Finnish lad earns serious pocket money from Instagram flaw discovery
The record for the youngest security researcher getting paid by Facebook’s bug bounty scheme has been smashed by Jani, a 10-year-old Finnish lad who found a major flaw in Instagram.
In February the precocious youth reported the vulnerability, which could be exploited to delete comments from any account on Instagram, which is owned by Facebook. He demonstrated the flaw to the social network’s researchers by deleting data from a test account they had set up.
Jani told the Finnish newspaper Iltalehti that he and his twin brother had found a few software security blunders in the past but nothing as big as the Instagram issue.
“I would have been able to eliminate anyone, even Justin Bieber,” he said. [Surely there’s still time – ed.]
Jani said he learned to become a vulnerability researcher by watching YouTube videos and reading material online. He plans to use the money to buy new computers for him and his brother, as well as getting a new bike, and a football for when he’s not in front of a computer.
His father said it was “quite a surprise that Jani has gone so far in that business.”
Sources familiar with the matter confirmed to The Register that the flaw has now been fixed and that Jani is the youngest person ever to get a Facebook bug bounty payout, beating the previous record-holder by three years.
In March, HackerOne CEO Mårten Mickos told The Reg that his group had made a payout to a 15-year-old in Pakistan for discovering a major flaw.
Mickos, who is also Finnish, said the Suomi state is pulling well above its weight in the computing field, having given us Linus Torvalds, Nokia, Rovio, and Michael “Monty” Widenius of MySQL fame. He attributed this to its excellent school system, fast and cheap internet connections, and long, cold, dark Finnish winters. ®
Rise of the machines