DJI bug bounty
Hi All,
Has anyone submitted bugs or bug bounty with DJI?
Just wondering how much they pay out, or is there a scale? Something similar to HackerOne.
Hopefully DJI will see this and get in contact, or maybe the USA government would like to buy the keys from me so they can control the drones 😉 I'll accept 1 million pounds.
What was found
• Two RSA private keys embedded in plaintext inside the DJI Pilot 2 app (v10.1.8.18)
• Both are complete, functional 2048-bit cryptographic keys
• The app is publicly downloadable by anyone, worldwide
Impact
These are not personal/user keys — they are product-level keys shared across every device running this app version globally
• Anyone who downloads the app can extract the keys in under a minute
• An attacker with the keys could impersonate a legitimate DJI controller to a drone
• Could potentially send forged commands that the aircraft accepts as genuine
• Could decrypt intercepted communications between controller and drone
• Affects the safety-critical RF link controlling aircraft in active flight
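The finding above is a hardcoded-secret class of bug: a private key that ships inside a public app package. The scanner below is an added example (not the poster's code and not anything from DJI): it finds PEM private-key blocks in a file's bytes, fingerprints the decoded DER so the same key can be tracked across builds, and reads just enough of the PKCS#1 structure to report the RSA modulus size, which is the check a release pipeline or an app-security review would run over an unpacked package before it ships. The `constructed_sample_pem` helper builds a constructed, non-functional key-shaped block purely so the example runs offline; file names used here are assumptions.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(rb"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----(.*?)-----END", re.DOTALL)  # PKCS#1 or PKCS#8/EC blocks

def _read_len(buf, pos):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    if buf[pos] < 0x80:
        return buf[pos], pos + 1
    n = buf[pos] & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def rsa_modulus_bits(der):
    """Bit length of the modulus in a PKCS#1 RSAPrivateKey, or None if der is not one."""
    if not der or der[0] != 0x30:                 # outer SEQUENCE
        return None
    _, pos = _read_len(der, 1)
    ints = []                                     # INTEGER version, then INTEGER modulus n
    while len(ints) < 2 and pos < len(der) and der[pos] == 0x02:
        length, pos = _read_len(der, pos + 1)
        ints.append(int.from_bytes(der[pos:pos + length], "big"))
        pos += length
    return ints[1].bit_length() if len(ints) == 2 and ints[0] == 0 else None

def scan_bytes(data, source="<memory>"):
    """Report each PEM private key in data: source, SHA-256 of its DER, RSA modulus size."""
    findings = []
    for m in PEM_RE.finditer(data):
        try:
            der = base64.b64decode(m.group(1), validate=False)  # newlines are skipped
        except ValueError:                        # truncated or corrupt block: skip, keep scanning
            continue
        findings.append({"source": source, "sha256": hashlib.sha256(der).hexdigest(),
                         "rsa_bits": rsa_modulus_bits(der)})
    return findings

def _enc_len(n):  # DER length, short or long form
    nbytes = (n.bit_length() + 7) // 8
    return bytes([n]) if n < 0x80 else bytes([0x80 | nbytes]) + n.to_bytes(nbytes, "big")

def _der_int(value):  # DER INTEGER; the extra leading byte keeps large values positive
    body = value.to_bytes(value.bit_length() // 8 + 1, "big")
    return b"\x02" + _enc_len(len(body)) + body

def constructed_sample_pem(bits=2048):
    """CONSTRUCTED input for testing: a PEM block shaped like a PKCS#1 key header
    (version 0 + a 2048-bit modulus). It is not a real or usable key."""
    body = _der_int(0) + _der_int((1 << (bits - 1)) | 1)
    der = b"\x30" + _enc_len(len(body)) + body
    return b"-----BEGIN RSA PRIVATE KEY-----\n" + base64.encodebytes(der) + b"-----END RSA PRIVATE KEY-----\n"
```

In practice you would call `scan_bytes(path.read_bytes(), str(path))` over every file of the unpacked package (an APK is a zip), and fail the build if any finding comes back.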