Drone-Maker DJI Wants You to Find Its Weak Spots
China's DJI, which makes popular consumer drones such as those in the Phantom line, has launched a bug bounty program to reward people for finding flaws in its software.
The DJI Threat Identification Reward Program is aimed at security researchers and others, offering various financial rewards, depending on the severity of the bugs that are reported. It comes at a time when the security of DJI's drones and their associated apps is under close scrutiny.
Bug bounty programs are an increasingly popular way for companies to encourage hackers to responsibly disclose the flaws they find, rather than selling that knowledge to criminals who might exploit it. Until now, DJI has not had such a scheme, so people finding vulnerabilities in its products have tended to take their findings to "social media or other forums," the company said.
"Security researchers, academic scholars and independent experts often provide a valuable service by analyzing the code in DJI's apps and other software products and bringing concerns to public attention," DJI technical standards director Walter Stockwell said in a Monday statement. "We want to engage with the research community and respond to their reasonable concerns with a common goal of cooperation and improvement."
Earlier this month, DJI's drones became the subject of a U.S. Army ban over unspecified "cyber vulnerabilities." Soon after that ban became public, DJI said it was working on an internet-free mode for its drones and apps, in order to allay fears about the company sending sensitive information back to its servers in China.
The firm's smallest drone, the DJI Spark, also recently made headlines when it emerged that a bug was causing the devices to fall from the sky. DJI issued a software update for the Spark this month, warning users that the drones would no longer fly without it.
Also on Monday, DJI said it had updated its Go drone-piloting apps to remove third-party components that collected excessive amounts of data and sent it over the internet. "We will remove plug-ins that are found to cause software security or integrity concerns," the firm said.