Ah, yes, missed that. My point about the agreement stands though. The email on page 11 appears to state that they owe him $30,000, if he just provides some demographic info. They then send him a contract weeks later, and use the phrase "formalizing the terms ... [of] the reward payment" in order to try to make it look like this is all part of the process. But this is the start of a new negotiation.
Edit: I'm getting downvotes on my comment above, and maybe it's because I missed the part where he said he consulted a lawyer, but I have a suspicion that it's because I suggested the threat of a lawsuit. I know we live (in the US) in an overly litigious society, but my point is that the company is (perhaps through disorganization or communication problems) trying to alter the terms of an existing agreement. This is what contract and tort law is for. Sometimes the threat of getting the courts involved can cause the other side to see more clearly what is going on.
Wherein they completely renege on paying out the $30000 as previously promised.
Leaving the researcher with a pile of security research that is ostensibly worth at least $30000 to somebody, no contractual obligations to anybody, and a possible "unclean hands" defense to any action DJI may subsequently bring against him.
If I were employed by any intelligence TLA or drone/UAV manufacturer, I'd already be at their door with a warm smile and a briefcase full of cash.
Meh. The only entity this is worth USD 30k to is DJI, really. The issues found were an exposure of personal information on their servers, not a backdoor into the drone firmware or anything exciting like that, it seems. So no TLA employees with briefcases of money ;( I guess criminals looking for identity theft targets might have found it useful, too?
If you have access into their AWS, it's possible that you could either download the source yourself to find a backdoor (it was unclear if he had that access) or if none exists, upload one yourself.