Leading Chinese drone maker DJI has launched a new bug bounty programme offering security researchers and white-hat hackers up to $30,000 (£23,148) to find and report bugs and vulnerabilities in its products. The announcement comes just weeks after the US Army ordered its service members to stop using drones made by the firm due to "cyber vulnerabilities" in its unmanned aerial vehicles and systems.
The company unveiled its new "DJI Threat Identification Reward Program" on Monday (28 August) as part of its "expanded commitment" and "renewed focus" to work with security researchers to uncover, report and address issues that affect the security of its servers, apps and hardware.
People who do find vulnerabilities can earn between $100 and $30,000, depending on the severity and potential impact of the threat.
"Security researchers, academic scholars and independent experts often provide a valuable service by analyzing the code in DJI's apps and other software products and bringing concerns to public attention," DJI director of technical standards Walter Stockwell said in a statement. "DJI wants to learn from their experiences as we constantly strive to improve our products, and we are willing to pay rewards for the discoveries they make."
A separate dedicated website detailing the programme's terms along with a standardised form to report potential threats will soon be published, DJI said. The company is also partnering with security researchers and academics to help bolster the security and stability of its products.
"We want to engage with the research community and respond to their reasonable concerns with a common goal of cooperation and improvement," Stockwell said. "We value input from researchers into our products who believe in our mission to enable customers to use DJI products that are stable, reliable and trustworthy."
DJI will also implement a new "multi-step internal approval process" to review and evaluate new app software before it is rolled out to the public "to ensure its security, reliability and stability".
As part of its efforts to improve drone security, the company has introduced updates to its DJI Go and Go 4 apps to pull third-party add-ons that collected user data without permission.
DJI removed a third-party plugin JPush after its security researchers discovered it collects "extraneous packets of data" including a list of apps installed on a user's Android device and relays it to JPush's servers.
"DJI did not authorize or condone either the collection or transmission of this data, and DJI never accessed this data," the company said in a blog post. "JPush has been removed from our apps, and DJI will develop new methods for providing app status updates that better protect our customers' data."
The company also took down the "hot-patching" plugins JsPatch for iOS and Tinker for Android, which allowed DJI to update elements within its drone apps without updating the entire app itself.
The newly announced bug bounty programme and security efforts come as DJI, which is estimated to own 70% of the global market for consumer and commercial drones, continues to deal with hackers infiltrating its software to bypass its built-in geofencing restrictions for no-fly zones, altitude and speed limits.
"I find it funny that DJI, who did not care for security concerns of the community, now comes up with a bug bounty program," Andreas Makris, a hacker going by the online name bin4ry, told Motherboard. "We showed them a great deal of security flaws in their products already, and they did not care about bugs, only those bugs/exploits which changed the app behaviour in ways users wanted the app to be.
"They only tried to close the door for us to modify it and did not fix the problem itself. So I am REALLY interested if they want to change for real or if this is all only a game to look better in public."