This Dude Found a Massive Security Flaw in DJI's Robot Vacuums—and Got Paid $30K for It

Remember that wild story from Valentine’s Day about someone discovering they could access thousands of DJI robot vacuums and peek into people’s homes? Yeah, that happened. And now we’re finally getting some answers about what went down after that security researcher, Sammy Azdoufal, exposed the whole mess.
Here’s the deal: Azdoufal was just trying to connect his DJI Romo robovac to a PlayStation gamepad when he stumbled onto something absolutely bonkers. He realized he could reach an entire fleet of roughly 7,000 remote-controllable DJI robots without breaking a sweat. This wasn’t some elaborate hacking scheme; it was basically a security nightmare waiting to happen.
DJI is now paying Azdoufal $30,000 for his discovery, though the company won’t specify exactly which vulnerability it’s rewarding him for. In a statement to The Verge, DJI spokesperson Daisy Kong confirmed that the company has already fixed the vulnerability that let someone view a Romo’s video stream without entering the security PIN; that fix shipped by late February.
But here’s where things get messy. There wasn’t just one security issue. Azdoufal found multiple vulnerabilities, and DJI is still working on patching them all. The company says it’s “upgrading the entire system” and expects everything to be fixed within a month. That timeline matters because DJI tried to claim in a blog post that they’d already “fully resolved the issue,” which isn’t exactly the full picture.
What’s also kind of wild is that DJI claims they originally discovered the problem themselves, but then credits “two independent security researchers” for finding the same thing. It’s a bit of a head-scratcher when you read between the lines.
The whole situation raises some legitimate questions about security certifications too. DJI bragged that the Romo has ETSI, EU, and UL security certifications, yet one person with basic tools could reach thousands of these devices. That doesn’t exactly inspire confidence in how meaningful those certifications are. Certifications of this kind attest that a product met a standard’s checklist when it was assessed; they don’t guarantee that no access-control flaw exists in the device or in the service behind it.
On the bright side, DJI says they’re committed to working with the security research community going forward and will roll out new ways for researchers to partner with them. They’re also planning independent third-party security audits for the Romo and its app.
So yeah, Azdoufal gets paid for responsibly disclosing what he found, DJI gets to patch their mess, and hopefully robot vacuum owners can stop worrying about strangers watching their homes. It’s not a perfect outcome, but it beats the alternative.
AUTHOR: kg
SOURCE: The Verge