Spotting a flaw in an app or other software is important because it lets the company behind it fix the bug and ship an update. It also enables the company to offer its customers a better service experience. Several companies, such as Google and Microsoft, encourage people to report any bugs they find by offering rewards. One such reward has gone to a high-school student from Uruguay, who was given $10,000 (approximately Rs 6.5 lakh) for finding a vulnerability and reporting it to Google.
Ezequiel Pereira, the student, said he came across the vulnerability after a stretch of boredom in the previous month, while he was exploring Google services using a well-known web security testing tool, Burp Suite. Following a few failed attempts, Pereira says he discovered an internal web page, yaqs.googleplex.com, which did not have a username or password check in place. Googleplex.com seemed to host numerous Google App Engine apps.
He further mentioned that the homepage of the website redirected him to “/eng”, and that the page that opened was pretty attractive. It had several links to different sections of Google's infrastructure and services. He said that, before visiting any of them, he read a note in the footer area: “Google Confidential.”
Pereira wrote, “At that moment, I closed exploring the website and communicated the problem immediately, without even considering a better approach to demonstrate the susceptibility than with Burp.”
Pereira mentioned that he received several responses from Google's security team on the same day, which confirmed that the bug he had discovered was in fact valid. With little to no hope of any reward, Pereira says he was astonished when, a month later, the Google team notified him that he would be rewarded $10,000 for his effort and that he could share the nature of the vulnerability with the world.
The vulnerability has since been resolved by Google. Pereira wrote, “The company has worked upon the bug and fixed it. As per Google, the huge incentive was because they discovered a few variants that would have facilitated access to sensitive data to an attacker.”
Transparency and a willingness to reward independent security researchers are among the things numerous Silicon Valley firms have been working on. Apple, Microsoft, and Google are increasingly offering bug bounty programs in which they encourage individuals to report any privacy or security flaws they notice in any of their services.