Google Pays High School Student $10,000 for Reporting Security Flaw

 
Share on Facebook Tweet Share Share Reddit
Google Pays High School Student $10,000 for Reporting Security Flaw

Highlights

  • A high-school student spotted a vulnerability on Google's website
  • He reported the vulnerability to Google
  • Google thanked him and paid him $10,000

A high-school student from Uruguay has been rewarded with $10,000 (roughly Rs. 6.5 lakh) after he discovered and reported a vulnerability to Google.

The student, Ezequiel Pereira, says he chanced upon the vulnerability after a bout of boredom last month when he was poking around Google services using Burp Suite, a popular Web security testing tool.

After a few failed attempts, Pereira says he came across yaqs.googleplex.com, an internal webpage which didn't have username or password check in place. Googleplex.com hosts several Google App Engine apps.

"The website's homepage redirected me to "/eng", and that page was pretty interesting, it had many links to different sections about Google services and infrastructure, but before I visited any section, I read something in the footer: "Google Confidential".

"At that point I stopped poking at the website and reported the issue right away, without even thinking of a better way to show the vulnerability than with Burp," Pereira wrote.

Sharing screenshots of the email exchanges, Pereira said he received multiple response from Google's security team the same day, who confirmed that the bug he had reported was indeed effective.

Bug Bounty Hunters Say They Aren't Welcome in India

With little to no hope of any rewards, Pereira says he was surprised when a month later Google team informed him that he would be paid $10,000 for his work, and that he could share the nature of the vulnerability with the world.

Google has since resolved the vulnerability. "The bug has been fixed now, and, according to Google, the large reward was because they found a few variants that would have allowed an attacker access sensitive data," Pereira wrote.

The transparency and willing to reward independent security researchers is one of the things several Silicon Valley companies have been working on. Google, Microsoft and Apple are increasingly offering bug bounty reward programs where they encourage people to report any security or privacy flaws they spot in any of their services.

For the latest tech news and reviews, follow Gadgets 360 on Twitter, Facebook, and subscribe to our YouTube channel.

Further reading: Bug Bounty, Facebook, Google, Internet, Security, Web
Gadgets 360 Staff

The resident bot. If you email me, a human will respond.

More
Samsung Launches Portable Speakers and Headsets in India, Expands Audio Portfolio
Hike Acquires Creo, a Bengaluru-Based Smartphone and Streaming Media Dongle Maker
 
 

Advertisement