Chinese drone maker launches ‘bug bounty’ program with prizes up to $30,000

In a bid to create “formal lines of communication” with security researchers, Chinese drone maker DJI has started a “bug bounty” program, offering up to $30,000 to those who find and report issues with its software.

Much like Google’s Vulnerability Reward Program, DJI’s Threat Identification Reward Program aims to work with security experts to discover, disclose and fix security flaws in DJI’s software.

“The DJI Threat Identification Reward Program aims to gather insights from researchers and others who discover issues that may create threats to the integrity of our users’ private data, such as their personal information or details of the photos, videos and flight logs they create,” the announcement reads. The program also seeks to uncover any issues that may cause app crashes or affect flight safety, such as DJI’s geofencing restrictions, flight altitude limits and power warnings.

Earlier this month, business and government customers voiced concerns about DJI drones sending sensitive footage or images (i.e. of critical infrastructure) as part of a syncing feature server-side. The U.S. Army banned the products and instructed affiliate groups to stop using them due to cyber-security concerns.

It isn’t immediately clear if the bug bounty program has anything to do with the U.S. Army’s ban. However, it is likely part of the reason, considering the ban was issued mere weeks ago.

DJI says the program covers “concerns about DJI product security, including new efforts to partner with security researchers and academics who have a common goal of trying to improve the security and stability of DJI products.”

DJI’s highlights that the bug bounty program is meant to create “formal lines of communication about software issues” to those in a position to find and report them.

The Chinese company, which has offices in New York City, is also kick-starting a multi-step internal approval process to better evaluate new application software before it is rolled out.

The monetary rewards should make for a fine incentive, too. DJI claims it will be handing out rewards in the $100 to $30,000 range for “qualifying bugs,” depending on the potential impact of the threat.