DJI Bug Bounty Program Terms
Welcome to the DJI Bug Bounty Program (hereinafter referred to as the “Program”). This Program and the DJI Security Response Center (hereinafter referred to as the “DSRC”) are initiated and managed by SZ DJI Technology Co., Ltd. (hereinafter referred to as “DJI”). The purpose of the Program is to enhance the information security of DJI’s products and business systems.
DJI places a high value on information security and fully recognizes the important role that security researchers and the broader security community play in helping improve DJI’s security capabilities. DJI encourages security researchers to report vulnerabilities found in DJI’s products or services. For confirmed valid vulnerabilities, DJI will provide appropriate acknowledgment and rewards based on the quality of the submission.
You are required to read and comply with the DJI Bug Bounty Program Terms (hereinafter referred to as the “Agreement”). This Agreement is entered into between you (hereinafter referred to as “you” or the “Reporter”) and DJI, and governs your participation in the DJI Bug Bounty Program and the submission of vulnerabilities related to DJI products and services.
Please read this Agreement carefully and ensure that you fully understand the contents of each clause, especially those that exclude or limit liability, the governing law and jurisdiction clauses, and any separate agreements that apply to the activation or use of specific services. Clauses that limit or exclude DJI’s liability may be highlighted in bold to draw your attention.
Unless you have read and accepted all the terms of this Agreement, you are not authorized to participate in this Program. Your participation in the Program and submission of vulnerabilities to DJI shall be deemed as your acceptance of and agreement to be bound by this Agreement, DJI’s Privacy Policy, and any subsequently published agreements, operational rules, or related terms pertaining to this Program.
If you are under the age of 18, please read this Agreement and participate in the Program under the supervision of a legal guardian.
DJI is committed to assigning dedicated personnel to follow up on, analyze, and respond to every valid vulnerability report submitted by researchers. DJI adheres to and supports responsible vulnerability disclosure practices, and respects the efforts and achievements of every researcher. DJI always prioritizes the interests of its users and makes every effort to protect them.
I. Program Details
1.1 Eligibility Requirements for Participation
You represent and warrant that you meet the following eligibility requirements to participate in this Program:
(1) You are not a current employee of DJI or its affiliates, and are not a direct relative of such employee, an outsourced contractor, or an employee or representative of a supplier or partner who has had a business relationship with DJI within the past six months;
(2) You are not a resident or entity of any country or region that is subject to applicable export control laws and regulations, or designated as a restricted or embargoed party;
(3) You comply with the relevant internal policies of your employer or organization, and it is your responsibility to ensure that your participation in this Program does not violate any such policies. Should your participation breach any of your organization’s policies, you shall bear all resulting consequences.
1.2 Scope of Authorized Testing
The vulnerabilities you submit under this Program must be discovered during your research-based testing activities that fall within the authorized scope defined by this Agreement.
Subject to your acceptance of and compliance with this Agreement and fulfillment of confidentiality obligations, DJI authorizes you to collect vulnerabilities for the purpose of testing and evaluating the security of DJI systems, software, or devices, provided that such activities do not affect the normal operation of the systems being tested, do not endanger user privacy or network security, and are strictly for research purposes.
1.3 Vulnerability Submission Process
1.4 After accessing the DSRC platform at https://security.dji.com, you may submit vulnerabilities related to DJI products and services according to the provided guidelines.
DJI will evaluate your submission, and if it is verified as a valid security vulnerability, DJI will award a bounty of at least CNY 350 per vulnerability. DJI will deduct applicable personal income taxes (if any) from the bounty amount before payment.
1.5 Submissions that meet the requirements and are of high quality will help expedite DJI’s vulnerability assessment process and the issuance of rewards. A high-quality report should include:
1. A detailed description of the vulnerability, including:
a) Step-by-step instructions to reproduce the issue.
b) A non-destructive proof of concept (PoC), such as executing a harmless command like "hello world"in the case of an RCE vulnerability.
2. Detailed information about the testing environment, including:
a) The affected URL, application, code snippet, etc.
b) For product/device-related vulnerabilities, the model number, firmware version, or any other relevant information.
c) Please retain and submit any relevant data from your testing process as part of your report attachments.
You understand and agree that the absence of the above information may hinder DJI’s ability to properly assess the vulnerability, which may in turn affect response timelines and bounty decisions.
1.6 Scope of Submitted Vulnerabilities
(1) Domains: dji.com, dji.net, djicdn.com, djivideos.com, djiservice.org, djiag.com, skypixel.com, robomaster.com, djiits.com.
