Dronelife understands that DJI has agreed to pay out a combined total in excess of $30,000 to multiple security researchers as part of its Bug Bounty program.
No money has yet been paid out, but several researchers have confirmed their bug reports have been successful and that they have handed over bank details to DJI for payment. That total includes at least one ‘top bounty’: $30,000 – the reward for a security flaw judged to be of the highest possible threat level.
The initiative was launched in August in response to security concerns that came to public attention over the summer, as hackers were able to override the manufacturer’s geofencing system and the US Army halted the use of DJI equipment due to ‘cyber vulnerabilities’.
Bug bounty program still not up and running
The official reveal of the DJI bug bounty program stated the following:
The DJI Threat Identification Reward Program aims to gather insights from researchers and others who discover issues that may create threats to the integrity of our users’ private data, such as their personal information or details of the photos, videos and flight logs they create. The program is also seeking vulnerabilities that may reveal proprietary source codes and keys or backdoors created to bypass safety certifications.
Rewards for qualifying bugs will range from $100 to $30,000, depending on the potential impact of the threat. DJI is developing a website with full program terms and a standardized form for reporting potential threats related to DJI’s servers, apps or hardware. Starting today, bug reports can be sent to email@example.com for review by technical experts.
However, no website has yet been launched detailing the full terms and conditions of the program, and no money has yet been transferred to successful bug finders. This slow progress suggests that the bounty program was hastily thrown together in response to an increasing number of negative stories about DJI’s data security.
We also understand that some of the researchers with successful claims have already submitted new reports detailing new bugs, despite no money exchanging hands for the original bounties. So it looks like an amicable relationship is developing between DJI and the same hackers the company was fighting against not so long ago. Successful bug finders have also been asked to refrain from discussing the details of their reports for the time being.
This news goes some way to confirming what we suspected already: that DJI’s software contains security vulnerabilities. But it’s promising that the company appears willing to act upon these issues. It will be interesting to see how the bug bounty program progresses and how DJI deals publicly with its results. At the moment, it looks like a collaborative move that could help foster a more positive relationship between the world’s most popular drone manufacturer and the security community. It should also (eventually) plug those holes in security and go some way to reassuring concerned commercial pilots.