A 10-year-old found a bug in Instagram, which requires you to be at least 13 before even signing up, that let him delete any comment on the social network. He reported his discovery to Facebook, and got paid $10,000, according to Finnish newspaper Iltalehti. We contacted Facebook, and a spokesperson confirmed the notable accomplishment.
Jani, a Finnish boy from Helsinki, discovered the security flaw in Instagram on his own. He reported the bug by email, offered proof by deleting a message on one of Facebook’s test Instagram accounts, and it was fixed in February. Facebook paid him the bug bounty in March.
Jani learned the basics of his security skills on YouTube. “I would have been able to remove anyone, even Justin Bieber,” he told Iltalehti.
Jani hopes to become a security researcher when he grows up (he’s definitely on his way, and some would even say he already is one). “It would be my dream job,” he declared. “Security is very important.” In the meantime, he has used the reward money to buy a new bike, football gear, and computers for his two brothers.
Jani is the youngest person to be paid through Facebook’s bug bounty program, to date. While this is an impressive achievement, it’s worth noting that it’s not exactly new. Facebook gets reports from teenagers from time to time, and notes that it is not uncommon across the industry. The last youngest person to be paid a Facebook bug bounty was 13.
In February, Facebook shared that it had paid $4.3 million in rewards to more than 800 security researchers for over 2,400 submissions since launching its bug bounty program back in August 2011. Instagram was added to the program in 2014.
Facebook, Google, and Microsoft all offer notable bug bounty programs, as do smaller companies. It’s always better to find and fix a security bug before it becomes a problem, and rewarding researchers with bounties costs peanuts compared to the cost of cleaning up a security disaster.
Just imagine the chaos if a hacker wrote a script to delete all of Justin Bieber’s comments.