On Valentine’s Day, a captivating story emerged, capturing global headlines: a man, while experimenting with a PlayStation gamepad to control his DJI robot vacuum, stumbled upon an astonishing network of 7,000 remote-controlled DJI robots. This discovery inadvertently granted him the ability to glimpse into the private spaces of others.
Importantly, DJI had already begun tackling some of the associated vulnerabilities before the man, Sammy Azdoufal, unveiled to The Verge the extent of access he had uncovered. However, uncertainty loomed regarding whether DJI would compensate him for his findings, especially given their past treatment of security researcher Kevin Finisterre in 2017. Moreover, questions persisted about how swiftly DJI could fully rectify the additional vulnerabilities identified by Azdoufal.
Today, we have some clarity on these matters.
DJI has agreed to reward Azdoufal with $30,000 for one of his discoveries, as revealed in an email he shared with The Verge. Although the specific discovery being compensated was not disclosed, DJI acknowledged rewarding an anonymous security researcher for their efforts.
While DJI has not pinpointed which of Azdoufal’s discoveries is being acknowledged financially, they confirmed that a significant vulnerability allowing unauthorized access to a DJI Romo video stream without a security pin has been addressed. “We can confirm that the PIN code security observation was addressed by late February,” stated Daisy Kong, a spokesperson for DJI.
As for the particularly severe vulnerability we initially declined to describe, DJI says work to address it is also underway. “We have also started upgrading the entire system. This includes a series of updates, which we anticipate will be fully implemented within one month,” DJI communicated.
DJI has also published a public blog post today about strengthening the DJI Romo’s security, one where it continues to claim that it discovered the original issue itself, while also crediting “two independent security researchers” for finding the same problem.
There, DJI seems to be suggesting that everything’s already resolved with the Romo: “Updates have been deployed to fully resolve the issue.” But again, there wasn’t just one vulnerability, and DJI told The Verge that it could take as long as another month.
In the blog post, DJI also says that the Romo already has ETSI, EU, and UL certifications for security — which may raise questions about how useful those certifications really are if one guy with Claude Code could access an entire network full of robovacs! — and that it will continue to test, patch, and submit the Romo and its app to independent third-party security audits.
DJI writes that it is “committed to deepening our engagement with the security research community, and we will soon introduce new ways for researchers to partner and collaborate with us.”