(2) Applications: DJI Fly, DJI Mimo, DJI Ronin, LightCut, DJI Pilot, DJI SmartFarm, Avinox, DJI Enterprise.
(3) All DJI products that are within the official DJI security maintenance lifecycle.
You understand and agree: DJI does not accept vulnerability submissions for products or services that are no longer sold or have been officially declared as unsupported. DJI also does not accept vulnerability submissions related to third-party products or services.
1.7 Vulnerability Severity Evaluation Criteria
When evaluating the severity of a submitted vulnerability, DJI will primarily consider the following factors:
(1) The sensitivity and volume of potentially exposed data;
(2) The ease of exploitation;
(3) The likelihood and overall risk of causing harm to DJI users;
(4) The scope of impact on DJI products or servers.
You understand and agree that the following factors will not be considered in DJI’s severity evaluation:
(1) The amount of time you spent discovering the vulnerability;
(2) Any costs incurred from purchasing DJI products to aid vulnerability discovery;
(3) Vulnerabilities already known to DJI;
(4) Other factors that cannot clearly demonstrate the impact or severity of the vulnerability.
1.8 Vulnerability Rating Criteria and Rewards
DJI will issue a bounty to vulnerability reporters who meet the following conditions to express our gratitude to the vulnerability reporter:
(1) The first reporter of the vulnerability.
(2) The DJI security team determines that the vulnerability does exist and can have a real security impact on the DJI environment.
(3) The vulnerability reporter accepts and abides by all terms.
The vulnerability rating will refer to the following standards: WEB System Vulnerability Rating Criteria & Device and Application Vulnerability Rating Criteria
1.9 Personal Information Requirements
You understand and agree that, when necessary, DJI has the right to request the following personal information (among other details). Failure to provide the required information may result in DJI being unable to process or issue any applicable bounty payments:
(1) Full name, as stated on your valid government-issued identification, such as national ID card, passport, or other recognized official documents.
(2) Identification number, corresponding to your valid ID document.
(3) Mobile phone number, currently in use and registered under your name.
(4) Mailing address, including your permanent residence or valid correspondence address.
1.10 Vulnerability Disclosure Requirements
You must comply with the following disclosure requirements regarding any reported vulnerabilities:
(1) You may not disclose any details of the vulnerability to others without DJI’s prior written permission.
(2) Even after obtaining DJI’s permission, you must not disclose any user data, personal information, DJI server addresses, or any information that may harm the legitimate rights and interests of DJI or its users during the disclosure process.
(3) You must accurately and objectively describe the impact of the vulnerability. Any behavior involving exaggeration, incitement of users, or intentional creation of public panic will be subject to accountability.
(4) Any unauthorized access to, download of, or dissemination of DJI source code or data may constitute a legal violation, and DJI reserves the right to pursue legal action.
1.11 Accuracy of Personal Information
All personal information you provide while participating in this Program must be complete, accurate, and valid. DJI only conducts a formal, document-based review of the submitted information and does not have the ability to verify or authenticate the accuracy of such personal information. You acknowledge that any adverse consequences arising from the submission of false or incomplete information shall be borne solely by you.
II. Reporter Code of Conduct
2.1 Prohibited Conduct
While participating in this Program, you shall not engage in any of the following behaviors, including but not limited to:
(1) Fabricating facts or concealing the truth to mislead or deceive others.
(2) Posting, transmitting, or distributing advertisements or spam.
(3) Using the pretense of testing to exploit vulnerabilities for harmful purposes or to infringe upon users’ rights and interests, including but not limited to stealing user information, privacy data, or virtual assets.
(4) Exploiting vulnerabilities to attack DJI systems, causing system crashes or service outages.
(5) Conducting testing that disregards public safety and seriously affects flight safety or the safety of public airspace.
(6) Using vulnerabilities to threaten, extort, or maliciously exaggerate their impact in ways that incite public panic.
(7) Engaging in harmful or uncontrollable security testing activities.
(8) Irresponsibly disclosing vulnerabilities or maliciously spreading vulnerability information.
(9) Failing to properly safeguard data obtained during testing, resulting in damages to DJI.
(10) Disrupting the normal operation of DJI products or services, infringing upon user privacy or data security, or threatening network security.
(11) Engaging in any other conduct that violates laws, regulations, public order, or social ethics.
2.2 Restrictions Without Prior Authorization
Unless permitted by law or with prior written consent from DJI, you shall not:
(1) Remove any copyright notices on the DSRC website.
(2) Reverse engineer, decompile, disassemble, or otherwise attempt to discover the source code of the Program.
