The DJI Bug Bounty Program (the “Program”) and DJI Security Response Center encourage security researchers to contribute to our ongoing efforts in strengthening our data security by responsibly detecting potential vulnerabilities.
By participating in this Program and submitting a vulnerability report to the DJI Security Response Center, you acknowledge that you have read, understood, and agree to be bound by the following terms and conditions:
In principle, all products and services provided by DJI are intended to be in scope. This includes virtually all the contents in the following domains (Last update: 2017-12-25).
The following products, services, and vulnerabilities are outside the scope of the Program:
To be eligible for this Program, you are required to observe the following requirements:
If you are eligible under this Program, DJI may grant to you a monetary reward, determined by DJI at its sole discretion, based on the risk and impact of the reported vulnerability. Rewards will be granted to the first person to discover and report the bug and help to fix such, as determined by DJI. The payment maybe made in United States dollars (USD) or other currencies which DJI deems appropriate. The range of the reward will be from $50 USD to $30,000 USD. DJI may make a partial payment when we receive your report and verify the issue, and additional payment maybe make after the vulnerability has been fixed. You will be responsible for any tax therein occurs.
For more information regarding factors in determining the bounty amounts, please refer to our Reward Amounts and Vulnerability Sensitivity page here.
The Program has also offered the options of non-monetary reward, such as DJI Security Contributors Page to recognize security researchers ‘great contribution. For further details, please refer to the table of Non-monetary Reward below.
DJI recognizes the significant contributions from security researchers, and we are happy to see that researchers are publicly recognized for their cooperative efforts. DJI may display the names of certain security researchers on DJI Wall of Security Contribution or other media, with the researchers’ prior consent. DJI has the right to remove the name of any person who is later found not eligible for this Program from the DJI Wall of Security Contribution
By participating in this program and abiding by these terms, DJI grants you limited “authorized access” to its systems under the Computer Fraud and Abuse Act in accordance with the terms of the program and will waive any claims under the Digital Millennium Copyright Act (DCMA) and other relevant laws. Furthermore, if you conduct your security research and vulnerability disclosure activities in accordance with the terms set forth in this policy, DJI will take steps to make known that your activities were conducted pursuant to and in compliance with this policy in the event of any law enforcement or civil action brought by anyone other than DJI.
To the extent that any security research or vulnerability disclosure activity involves the networks, systems, information, applications, products, or services of a non-DJI entity (e.g., third party software), that third party may independently determine whether to pursue legal action or remedies related to such activities. DJI cannot and does not authorize such security research or vulnerability disclosure activity for non-DJI entities. DJI does not authorize, permit, or otherwise allow (expressly or impliedly) any person to engage in any security research or vulnerability or threat disclosure activity that is inconsistent with the terms of this program.
DJI understands the importance of public disclosure of unknown or novel security flaws to build a common base of knowledge within the security community and to build a safer internet. DJI is committed to disclosing such information to the fullest extent possible. However, DJI in its sole discretion will decide when and how, and to what extent of details, to disclose to the public the bugs/vulnerabilities reported by you.
If you violate any provision of these Terms, you will be automatically disqualified from this Program, including your eligibility for receiving any bounty rewards from DJI.
Any information you receive or collect through or in connection with your participation in this Program (“Confidential Information”) must be kept confidential and only used in connection with this Program. You may not use, disclose or distribute any such Confidential Information, including, but not limited to, any information regarding your Report and information you obtain during your research.
You are responsible for your Report, your breach of these Program Terms and/or your improper use of this Program. You will defend and indemnify DJI and its officers, directors, employees, consultants, affiliates, subsidiaries and agents (together, the “DJI Entities”) from and against any and all claims, liabilities, damages, losses, and expenses, including reasonable attorneys' fees and costs, arising out of or in any way connected with: (a) your Report; (b) your violation of any portion of these Terms, any representation, warranty, or agreement referenced in these Terms, or any applicable law or regulation; (c) your violation of any third-party rights, including any intellectual property right or publicity, confidentiality, other property, or privacy, right; or (d) any dispute between you and any third party; (e) your improper use of this Program. We reserve the right, at our own expense, to assume the exclusive defense and control of any matter otherwise subject to indemnification by you (without limiting your indemnification obligations with respect to that matter), and in that case, you agree to cooperate with our defense of that claim.
DJI reserves the right to modify or discontinue this Program at any time, temporarily or permanently, without notice to you. We will have no liability whatsoever on account of any change to this Program or any suspension or termination of your continued participation in the Program.
If you have any inquiries regarding the Program (except for submitting a Report), please contact us at email@example.com.
Vulnerabilities that present negligible security impact or are exploited to conduct a malicious attack against DJI will not be recognized or rewarded.Common examples may include, but are not limited to, the following:
Substantial amount generally indicates over 10,000.
Crucial user information includes direct identifiers, such as social identity card, passport, credit card, driver’s license, and compound identifiers that could potentially identify a specific individual (e.g. order information, maintenance information).
General user information includes phone number, home address, email address, fly record, etc.
V1.1, Last updated: February 12, 2018