Facebook has rewarded a 10 year-old boy from Finland with a $10,000 bounty for discovering a vulnerability in the Instagram API that could have enabled a hacker to delete comments of any user on the popular social photo sharing service.
The vulnerability was fixed in February after Jani, the young hacker, reported it to Facebook. The company refused to provide specifics about the flaw in the Instagram API, but Melanie Ensign, a Facebook representative, revealed that the vulnerability related to functionality that validates whether or not an API request is associated with a user who owns the content that is being deleted.
Jani proved that the vulnerability was real by deleting a comment Facebook created on a test account and most worryingly, the flaw didn't even require Jani or another hacker to even have an Instagram account.
Because of the "scope of the risk," Facebook gave Jani $10,000, an amount significantly higher than the typical bug bounty the social network pays to individuals who discover vulnerabilities in its services. According to Ensign, Facebook has paid over $4 million as part of its bug bounty program since 2011.
In recent years, bug bounty programs have become almost ubiquitous as companies seek to prevent malicious hackers from wreaking havok and causing significant financial and reputational damage. But despite the magnitude of the potential financial and reputational costs, five-figure payouts like the one received by Jani are uncommon. Recently Kamil Hismatullin, a 22-year-old software developer and security researcher from Russia, discovered a major bug in one of Google's APIs that would have allowed users to delete any video uploaded to YouTube. For his efforts Hismatullin was rewarded $5,000. Another example, the highest bug bounties paid by Dropbox were less than half of what Facebook paid to Jani for his Instagram discovery, a reminder that companies cannot rely too heavily on bug bounty programs to protect them given the significant monetary value of exploits on the black market.