Google has awarded a high school student $10,000 after he
exposed a security flaw which hackers could have used to access sensitive data.
Uruguayan Ezequiel Pereira explained in a blog post that he
was “bored” one day “so tried to find a bug on Google”.
He said many of his attempts failed; however, one internal
webpage didn’t require a username or any other information to access.
The teenager said “it had many links to different sections
about Google services and infrastructure, but before I visited any section, I
read something in the footer: ‘Google Confidential’.”
“At that point I stopped poking at the website and reported
the issue right away,” he added.
Google’s security team replied saying they would look into
the issue and Pereira was stunned when they eventually offered him a reward.
“I thought to myself ‘Cool, this is probably a small thing
that isn't worth a dime, the website probably had some technical stuff about
Google servers and nothing really important’,” he recalled.
“I don't know what the website did contain, but some weeks
later I got an email right after getting out of school that said my report was
worth much more than a dime…”
Actually, it was worth $10,000 (£7,500). He added that Google has
now fixed the bug.
“According to Google, the large reward was because they
found a few variants that would have allowed an attacker to access sensitive
data,” he concluded.
Google runs a Vulnerability Reward Program (VRP), offering
monetary rewards to reporters who flag bugs.