[DBBP22-03] Double reward! 2022 DJI Security Response Center 5th Anniversary Celebration starts NOW!

As a world leader in the field of drones, DJI has always regarded building a safe product ecosystem as the key to the company's sustainable development. Since the establishment of the Bug Bounty Programs in 2017, DJI and global security experts have cooperated to build a safer DJI. Where there is DJI, there are DJI guardians, and where there are DJI guardians, the ultimate and uncompromising DJI story can be achieved!

On the occasion of the fifth anniversary of the DJI Security Response Center (DSRC), to appreciate the DJI guards who have been fighting side by side with us, the DJI Security Response Center officially released the "5th Anniversary Celebration | DSRC Server Vulnerability Double Reward Event". All security experts are invited.

I. Effective Date

Dec 4 2022 - Jan 6 2023 (UTC+8)

II. Included Domains

The domain scope of this activity is consistent with the scope defined in the DJI Bug Bounty Program Policy. The scope of the double reward is limited to ## server bugs.

III. Rating and Reward

The title of the reports must be marked with [5th Anniversary]. if not, it will be regarded as not participating in this event.

Submitted server vulnerability reports, those who are rated as valid vulnerabilities according to the DJI Vulnerabilities Rating Guideline shall earn double rewards (as shown in the figure below); The rewards for APP and device vulnerabilities remain unchanged.

[1]Substantial amount generally indicates over 10,000.
[2]Crucial user information includes direct identifiers, such as social identity card, passport, credit card, driver’s license, shipping address.
[3]General user information includes phone number, email address, user ID, etc.

The event will observe the following report assessment guidelines
1. If chained/multiple vulnerabilities eventually lead to the same exploitation impact, the report will be awarded based on the highest-severity vulnerability
2. Multiple vulnerabilities caused by one underlying issue will be awarded one bounty
3. Detailed reports with reproducible steps are the basis for rewards. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.

To honor the remarkable contributions that our researcher community has made in maintaining a secure environment for DJI users and products, those who have reported effective vulnerabilities will be displayed on the DJI Security Contributors Page on the DJI Security Response website.

IV. Bug Reporting Method

If you have any questions or suggestions, please contact us via bugbounty@dji.com. Happy hunting!

The DJI Security Response Center reserves the right of final interpretation of this event.