Chinese consumer drone maker DJI has announced that it’s starting a bug bounty program and has invited researchers to discover and responsibly disclose issues that could affect the security of its software.
“The DJI Threat Identification Reward Program aims to gather insights from researchers and others who discover issues that may create threats to the integrity of our users’ private data, such as their personal information or details of the photos, videos and flight logs they create. The program is also seeking issues that may cause app crashes or affect flight safety, such as DJI’s geofencing restrictions, flight altitude limits and power warnings,” the company said.
The website for the program and a form for reporting potential threats is yet to be set up, so specific details are scarce. What is known, though, is that rewards for qualifying bugs will range from $100 to $30,000 – the final amount will depend on the potential impact of the threat.
Until the website is ready, researchers can send in bug reports to email@example.com.
The company has noted that this step was long overdue.
“DJI has not previously offered formal lines of communication about software issues to security researchers, many of whom have raised their concerns on social media or other forums when they could not determine how best to bring these issues to DJI’s attention,” they pointed out.
The decision to start a bug bounty program comes mere weeks after the U.S. Army ordered its members to stop using DJI drones because of cyber vulnerabilities.
Whether this order was due to the fact that the drones can send flight logs, photos or videos to DJI’s servers is unknown, but the company is working on making it possible for users to disconnect the drone from the Internet while it’s flying, so that the data can’t be sent to servers even by mistake.
Also, the company has been struggling to prevent users from modifying their drone’s firmware so that it can enter no-flight zones (e.g. airports, military installations) defined by the company.