A 10-year-old Finnish boy, Jani, discovered a security flaw in Instagram, earning a modest $10,000 in the process. The flaw was serious: Jani claimed it could allow him to delete what people wrote on Instagram accounts through accessing Instagram servers and altering code, which he demonstrated by deleting a comment they made on a test account. Jani stated in Iltalehti earlier today that, “I would have been able to eliminate anyone, even Justin Beiber.”
He was rewarded $10,000 by Facebook as part of its bug bounty program, which offers cash rewards to people who find bugs and flaws in Facebook’s digital infrastructure,including the Facebook-owned Instagram. The 10-year-old Finn became the youngest ever recipient of a Facebook bug bounty.
According to the boy’s father, he has found security flaws in websites before, but they haven’t been significant enough to justify a payout. Facebook’s bug bounty program welcomes anyone to find bugs and flaws, and offers cash rewards to problems that are significant, similar to Google’s own security rewards program. According to the most recent release from Facebook, the company received over 13,000 submissions from researchers in 2015 alone, 526 of which were valid reports. In 2015, Facebook paid out a total of $936,000 to 210 researchers, averaging about $1,780 per submission, of which 102 were considered “high impact.”