Late in August DJI launched their “Bug Bounty” program after hackers had been able to bypass DJI’s geo-fencing. Around the same time, the US army stopped using DJI’s products because of ‘cyber vulnerabilities’. Apparently, the program has been quite the success and DJI is now planning to make the first payouts, according to DroneLife. The combined payout is in excess of $30,000 to multiple researchers.
Bug bounty payday
No money has changed hands yet, but various researchers have mentioned that their bug reports were successfully submitted and that they have provided bank account information to DJI to receive payouts. One of the payouts is said to be a ‘top bounty’ of $30,000, the reward for a security flaw of the highest possible severity level.
Walter Stockwell, DJI Director of Technical Standards, had this to say about the ‘Bug Bounty’ program:
“Security researchers, academic scholars and independent experts often provide a valuable service by analyzing the code in DJI’s apps and other software products and bringing concerns to public attention. DJI wants to learn from their experiences as we constantly strive to improve our products, and we are willing to pay rewards for the discoveries they make.”
In their press release, DJI said about their ‘Threat Identification Reward Program’, the official name of their ‘Bug Bounty’ program, that its goal is to discover threats to the integrity of their users’ private data, such as photos, videos and flight logs. The program also aims to find other vulnerable areas that may expose proprietary source code or backdoors that bypass safety features, such as geo-fencing.
In the same release, DJI mentioned that a special website with full program terms and a standardized form for reporting bugs would be developed. We have yet to see such a website, although the dedicated email firstname.lastname@example.org has been available since the launch of the program. DJI promised to pay out rewards ranging from $100 to $30,000 for qualifying threats. The lack of a fully developed program and website for reporting the threats may be an indication that this ‘Bug Bounty’ program was put together quickly after DJI received negative press about the vulnerabilities in their software.
DroneLife continues to report that some of the researchers who are still waiting to receive payment for their original claims have already submitted new bug reports. This may be an indication that the relationship between DJI and the hackers it was fighting not so long ago is becoming somewhat formalized and friendly. DJI does ask researchers to refrain from publicly discussing their successful submissions.
A message from DJI to a security researcher. Photo: DroneLife
DJI is not the first, nor will it be the last, company to introduce a bug reporting program. Facebook, for instance, launched a similar bug bounty program back in 2011. All hardware and software, especially when newly developed, contains weak spots. The point is to identify and fix them. DJI reaching out to hackers and researchers to help find and fix these vulnerabilities must be seen as something positive, as it will ultimately lead to improved software and hardware and thus address the safety and security concerns of commercial drone pilots and government agencies.