DJI is paying security researcher Sammy Azdoufal $30,000 after he accidentally uncovered a massive security vulnerability while trying to control his robot vacuum with a PlayStation controller. The flaw exposed a network of 7,000 DJI Romo robot vacuums, potentially allowing remote access to cameras in users' homes. The bounty payment marks a significant shift for DJI, which faced criticism for its handling of security researchers in the past, and brings closure to a Valentine's Day discovery that made global headlines.
DJI just made good on a promise the security research community wasn't sure it would keep. The drone and robotics giant is paying Sammy Azdoufal $30,000 for accidentally discovering a network security flaw that exposed thousands of robot vacuums to potential hijacking.
Azdoufal wasn't hunting for bugs when he made the discovery. He was simply trying to steer his DJI Romo robot vacuum with a PlayStation gamepad, tinkering with the device like any curious tech enthusiast might. What he found instead was an unsecured network of roughly 7,000 remote-control DJI robots, all potentially accessible to anyone who knew where to look. The robots' cameras could theoretically be accessed, creating a significant privacy risk for thousands of households.
The story broke on Valentine's Day when The Verge published Azdoufal's findings, and it quickly made headlines worldwide. But the initial report left two critical questions unanswered: Would DJI pay Azdoufal for his discovery? And how quickly would the company patch the vulnerabilities?
The $30,000 payment addresses the first concern. For DJI, it's more than just compensation - it's a statement. The company has a complicated history with security researchers, particularly after its treatment of Kevin Finisterre in 2017. Finisterre discovered vulnerabilities in DJI's systems and attempted to work with the company through its bug bounty program, but the relationship soured over the legal terms DJI attached to the payout, and he walked away from the bounty rather than accept them. The incident left a stain on DJI's reputation in the security community.
This time appears different. According to The Verge's latest reporting, DJI had already begun addressing some related vulnerabilities before Azdoufal demonstrated the full scope of what he could access. The company's willingness to pay the bounty and work with the researcher suggests lessons learned from past missteps.
The report offers few technical details, but the shape of the incident is familiar from consumer IoT. Robot vacuums are increasingly connected devices, equipped with cameras and sensors to navigate homes efficiently, and that connectivity is attack surface. A flaw that exposes thousands of units at once is rarely a defect in any one device; it typically sits in the shared backend or network architecture that every unit talks to, where a single missing access control applies to the whole fleet. That is how one curious researcher with a PlayStation controller can stumble into access that should never have existed.
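As an added illustration, not DJI's code and not a description of the Romo flaw (which the article does not detail): a toy fleet backend in Python showing the general mistake the paragraph describes, an endpoint that authenticates the caller but never checks that the caller owns the device it names, beside the fixed version. The device IDs, accounts and stream handles are constructed sample data, and the `sweep` helper is a hypothetical stand-in for a user who guesses IDs.

```python
from dataclasses import dataclass


@dataclass
class Device:
    device_id: str
    owner: str          # account that registered the device (constructed data)
    camera_stream: str  # stand-in for a video/control session handle


class FleetBackend:
    """Toy cloud-side broker that resolves a device ID to a device.
    Hypothetical; it models the pattern, not any vendor's real service."""

    def __init__(self) -> None:
        self._devices: dict[str, Device] = {}

    def register(self, device: Device) -> None:
        self._devices[device.device_id] = device

    def get_stream_insecure(self, caller: str, device_id: str) -> str:
        """Vulnerable pattern: the caller is authenticated (we know who
        they are) but never authorized against the device, so anyone who
        can name a device ID gets its stream. `caller` is never consulted."""
        device = self._devices.get(device_id)
        if device is None:
            raise LookupError("unknown device")
        return device.camera_stream

    def get_stream_secure(self, caller: str, device_id: str) -> str:
        """Hardened pattern: the same lookup, released only to the owner.
        'Not yours' and 'does not exist' share one error so the endpoint
        cannot be used to discover which IDs are live."""
        device = self._devices.get(device_id)
        if device is None or device.owner != caller:
            raise PermissionError("no such device for this account")
        return device.camera_stream


def build_sample_fleet() -> FleetBackend:
    """Constructed sample data: three devices across two accounts."""
    fleet = FleetBackend()
    fleet.register(Device("rv-0001", "alice", "stream://alice-kitchen"))
    fleet.register(Device("rv-0002", "alice", "stream://alice-hallway"))
    fleet.register(Device("rv-0003", "bob", "stream://bob-living-room"))
    return fleet


def sweep(fleet: FleetBackend, caller: str, accessor: str,
          candidate_ids: list[str]) -> dict[str, str]:
    """Try every candidate ID through the named accessor and collect
    whatever comes back. Models a curious user guessing sequential IDs."""
    fetch = getattr(fleet, accessor)
    found: dict[str, str] = {}
    for device_id in candidate_ids:
        try:
            found[device_id] = fetch(caller, device_id)
        except (LookupError, PermissionError):
            pass
    return found


if __name__ == "__main__":
    fleet = build_sample_fleet()
    guesses = [f"rv-{n:04d}" for n in range(1, 6)]
    # An account that owns nothing reaches every device through the
    # insecure accessor and nothing through the secure one.
    print("insecure:", sweep(fleet, "mallory", "get_stream_insecure", guesses))
    print("secure:  ", sweep(fleet, "mallory", "get_stream_secure", guesses))
```

The point of the hardened accessor is that the ownership check lives in the shared backend, where a single fix covers the whole fleet, and that it returns one uniform error so the endpoint cannot double as an ID enumerator.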
For the consumer tech industry, the incident underscores ongoing challenges with IoT security. Robot vacuums from multiple manufacturers have faced security scrutiny in recent years. The devices need internet connectivity for features like remote control and scheduling, but implementing that connectivity securely requires careful architecture. DJI's Romo line entered a crowded market with established players like iRobot and Roborock, and security vulnerabilities can quickly undermine consumer confidence.
The $30,000 payout is in the range a vulnerability of this severity typically commands. Top-tier bounties are reserved for flaws that enable remote code execution or a widespread breach, and a flaw that exposes cameras in 7,000 homes belongs in that tier; still, amounts vary widely by program, from a few hundred dollars to six figures depending on the company and the severity.
DJI's consumer robotics push represents a strategic expansion beyond its core drone business. The company dominates the consumer and commercial drone market but faces regulatory pressure, particularly in the United States. Diversifying into home robotics makes business sense, but products like robot vacuums require different security considerations than drones. A compromised drone is concerning; a compromised device with a camera inside someone's home is a privacy nightmare.
The security research community will be watching how DJI handles patches and disclosure. Bug bounty programs only work when researchers trust companies to act responsibly with vulnerability reports. Quick patches, fair compensation, and respectful treatment of researchers build that trust. Public disputes and delayed fixes destroy it.
The $30,000 payment to Sammy Azdoufal represents more than compensation for a bug discovery - it's DJI's attempt to rebuild trust with the security research community after past controversies. As the company expands beyond drones into home robotics, getting security right isn't optional. Robot vacuums with cameras operate in the most private spaces of people's homes, and vulnerabilities that expose thousands of devices can't be tolerated. Whether this case represents a genuine shift in DJI's approach or simply good PR management will depend on how the company handles the next researcher who finds a flaw. For now, Azdoufal got paid, the vulnerability is being patched, and one man's PlayStation gamepad experiment became a $30,000 payday.