Look, we know you're all hacking DJI drones. How 'bout a bug bounty?

Firm says it'll pay out up to $30k for big holes

Bending to public pressure as more and more drone hackers break into their kit, Chinese firm DJI has now announced a bug bounty program.

"Security researchers, academic scholars and independent experts often provide a valuable service by analysing the code in DJI's apps and other software products and bringing concerns to public attention," said DJI's director of technical standards, Walter Stockwell, in a canned quote.

This comes hot on the heels of hackers discovering hot-patching frameworks hidden inside DJI's app, which it removed last week following coverage by El Reg.

Formally known as the DJI Threat Identification Reward Program, the bug bounty scheme promises to target "issues that may create threats to the integrity of our users' private data", as well as "issues that may ... affect flight safety, such as DJI's geofencing restrictions, flight altitude limits and power settings". Payouts will range between $100 and $30,000 "depending on the potential impact of the threat". Conscientious drone hackers are invited to email bugbounty@dji.com with details of flaws and fails.

This is clearly a play at crowdsourcing plugs for the well-publicised holes that allow drone-diddlers to bypass DJI's flight restrictions. In the company's own words, this forms part of "new efforts to partner with security researchers and academics who have a common goal of trying to improve the security and stability of DJI products".

As we noted previously, there is tension between users who don't want anyone putting limits on how they use their own property, whether or not they intend to obey the law, and DJI's desire to avoid the wrath of government agencies around the world.

The company also says it is implementing a new "multi-step" approval process for evaluating new app software before releasing it into the wild, which implies that the JSPatch and Tencent Tinker hot-patching frameworks (mentioned above) may have slipped past internal testing as a genuine oversight. ®


Biting the hand that feeds IT © 1998–2017