Cyber-crime is an oft-repeated threat that shows no sign of slowing down. The only defence against it is security vigilance and awareness. A quick way to test the corresponding security measures is a bug bounty program, something several companies have had on their maps for a long time now. Not all bug bounty programs pay, but others go as high as $36,000, as with Google, which recently rewarded an Uruguayan teenager for exposing a security flaw.
Search giant Google awarded an Uruguayan teenager $36,000 for reporting a major vulnerability. The 18-year-old Ezequiel Pereira from Uruguay uncovered a severe security hole which, otherwise, would have allowed hackers to make changes to Google’s internal systems. At the outset of 2018, Pereira, who has a keen interest in programming, got access to a non-production App Engine deployment environment where he was able to use internal APIs. Remote Code Execution, as this kind of flaw is known, is covered by the Google Vulnerability Rewards Program.
The Uruguayan Prodigy:
To run through the ABCs of this whiz kid: Pereira got his first computer when he was 10. He started coding at 11 and spent years learning different programming languages. He finished as a grand prize winner of Google Code-in 2015, which paved his way to Google’s California headquarters.
I found something almost immediately that was worth $500 and it just felt so amazing. So I decided to just keep trying ever since then. – Ezequiel Pereira
He found his second biggest bug in July 2017, which earned him $10,000. Despite spending more than half of the money on applying for scholarships to US universities, he was not admitted to any of the schools. Hence, he set out to become self-taught and started schooling at home. With the aim of achieving a master’s degree in Computer Security, Pereira keeps himself busy hunting bugs.
Pereira recently got permission to write about how he discovered the flaw, after Google fixed the issue. It marks his fifth accepted bug.
The Timeline in a Nutshell:
- Early February 2018: Main bug was discovered.
- February 25th, 2018: Initial report sent, containing the “stubby” API.
- March 4th and 5th, 2018: The “app_config_service” API was discovered and reported.
- Between March 6th and 13th, 2018: Access to non-prod Google App Engine environments was blocked with a 429 error page.
- March 13th, 2018: Reward of $36,337 issued.
- May 16th, 2018: Confirmation that the security flaw had been fixed.
Bug Bounty Programs Boost Ethical Hacking:
Bug bounty programs are designed to motivate software security researchers and pay them to find vulnerabilities and report them back to the sponsor. In return, the researchers are richly rewarded for their findings. In fact, as part of Google’s Android Security Rewards Program, researcher Guang Gong received the largest reward of the year 2017: $112,500.
So far, Pereira’s submissions have gone to Google’s bug bounty program. However, there are many other technology companies which offer similar awards to ensure smooth and, essentially, authentic and supervised access. Introducing bounty programs and offering monetary awards is sure to motivate hackers to discover and report flaws rather than sell them off to malicious third-party sources. Many corporations have been announcing such programs, wherein they reward hackers who can break into their systems and report the breaches in the process.
Ethical hacking is a fair chance to be on the right side of the law while securing systems by hunting down flaws and fixing them.