Chinese Drone Giant DJl Launches Bug Bounty Program

Chinese drone-maker DJl has launched a bug bounty program to help identify issues with its software, just weeks after the US army banned its products over security concerns.

The DJl Threat Identification Reward Program will aim to discover problems that could lead to the exposure of users’ personal data – including photos, videos and flight logs – as well as any issues that could cause “app crashes or affect flight safety.”

DJl customers are increasingly modifying their products at home in a bid to circumvent no-fly zones, as well as geofencing restrictions and altitude limits the firm has placed on its products, it emerged recently.

Rewards for bug bounty participants start at $100 and could reach as high as $30,000 depending on the potential impact of the threat, the firm said.

“Security researchers, academic scholars and independent experts often provide a valuable service by analyzing the code in DJI’s apps and other software products and bringing concerns to public attention,” said DJI director of technical standards, Walter Stockwell.

“DJI wants to learn from their experiences as we constantly strive to improve our products, and we are willing to pay rewards for the discoveries they make.”

As well as the bug bounty program and other efforts to partner with researchers and academics to improve security, DJl said it is implementing a new “multi-step internal approval process” to review any new software before it’s released.

It admitted that in the past, researchers have been frustrated by the lack of a formal channel via which to contact DJl with any potential security issues.

“We want to engage with the research community and respond to their reasonable concerns with a common goal of cooperation and improvement,” Stockwell said. “We value input from researchers into our products who believe in our mission to enable customers to use DJI products that are stable, reliable and trustworthy.”

Earlier this month, the US Army issued an internal memo effectively banning use of DJl products “due to increased awareness of cybersecurity vulnerabilities.”

What’s Hot on Infosecurity Magazine?