(3) Use, lease, lend, copy, modify, link to, reproduce, compile, publish, distribute, or create mirror sites or derivative works based on content owned by DJI that is protected by intellectual property rights.
(4) Copy, modify, add, delete, or hook into the data necessary for the operation of the Program, or create any derivative works based on such data—including but not limited to using plug-ins, add-ons, or unauthorized third-party tools/services.
(5) Modify or forge instructions or data during the operation of the Program to alter software functionality or effects, or operate or publicly distribute software or methods designed for such purposes, regardless of commercial intent.
(6) Interfere with components, modules, or data of the Program directly, through authorization to others, or by means of third-party software.
(7) Download DJI source code or data during the vulnerability testing process.
(8) Engage in any other behavior that violates applicable laws and regulations, infringes upon the legal rights of others, disrupts product operations, or breaches this Agreement or related DJI rules without explicit authorization or permission from DJI.
You understand and agree: If you violate any of the above provisions, this Agreement, or applicable laws or policies, DJI has the right to terminate your participation in the Program without your prior consent. DJI shall not be liable for any loss or consequences you may suffer due to such termination.
2.3 You agree to conduct vulnerability discovery and reporting for research and testing purposes only, and to submit vulnerabilities in good faith. You affirm that the vulnerabilities you submit were discovered using your own knowledge and technical skills through legitimate and lawful means, and that you have lawful ownership or authorization for any information included in your submission.
2.4 During testing, you shall not illegally access DJI networks, interfere with the normal functionality of DJI products or services, or steal user data. You shall not provide software, tools, or technical assistance to others for such activities.
2.5 You fully understand and agree that certain features of the Program may publicly disclose some of your information to external organizations or individuals—for example, your nickname or ranking on the DSRC platform. You acknowledge that such disclosures may carry potential risks and you agree to bear those risks yourself.
2.6 You fully understand and agree that DJI may use information related to your participation in the Program and, through third-party services, may display relevant data to you or other users. For security purposes, DJI may also collect and use behavioral data from your activity on the DSRC platform.
2.7 If your breach of this Agreement causes harm or leads to claims from third parties, you agree to assume full responsibility and indemnify DJI from any resulting liabilities.
2.8 When using products or services provided by third parties in connection with this Program, you agree to comply with the third-party terms of service in addition to this Agreement. DJI and the third party shall each bear their respective responsibilities for any disputes that arise, within the limits of applicable law and mutual agreements.
III. DJI’s Rights and Obligations
3.1 DJI reserves the right to investigate and verify any vulnerability information and personal information you submit. Upon completion of the investigation, DJI may send the results to your account or contact device. However, such investigation and review by DJI shall not relieve you of your responsibility to ensure the completeness, accuracy, and legality of the information you provide. You shall bear full responsibility and consequences for any noncompliance. If DJI has any doubts regarding the completeness, accuracy, or legality of your submitted information, DJI has the right to notify you to provide clarification or correction. DJI also reserves the right to take action such as terminating your participation in the Program or freezing your account without prior notice.
3.2 If DJI discovers or receives a report from a third party indicating that you have violated this Agreement or any applicable laws, regulations, or policies, DJI has the right to verify the situation with you, restrict your activities, issue warnings, or terminate your participation in the Program.
3.3 DJI respects your personal information and will take necessary and reasonable measures to protect it. Unless required for processing, evaluating, and handling your submitted vulnerabilities, or mandated by law, governmental authority, or with your consent, DJI will not disclose or share your personal information, as specified in Section 1.9 of this Agreement, to any third party without your approval.
3.4 DJI reserves the right to display various types of information to you, including but not limited to news updates, promotional content and announcements.
IV. Intellectual Property
As a condition of participating in this Program, you hereby grant DJI, its affiliates, and its customers a perpetual, irrevocable, worldwide, transferable, and sublicensable license to use, sell, copy, adapt, modify, publish, distribute, publicly perform, create derivative works from, and otherwise exploit any vulnerability you submit to DJI.
V. Confidentiality
5.1 Definition of Confidential Information
"Confidential Information” under this Agreement refers to any information related to vulnerabilities that you acquire, any DJI user information, or any proprietary DJI information. This includes but is not limited to the vulnerability submissions you provide, DJI SSL certificates and keys, DJI source code or other proprietary programming instructions, user identity information and flight records, and any vulnerability-related information disclosed before it becomes public, regardless of whether such information has commercial value or is subject to protective measures.
