DJI Bug Bounty Program Guidelines


Welcome to the DJI Bug Bounty Program. At DJI, we are deeply committed to the security of our products and business systems. We highly value the vital role that independent security researchers and the broader cybersecurity community play in strengthening our overall security posture. We strongly encourage you to report any security vulnerabilities related to DJI products or services. For validated vulnerabilities, we offer corresponding bounty rewards and recognition, commensurate with the quality of the report and its actual security impact.


I. Vulnerability Handling Process


Report Process


Researchers can submit vulnerability reports via the DSRC portal https://security.dji.com in accordance with our submission guidelines. DJI will evaluate the vulnerabilities you submit. If a report is validated, DJI will grant a reward of at least 350 CNY for each vulnerability, and DJI will withhold applicable personal income taxes (if any) from the bounty payout.


【Scope of Vulnerability Reports】


(1) Web Domains: dji.com, dji.net, djicdn.com, djivideos.com, djiservice.org, djiag.com, skypixel.com, robomaster.com, djiits.com, djigate.com, djienterprise.com
(2) Mobile Apps: DJI Fly, DJI Mimo, DJI Ronin, LightCut, DJI Pilot, DJI SmartFarm, DJI Enterprise, DJI Home, DJI Store
(3) Hardware Products: Any related DJI products currently within their active security maintenance lifecycle.


Please note:
(1) Server-side (backend) vulnerabilities associated with Mobile Apps or Mini-Programs are categorized and evaluated as Web assets;
(2) DJI does not accept vulnerability reports for products or services that are no longer sold or officially announced as no longer supported:
[Out-of-Scope Web Assets] edu.dji.com, gsp.dji.com
[End-of-Life (EOL) Products] EOL Product List
(3) Vulnerabilities residing in third-party components, products, or services are generally out of scope. However, they may be considered eligible ONLY IF the researcher can demonstrate a practically exploitable attack chain within DJI's specific deployment environment that results in a verifiable security impact on DJI or its users.


【Vulnerability Report Requirements】


Basic Requirements for Valid Reports


A qualified Vulnerability Report must include the following components:
1. Vulnerability Description: A clear explanation of the vulnerability type, its root cause, and the specific functional module affected.
2. Scope of Impact: Clear identification of the affected product versions, system components, and user groups.
3. Steps to Reproduce: Provide a complete, step-by-step guide to reproducing the issue, specifically including:
(1) Description of the testing environment (e.g., target business system, device model, operating system version, URL, etc.);
(2) Specific request parameters, payloads used, and any other relevant configuration settings;
(3) Explanation of the observed execution results during testing;
(4) Relevant test data, logs, or network traffic preserved and submitted as attachments.
4. Proof of Concept (PoC): Provide functional PoC code/scripts, or clear screenshots/video recordings demonstrating the actual exploitation process to confirm the vulnerability's existence.
5. Security Impact Analysis: Describe a realistic attack scenario. Explain the complete, practically exploitable attack chain, and demonstrate the actual harm the vulnerability poses to user data confidentiality, system integrity, or service availability.


Report Quality Grading


Please note: The following types of submissions will be immediately classified as Invalid and rejected without undergoing the formal triage and review process:
(1) Reports consisting solely of raw output from automated scanning tools without manual verification or contextual analysis;
(2) Reports that merely cite vulnerable software versions or CVE identifiers without demonstrating a practically exploitable attack chain in DJI's specific environment;
(3) Reports based entirely on theoretical scenarios without a functional Proof of Concept (PoC);
(4) Reports with vague descriptions lacking actionable details, making it impossible to identify or locate the specific issue.


Policy on AI-Assisted Reporting


While we acknowledge the utility of AI tools for auxiliary purposes (e.g., code auditing, drafting PoC scripts), we strictly prohibit the submission of unverified, purely AI-generated speculative analysis. Every report must demonstrate actual, hands-on validation and independent technical analysis by the researcher. Submissions identified as solely AI-generated will be immediately rejected.


Blacklist Mechanism


(1) First Offense: Submission of a purely AI-generated or blatantly invalid report will result in immediate rejection and a formal warning;
(2) Multiple Offenses (3 or more): Accumulating three or more such rejected reports will result in a 90-day suspension of your DSRC account and program privileges;
(3) Persistent Violations: Continued submission of these reports following a temporary suspension will lead to a permanent ban from the DJI Bug Bounty Program, accompanied by a public notice on the platform.


II. Vulnerability Grading and Bounty Structure


【Vulnerability Reward Requirements】


As a token of our appreciation, DJI will award bounties to researchers who strictly meet all of the following criteria:
(1) You must be the first researcher to report the specific vulnerability (i.e., not a duplicate);
(2) The DJI Security Team must be able to independently verify the report and confirm that it poses a practically exploitable security impact within DJI's specific environment;
(3) You must strictly adhere to our Non-Disclosure Agreement (NDA). Any public disclosure of vulnerability details or related confidential information is strictly prohibited unless explicitly authorized in writing by DJI in advance, and may only occur at least 30 days after the vulnerability has been fully remediated;
(4) You must fully accept and comply with all terms and conditions of the program.


Please note:
(1) Vulnerabilities already known to DJI are not eligible for a bounty;
(2) DJI retains the right of final decision regarding all bounty eligibility, severity grading, and payout amounts;
(3) The researcher is solely responsible for any applicable tax obligations arising from the receipt of bounty payments;
(4) DJI reserves the right to hold non-compliant researchers legally liable for breach of contract under the DJI Bug Bounty Program Terms. This includes, but is not limited to, the immediate revocation and mandatory refund (clawback) of any previously issued bounty rewards.


