DJI Rewards User $30,000 After Discovering Vulnerabilities in Romo Robot Vacuums

DJI has awarded a $30,000 bounty to a user who accidentally discovered a significant security weakness affecting thousands of its Romo robotic vacuum cleaners. The vulnerability allowed unauthorized remote access to approximately 7,000 devices, raising privacy and cybersecurity concerns among users of the connected home appliance.

The issue came to light in February when the owner of a Romo vacuum sought to control the device using a Sony PlayStation game controller. During this attempt, the user inadvertently gained remote access to a broad network of Romo vacuums. This unexpected access showed that the devices could be manipulated and monitored from afar, potentially compromising the privacy of the households where these vacuums were in operation.

Security Vulnerabilities in Connected Home Devices

The nature of the discovered vulnerability highlights the risks associated with internet-enabled appliances. The Romo vacuum cleaners, designed to be controlled remotely, were found to have insufficient safeguards preventing unauthorized users from gaining control over multiple units. Such flaws could be exploited for unauthorized surveillance or malicious activities.

Upon being notified, DJI undertook steps to address the security gaps and acknowledged the significance of the discovery by providing a financial reward to the individual responsible. This reflects a growing trend among technology companies to incentivize responsible reporting of security flaws through bug bounty programs.

The incident underscores the importance of robust cybersecurity measures for Internet of Things (IoT) devices. As homes increasingly adopt smart appliances, the challenge remains to ensure these connected devices do not become entry points for cyber threats.

Details regarding the specific technical vulnerabilities have not been publicly disclosed. Similarly, DJI has not shared a precise timeline for firmware updates or further security enhancements to prevent future exploits of Romo vacuums.

This case serves as a reminder that the convenience of IoT devices comes with potential privacy and security risks. It also demonstrates the value of proactive user engagement in identifying and reporting product weaknesses.

Consumers relying on smart robotic vacuums and similar home automation devices are advised to stay updated on software patches and firmware releases from manufacturers. Vigilance and prompt response to security notifications remain essential for safeguarding private environments.

DJI paid $30,000 to a user who uncovered a network of 7,000 Romo vacuums vulnerable to remote control and spying risks.
