DJI Bug Bounty Program Guidelines
Welcome to the DJI Bug Bounty Program, the purpose of this Program is to enhance the information security of DJI products and services. DJI places great importance on information security and fully recognizes the value that security researchers and the broader security community bring in helping improve DJI’s security capabilities. DJI encourages security researchers to report any security vulnerabilities found in DJI products or services. For validated and confirmed vulnerabilities, DJI will provide appropriate acknowledgment and rewards based on the quality of the findings.
I. Bug Bounty Process
After accessing the DSRC platform at https://security.dji.com you may submit vulnerability reports related to DJI products and services in accordance with the provided guidelines. DJI will evaluate your submission, and if it is confirmed as a valid security vulnerability, DJI will award a bounty of at least CNY 350 per vulnerability. Applicable personal income tax (if any) will be deducted from the bounty before payment.
Vulnerability Report Requirements
Submissions that meet the requirements and are of high quality will help expedite DJI’s vulnerability assessment process and the issuance of rewards. A high-quality report should include:
1. A detailed description of the vulnerability, including:
a) Step-by-step instructions to reproduce the issue.
b) A non-destructive proof of concept (PoC), such as executing a harmless command like "hello world"in the case of an RCE vulnerability.
2. Detailed information about the testing environment, including:
a) The affected URL, application, code snippet, etc.
b) For application/device-related vulnerabilities, the model number, firmware version, or any other relevant information.
c) Please retain and submit any relevant data from your testing process as part of your report attachments.
Please note that the absence of the above information may hinder DJI’s ability to properly assess the vulnerability, which may in turn affect response timelines and bounty decisions.
Scope of Valid Vulnerability Reports
(1)Domains: dji.com, dji.net, djicdn.com, djivideos.com, djiservice.org, djiag.com, skypixel.com, robomaster.com, djiits.com.
(2)Applications: DJI Fly, DJI Mimo, DJI Ronin, LightCut, DJI Pilot, DJI SmartFarm, Avinox, DJI Enterprise.
(3)Devices: Any DJI product currently under official security maintenance.
Please note that DJI does not accept vulnerability reports for products or services that have been discontinued or officially announced as unsupported. DJI also does not accept vulnerability reports related to third-party products or services.
Vulnerability Severity Evaluation Criteria
When evaluating the severity of a submitted vulnerability, DJI will primarily consider the following factors:
(1) The sensitivity and volume of potentially exposed data.
(2) The ease of exploitation.
(3) The likelihood and overall risk of causing harm to DJI users.
(4) The scope of impact on DJI products or servers.
Please note that the following factors will not be considered in DJI’s severity evaluation:
(1) The amount of time you spent discovering the vulnerability.
(2) Any costs incurred from purchasing DJI products to aid vulnerability discovery.
(3) Vulnerabilities already known to DJI.
(4) Other factors that cannot clearly demonstrate the impact or severity of the vulnerability.
II. Vulnerability Rating Criteria and Rewards
DJI will issue a bounty to vulnerability reporters who meet the following conditions to express our gratitude to the vulnerability reporter:
(1) The first reporter of the vulnerability.
(2) The DJI security team determines that the vulnerability does exist and can have a real security impact on the DJI environment.
(3) The vulnerability reporter accepts and abides by all terms.
The vulnerability rating will refer to the following standards: WEB System Vulnerability Rating Criteria & Device and Application Vulnerability Rating Criteria
For security intelligence that is evaluated as valid, a base reward of CNY 500 will be granted. If the intelligence reveals significant threat activities, attacker group operations, or high-risk data leaks, additional rewards may be issued depending on severity — with no upper limit.
III. Vulnerability Remediation
Critical, high, and medium severity vulnerabilities will be remediated within 90 working days, while low severity vulnerabilities will be addressed within 180 working days. The actual remediation timeline may be affected by environmental or hardware constraints and will be determined based on specific circumstances.
IV. Vulnerability Disclosure Requirements
You must comply with the following rules when disclosing any vulnerabilities:
(1) Do not disclose any details about the vulnerability to any third party without prior permission from DJI.
(2) After obtaining DJI’s permission, you must not disclose user data, user privacy, or DJI server addresses, or any other information that may harm the legitimate rights and interests of DJI or its users.
(3) You must accurately and objectively describe the impact of the vulnerability. Any exaggeration, user incitement, or intentional creation of public panic may result in liability.
(4) Any unauthorized access to, download, or dissemination of DJI source code or data may constitute a legal violation, and DJI reserves the right to pursue legal action.
To evaluate your disclosure request, please download and complete Vulnerability Disclosure Request, and send it together with the full content and related materials intended for public disclosure to bugbounty@dji.com. Upon receiving the complete materials, we will initiate the review process. Upon approval, DJI will issue a written authorization for public disclosure.
Vulnerability Disclosure Request: Vulnerability Disclosure Request