A high-school student from Uruguay has been rewarded with $10,000 (roughly Rs. 6.5 lakh) after he discovered and reported a vulnerability to Google.
The student, Ezequiel Pereira, says he chanced upon the vulnerability after a bout of boredom last month when he was poking around Google services using Burp Suite, a popular Web security testing tool.
After a few failed attempts, Pereira says he came across yaqs.googleplex.com, an internal webpage which didn't have username or password check in place. Googleplex.com hosts several Google App Engine apps.
"The website's homepage redirected me to "/eng", and that page was pretty interesting, it had many links to different sections about Google services and infrastructure, but before I visited any section, I read something in the footer: "Google Confidential".
"At that point I stopped poking at the website and reported the issue right away, without even thinking of a better way to show the vulnerability than with Burp," Pereira wrote.
Sharing screenshots of the email exchanges, Pereira said he received multiple response from Google's security team the same day, who confirmed that the bug he had reported was indeed effective.
With little to no hope of any rewards, Pereira says he was surprised when a month later Google team informed him that he would be paid $10,000 for his work, and that he could share the nature of the vulnerability with the world.
Google has since resolved the vulnerability. "The bug has been fixed now, and, according to Google, the large reward was because they found a few variants that would have allowed an attacker access sensitive data," Pereira wrote.
The transparency and willing to reward independent security researchers is one of the things several Silicon Valley companies have been working on. Google, Microsoft and Apple are increasingly offering bug bounty reward programs where they encourage people to report any security or privacy flaws they spot in any of their services.