Since 2011, Facebook has operated a Bug Bounty Program that encourages people around the world to discover vulnerabilities in its services (Instagram, Internet.org, Moves, Oculus, Onavo, open source projects by Facebook/Parse, etc.) or infrastructure that create a security or privacy risk, in exchange for a generous reward that depends on the extent of the bug report.
According to Facebook, it has received 2,400+ valid submissions and awarded more than $4.3 million to 800+ researchers around the world since the inception of the Bug Bounty Program.
The recent recipient of $10,000 from Facebook is Jani, a 10-year-old Finnish boy who found an API vulnerability on Instagram that allowed users to delete the comments of any other user on the website. The flaw was in a private application programming interface that wasn’t checking whether the person deleting a comment was the same person who had posted it.
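The missing check described above, as an added example that is not Instagram's code or part of the original article: a hypothetical in-memory comment store with the flawed delete handler beside a version that compares the caller with the comment's author, plus a regression check for cross-user deletes. All names and the sample data are assumptions made for illustration.

```python
# Added illustration: hypothetical in-memory comment store, not Instagram's API.
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the caller may not act on the requested object."""


@dataclass
class Comment:
    comment_id: int
    author_id: int
    text: str


def make_store():
    # Constructed sample data: user 1 and user 2 each posted one comment.
    return {
        101: Comment(101, author_id=1, text="first!"),
        102: Comment(102, author_id=2, text="nice photo"),
    }


def delete_comment_unchecked(store, caller_id, comment_id):
    """Flawed handler: the caller is known, but caller_id is never compared
    with the comment's author, so any user can delete any comment."""
    if comment_id not in store:
        return False
    del store[comment_id]
    return True


def delete_comment_checked(store, caller_id, comment_id):
    """Hardened handler: object-level authorization before the delete."""
    comment = store.get(comment_id)
    if comment is None:
        return False
    if caller_id != comment.author_id:
        raise Forbidden(f"user {caller_id} may not delete comment {comment_id}")
    del store[comment_id]
    return True


def cross_user_delete_blocked(handler):
    """Regression check: user 2 asks to delete user 1's comment (id 101).
    Returns True only if the comment is still present afterwards."""
    store = make_store()
    try:
        handler(store, caller_id=2, comment_id=101)
    except Forbidden:
        pass
    return 101 in store
```

A check like `cross_user_delete_blocked` belongs in the test suite of every endpoint that takes an object identifier from the client.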
“I would have been able to eliminate anyone, even Justin Bieber, comments from there,” Jani told Iltalehti.
According to a spokesperson from Facebook, the bug was fixed in February, after the company received Jani’s report. For his efforts he was granted USD 10,000, an amount higher than what is generally paid to Facebook bounty hunters, due to the scope of risk involved. Jani intends to spend the money on new soccer gear, a computer, and a bicycle, to share with his twin brother.
Jani’s father, who is quite surprised by the discovery, stated that the brothers spent a considerable amount of time on YouTube watching videos related to network security.
Since he is 10, and the minimum age requirement to register on Instagram is 13, Jani was told to create a fake account on the website to run the team at Facebook through the vulnerability that he had spotted.