Have a background in cyber-security? Know enough about code to spot a backdoor or an exploitable flaw? Then DJI has an offer you can’t refuse. Of course, you can refuse it. But by accepting it, you could earn as much as $30,000 US. That’s right: thirty grand.
DJI today announced what it’s calling a ‘Bug Bounty’ – rewards for identifying security issues with DJI software. Officially called the DJI Threat Identification Reward Program, it’s part of what the company describes as “an expanded commitment to work with researchers and others to responsibly discover, disclose and remediate issues that could affect the security of DJI’s software.”
Think of it as a scavenger hunt for code issues. The bigger the issue, the bigger the potential reward. And by extending the invitation to everyone, the company is effectively tapping into the brainpower of anyone across the planet who loves a challenge (and/or a reward). Plus, many companies have learned the hard way that people on the outside are often in the best position to spot potential issues or vulnerabilities.
“Security researchers, academic scholars and independent experts often provide a valuable service by analyzing the code in DJI’s apps and other software products and bringing concerns to public attention,” said DJI Director of Technical Standards Walter Stockwell. “DJI wants to learn from their experiences as we constantly strive to improve our products, and we are willing to pay rewards for the discoveries they make.”
The new program is an interesting, proactive approach to several challenges the company recently faced. One was the hacking issue, in which some owners of DJI products began modifying their aircraft and apps to disable or remove parts of DJI’s software. This was especially a concern with the Geospatial Environment Online, or GEO system – a geofence designed specifically to keep drones away from restricted airspace and other sensitive locations.
Some argued the software was too restrictive. However, removing the geofence meant people could fly their drones into illegal or even dangerous situations, which is not a good thing for the hobby or the industry as a whole. TDC covered the issue in some depth here.
The other recent issue was a guidance (now being re-assessed, apparently) by the US Army to stop using DJI products. Citing research that was not made public, the instruction characterized DJI products as carrying cyber-security vulnerabilities.
In the midst of all that, there were isolated complaints about potential software and safety issues with the Spark. DJI has since improved the Spark software, and a mandatory firmware upgrade goes into effect September 1st. (After that, any Sparks with older firmware will effectively be grounded until the update is made.) There’s also been plenty of chatter this summer in forums and on Facebook about privacy issues in general: Just how much personal data is shared when you fly a DJI product?
Well, the company has clearly been listening. Already, DJI has announced that a coming app upgrade will include a new mode. When enabled, that mode will ensure that data cannot be transmitted over the internet. Today’s announcement takes things further, and makes it clear the company is looking for assistance to stress-test and optimize its software in multiple sectors:
“The DJI Threat Identification Reward Program aims to gather insights from researchers and others who discover issues that may create threats to the integrity of our users’ private data, such as their personal information or details of the photos, videos and flight logs they create,” states the release.
“The program is also seeking issues that may cause app crashes or affect flight safety, such as DJI’s geofencing restrictions, flight altitude limits and power warnings.”
And yes, if you find something significant that needs to be addressed, you could be in for some serious money. The full program terms haven’t been released yet, but they are coming soon on a new website. For the moment, DJI is saying the rewards will range from $100 to $30,000, “depending on the potential impact of the threat.”
IT/software security pros who think they’ve already found something – it can be related to DJI’s servers, apps or hardware – can submit as of today. Send reports to email@example.com and your submission will be reviewed.
DJI also says a new and even more comprehensive internal software review, evaluation and approval process is coming to the company itself, in order to make its software more secure, reliable and stable. But this is the first time it has opened up the lines of communication to the broader community beyond DJI – where there’s a wealth of untapped knowledge.
“We want to engage with the research community and respond to their reasonable concerns with a common goal of cooperation and improvement,” says DJI’s Walter Stockwell. “We value input from researchers into our products who believe in our mission to enable customers to use DJI products that are stable, reliable and trustworthy.”