Sounds like DJI kicked off a bounty program and didn't have their ducks in a row on setting bounty scope, legal terms, or process.
Researcher found PII leaks and keys to some pretty sensitive stuff, and DJI didn't know how to respond.
After DJI dragging it out for weeks, giving overly broad terms, and sending a poorly crafted CFAA threat (which in charitably interpreted was just to ensure he deleted any sensitive material), researcher walked away after being frustrated by the time sink.
Honestly, it looks like DJI was hoping for a 'soft launch', getting a few tame bugs and negotiating with researchers to hammer out details. (Or framed more cynically, using the researchers as unpaid advisors on how to set up a bounty program.)
Instead, they got a stack of catastrophic, maximum-severity issues right away and panicked.
After DJI dragging it out for weeks, giving overly broad terms, and sending a poorly crafted CFAA threat (which in charitably interpreted was just to ensure he deleted any sensitive material), researcher walked away after being frustrated by the time sink.