Job of the Day: Bug Bounty Hunter

A ten-year-old in Finland just earned $10,000 by finding an Instagram bug… and you can too.

A Bug’s Life

I have to admit that my first thought, when I read theSkimm’s email newsletter and learned about the ten-year-old boy who earned $10K finding an Instagram bug, was how do I drop everything and learn how to find bugs in Facebook and its acquired products e.g. Instagram?

It sounds like the best get-rich-quick scheme ever, except I’m pretty sure “finding bugs” doesn’t mean “telling Facebook that its message icon doesn’t let you accurately track whether you’ve seen a message and want to reply but can’t right now, because you’re busy and if you replied to every message as soon as you received it you’d never get anything done.”

But yes, the Bug Bounty Hunter program is real. From Facebook:

We recognize and reward security researchers who help us keep people safe by reporting vulnerabilities in our services. Monetary bounties for such reports are entirely at Facebook’s discretion, based on risk, impact, and other factors.

So what did this 10-year-old child do, and can we all start earning extra cash by finding bugs? Ars Technica reports:

A 10-year-old schoolboy from Finland has become the youngest recipient of a £7,000 ($10,000) award under Facebook’s bug bounty program, after he found a vulnerability that allowed anyone to delete comments on Instagram simply by planting malicious code into the photo-sharing app.

Jani — who at the tender age of 10 is considered too young to use Facebook by the company’s own rules — outshines an unnamed 13-year-old cyber enthusiast, who once held the title of the youngest person to receive a bug bounty reward from the free content ad network.

(Let me just say that I love the term “free content ad network.”)

So if I want $10K, I need to start planting malicious code into Facebook-acquired apps while looking for vulnerabilities. Time to Google “how to plant malicious code”—or, as The Guardian suggests, look it up on YouTube:

The 10-year-old has been interested in coding and video games for two years, according to the Helsinki-based newspaper Iltalehti, which first reported the story. He has a twin brother, and the two have been learning together. He became interested in information security — which he said would be his “dream job” — and honed his craft using instructional videos on YouTube.

When I searched YouTube for “how to plant malicious code on Instagram,” I got a video that wasn’t necessarily instructional, but definitely informative at the 101 level:

But you can’t get from that video to “now I know how to exploit Instagram vulnerabilities,” which means I might not have been putting in the right search terms. Admittedly, I only know enough about malware to make “all I have to do is write up some malware” jokes, but these ten- and thirteen-year-old kids were able to teach themselves what to do, and I’m really curious how they did it and what YouTube videos they watched. What would you search, if you were a ten-year-old looking to become an infosec expert?

Also: do any Billfolders have the legit skills required to become Bug Bounty Hunters, and have any of you tried to claim a bounty?