5.2 Confidentiality Obligations
You shall maintain strict confidentiality of all Confidential Information both during the term of this Agreement and after its termination. You agree to use the Confidential Information solely for the purposes of this Agreement and not for any other purposes. Without DJI’s prior written authorization, you shall not use, disclose, transfer, license, share, or otherwise allow any third party to access such Confidential Information in any form.
5.3 Confidentiality of Vulnerability Submissions
All information related to vulnerabilities you submit to DJI shall be treated as strictly confidential. For the purpose of system security, you shall not disclose to any third party any details regarding vulnerabilities—including but not limited to vulnerability names, classifications, affected modules, root causes, exploitation methods, PoCs, or disassembly code—without DJI’s prior written consent and review. Unless otherwise publicly disclosed by DJI or required by law, no discussion of the vulnerability is permitted before DJI confirms it has been fixed. After the vulnerability is fixed, you may participate in discussions only with DJI’s approval and not earlier than 30 days after the fix.
VI. Third-Party Software or Technology
This Program may incorporate third-party software or technology. DJI will disclose related licenses, agreements, or documentation in accordance with relevant laws or agreements, which may appear as attachments to this Agreement or be bundled in a designated folder in the software package. These may be titled “Software License Agreement,” “Authorization Agreement,” “Open Source License,” or similar terms.
Such documents form an integral part of this Agreement and shall have equal legal force. You are required to comply with the terms of these third-party agreements. Failure to do so may subject you to legal action, fines, or sanctions by third parties or government agencies, and DJI may be requested to cooperate. You agree to bear any resulting legal responsibilities independently.
VII. Modification, Suspension, or Termination of the Program
You understand and agree that DJI has the right to independently adjust its operational strategies and may, at any time and without prior notice, modify, suspend, or terminate the Program. In the event of termination, DJI reserves the right to retain or delete any information related to your account or data stored on DJI’s servers (including data not yet finalized prior to termination) without liability.
VIII. Disclaimers
8.1 Data Security
DJI will endeavor to protect your data security during your participation in the Program but does not guarantee absolute safety. Specifically:
(1) DJI is not responsible for deletion or storage failures of any data related to the Program.
(2) DJI reserves the right to set limits on the maximum storage duration and data capacity within its servers. You are responsible for backing up any data as needed.
(3) If you withdraw from the Program, DJI may permanently delete your data from its servers and is under no obligation to return any data to you.
8.2 Service Interruptions
You understand and agree that DJI may perform maintenance, updates, or inspections on its infrastructure periodically or from time to time. These operations may temporarily interrupt or suspend the Program’s functionality for a reasonable period.
8.3 Limitation of Liability
You acknowledge that the Program is provided based on the current level of technology and infrastructure. DJI cannot guarantee the Program is flawless and may not be able to prevent or foresee all legal, technical, or other risks, including but not limited to force majeure events, viruses, malware, hacking, system instability, flaws in third-party services, or government actions. These may cause interruptions, data loss, or other consequences. Such risks shall not be deemed DJI’s breach of contract, and DJI assumes no liability.
8.4 User-side Risks
You agree that you shall bear full responsibility for any losses resulting from the following:
(1) Malware, viruses, or hacking affecting your devices, software, or communications infrastructure;
(2) Improper user operations;
(3) Participating in the Program via unauthorized means;
(4) Other circumstances beyond DJI’s reasonable control or foreseeability.
IX. Breach of Agreement
If you breach any term of this Agreement, DJI reserves the right to revoke any bounties paid, remove your name from the DJI Security Contributors List, disqualify you from future participation in the Program, unilaterally terminate this Agreement, and demand full compensation for any losses incurred by DJI.
X. Miscellaneous
10.1 DJI may update the DSRC website or alter features without prior notice. Upon release of new versions, older versions may become unusable. DJI makes no guarantees regarding the continued availability of older versions. You are responsible for ensuring that you are using the latest version.
10.2 This Agreement shall be governed by and construed under the laws of the State of California without regard to conflict of law principles. Any disputes between you and DJI shall first be resolved through friendly negotiation. If negotiation fails, you agree that the disputes will be referred to and finally determined by arbitration administered by JAMS in accordance with its applicable rules. The tribunal will consist of one arbitrator. The place of arbitration will be San Jose, CA. The language to be used in the arbitral proceedings will be English.
10.3 If you have objections or concerns regarding the vulnerability processing workflow, severity classification, or any part of the Program, you may contact DJI by sending an email to bugbounty@dji.com with the subject line “[DJI Vulnerability Processing Objection].”
10.4 If any clause in this Agreement is found to be invalid or unenforceable for any reason, the remaining clauses shall remain valid and binding on both parties.
DJI
2025.7.15