up to Concerns
The DJI Threat Identification Reward Program is part of a renewed focus on DJI product security – one that has arguably been forced by the developments over the past few weeks. The company wants to work with security researchers and academics who have a common goal of trying to improve the security and stability of DJI products. DJI is also implementing a new multi-step internal approval process to review and evaluate new app software before it is released to ensure its security, reliability and stability.
This change in procedure is significant. Internal reviews are the best way to catch rogue code before it gets distributed to users around the world. It’s also adding a much needed layer of accountability to DJI’s technical team.
Despite there being plenty of coverage around the issues of DJI and data security, it’s difficult to say how much of this will have gone way over the heads of your average DJI pilots. Although security is a priority for a number of commercial and government operators working on sensitive projects, the majority of users will be far too busy flying to think twice about how secure DJI software is.
An interesting collaboration
The new bug bounty program offered by DJI could be the start of an interesting dynamic between hackers and the popular drone manufacturer. There are plenty of individuals involved in reverse engineering the DJI Go app, modding the software to bend enforced flight restrictions and personalize their flight experience. But some members of the very same group have been more focused on investigating security concerns.
If these bounties go ahead, DJI could be paying the same individuals it was criticizing as recently as last month.
DJI has not previously offered formal lines of communication about software issues to security researchers. Many, according to DJI, have raised their concerns on social media or other forums.
“We want to engage with the research community and respond to their reasonable concerns with a common goal of cooperation and improvement,” Stockwell said. “We value input from researchers into our products who believe in our mission to enable customers to use DJI products that are stable, reliable and trustworthy.”