【Vulnerability Grading Factors】


(1) Exploitability: The ease of exploiting the vulnerability in a real-world scenario. This includes factors such as attack complexity, required user privileges, required user interaction, and other attack prerequisites;
(2) Scope of Impact: The specific products and services affected, the scale of the user base impacted, and the overall system coverage;
(3) Severity of Impact: The potential real-world harm to confidentiality, integrity, and availability. This includes the sensitivity and volume of data that could be compromised, as well as any actual financial or reputational damage to DJI and its users.


Please note: When grading reports, the following factors will NOT be considered by DJI:
(1) The amount of time, effort, or human resources you invested in discovering the vulnerability;
(2) Any out-of-pocket costs incurred (e.g., purchasing DJI hardware) for the purpose of your security research;
(3) Any other factors that do not directly demonstrate the objective technical severity or real-world impact of the finding.


【Vulnerability Grading Standards】


Vulnerability Rating Guidelines: 《Web System Vulnerability Rating Criteria》 《Products & App Vulnerability Rating Criteria》


For security intelligence that is evaluated as valid, a base reward of 500 CNY will be granted. If the intelligence reveals significant threat activities, attacker group operations, or high-risk data leaks, additional rewards may be issued depending on severity, with no upper limit.


Please note: The DJI Bug Bounty Program is strictly impact-driven. We prioritize and reward issues that demonstrate a tangible security impact on real-world users, data, or production systems. Vulnerabilities that exist purely in theory, or lack a demonstrable and practical attack vector, will not qualify for a bounty reward.


【Dispute Resolution Process】


If a researcher disagrees with the assigned severity grading or the final bounty amount, they may initiate a formal appeal within 7 days of receiving the assessment result. The appeal will be escalated to the DJI Security Review Committee for a comprehensive secondary evaluation. The outcome of this secondary review will be considered the final and binding decision regarding the report.


III. Vulnerability Remediation Timelines


Critical, High, and Medium severity vulnerabilities will be remediated within 90 business days, and Low severity vulnerabilities will be remediated within 180 business days. Remediation efforts may occasionally be subject to complex environmental dependencies or hardware constraints. In such exceptional cases, the actual resolution timeline will be determined and communicated on a case-by-case basis.


IV. Coordinated Vulnerability Disclosure (CVD) Policy


DJI strictly adheres to the principles of Coordinated Vulnerability Disclosure (CVD). All researchers participating in this program must strictly comply with the following disclosure requirements:
(1) Public disclosure of any vulnerability details or related confidential information is strictly prohibited without explicit prior written authorization from DJI. Even if authorized, disclosure may only occur after a mandatory embargo period of at least 30 days following the complete remediation of the vulnerability;
(2) Even after obtaining written permission for disclosure, researchers must meticulously redact any sensitive information. This includes, but is not limited to, Personally Identifiable Information (PII), user data, and specific DJI server IP addresses/URLs that could jeopardize the legitimate interests of DJI or its users;
(3) Public write-ups and descriptions of the vulnerability must remain factual and objective. Exaggerating the security impact, intentionally inciting user panic, or spreading Fear, Uncertainty, and Doubt (FUD) is strictly prohibited. DJI reserves the right to take decisive action against such malicious behaviors;
(4) The unauthorized access, downloading, or public dissemination of DJI source code, proprietary algorithms, or corporate/user data is a severe violation of the law. DJI reserves all legal rights to pursue civil or criminal action against individuals engaging in these illegal activities.


To initiate a formal disclosure request, please download and complete the Vulnerability Disclosure Application Form. Submit the completed form, along with the full draft of your proposed publication (e.g., blog post, write-up, video) and any supplementary materials, to bugbounty@dji.com. Our team will commence the review process upon receipt of all required documentation. If your request is approved, DJI will issue formal written authorization.


Vulnerability Disclosure Request Form: Vulnerability Disclosure Request Form


V. Rules of Engagement


【Authorized Conduct】


(1) Limit all security testing exclusively to the explicitly authorized assets defined in the program scope;
(2) Conduct testing using only self-created accounts or accounts you own;
(3) Halt all further exploitation immediately once a vulnerability has been verified. Do not pivot to internal networks or exfiltrate data; proceed directly to report submission;
(4) Maintain strict confidentiality regarding all vulnerability details until DJI has fully remediated the issue and you have successfully completed the Coordinated Disclosure process (as outlined in Section IV).


【Prohibited Conduct】


Engaging in any of the following activities will result in the immediate invalidation of your report and may expose you to severe legal consequences:


(1) Accessing, modifying, deleting, or exfiltrating the genuine data of actual DJI users, or interacting with any accounts that you do not explicitly own;
(2) Performing any form of Denial of Service (DoS or DDoS) attacks against DJI assets;
(3) Publicly disclosing vulnerability details or sharing them with any third party without explicit, prior written authorization from DJI;
(4) Planting backdoors, establishing persistent access (persistence), pivoting, or conducting lateral movement within DJI's internal networks;
(5) Conducting any form of social engineering, phishing, or spamming attacks against DJI employees, partners, or customers;
(6) Engaging in any other activities that violate applicable laws, regulations, or infringe upon the legitimate rights, privacy, and intellectual property of DJI and its users.

