DJI rewards a researcher with $30,000 for Romo vulnerability discoveries as it expands security measures
In a Valentine’s Day demonstration that drew global attention, a security researcher showed that a PlayStation gamepad could steer a fleet of DJI robots, and that the same access path could expose interior video streams from thousands of devices. The Verge covered the findings of Sammy Azdoufal, who showed that around 7,000 remote-controlled DJI robots could be reached in ways that let him peek into some households. DJI had already begun addressing several of the related flaws before the discovery surfaced publicly.
What DJI has clarified since then
- Payment for the discovery: DJI confirmed to The Verge that it has awarded $30,000 for one particular vulnerability discovery by an unnamed security researcher, though the company did not disclose the researcher’s identity or specify exactly which bug earned the payout. The company described the reward as part of ongoing recognition for security work.
- The PIN-based access issue: DJI disclosed that it has already remedied a flaw that allowed viewing a Romo video stream without requiring a PIN. A spokesperson stated that this PIN-security issue had been resolved by late February.
- A more significant vulnerability and ongoing work: DJI also indicated that it is actively upgrading the entire Romo system to address a particularly serious vulnerability that wasn’t fully described in earlier reports. The company said upgrades would be deployed over the course of about a month.
- What the company is saying about the Romo’s security: In a public blog post, DJI stated that the Romo’s main security issue has already been fully resolved, while continuing to emphasize that multiple vulnerabilities were involved. The post credits “two independent security researchers” for identifying the same problem and notes that updates have been deployed. DJI also warned that some fixes may take longer and that further improvements could arrive up to a month later.
- Certifications and ongoing audits: DJI noted that the Romo already carries ETSI, EU, and UL security certifications, a point that raises questions about certification effectiveness when a single researcher could potentially access a broad network of devices. The company added that it will continue testing, patching, and submitting Romo and its app to independent third-party security audits.
- A more collaborative security stance: DJI emphasized its commitment to deeper engagement with the security research community and said it would soon offer new ways for researchers to partner with the company on security work.
Context and outlook
The Verge’s coverage of the initial findings highlighted a tension between recognizing security researchers and the way DJI previously handled public disclosures, particularly in light of a 2017 incident involving researcher Kevin Finisterre. The current statements suggest DJI is moving toward a more formalized vulnerability-disclosure and reward program, while continuing to roll out system-wide upgrades and independent audits to strengthen overall security. As the Romo and related devices remain part of DJI’s product ecosystem, the company says it will keep updating and expanding protections, and will introduce new collaboration avenues for researchers in the near term.