Security and Continuous Improvement: ROMO’s Path Forward

Technology is not static; it is constantly evolving, and security must evolve with it. For nearly a decade, we have invested heavily in strengthening the security of our products and providing a wide range of privacy controls for our customers. We have a dedicated product security team that regularly reviews our systems and implements improvements across our products, and their efforts are supported by our longstanding Bug Bounty Program which encourages security researchers around the world to responsibly identify and report potential vulnerabilities.

In late January, as part of routine internal security reviews, DJI identified a backend validation issue involving the DJI Home app that affected our new ROMO product and some DJI power stations. Two independent security researchers subsequently reported the same vulnerability through our bug bounty program, and their inputs supported the ongoing remediation process, which has since concluded. Updates have been deployed to fully resolve the issue, and no user action is required. Our investigation indicates that the observed activity was primarily related to security researchers’ testing, and we did not identify evidence that user data was misused.

Our customers place trust in our technology, and we do not take that lightly. We want to take this opportunity to reiterate to our user community that we will continue to invest in the strengthening of our products’ security across our existing programs:

• Our security approach will continue to align - and build on - existing industry standards. This includes, but is not limited to, conducting regular internal architecture and code reviews, constantly updating our information security incident emergency response plan, conducting end-to-end penetration testing of products, following coordinated disclosure practices and deploying automatic patches as appropriate.
• Security researchers will continue to play an important role in our security framework. Since launching our bug bounty program nearly a decade ago, more than 300 security researchers have submitted reports regarding potential vulnerabilities across DJI platforms. Each report is carefully reviewed and, where necessary, addressed as part of our ongoing efforts to strengthen the security of our products. We are committed to deepening our engagement with the security research community, and we will soon introduce new ways for researchers to partner and collaborate with us.
• We will continue to submit our products for independent product security audits and certifications. ROMO represents a brand new product category for DJI. To-date it is already certified to the ETSI EN 303 645 standard, EU RED (EN 18031) requirements, and the UL Solutions Diamond IoT Security. As we have done with our drone products for many years, we will also submit ROMO and the DJI Home app to independent third-party security audits and additional certifications to further strengthen their security.

We encourage our user community to stay up to date on our security initiatives by visiting our Trust Center. Security is a never-ending process, and we will continue to share developments along the way.