An 18-year-old Uruguayan student has secured a $36,000 Google bounty after finding a critical remote code execution vulnerability related to the Google App Engine.
The App Engine is part of the Google Cloud service, and serves as a framework that allows users to develop and host web applications on a serverless platform. It’s easy to see, then, how a critical code error could cause some massive security issues for those using the service.
Ezequiel Pereira, an 18-year-old Uruguayan student, received the $36,000 Google bounty for gaining access to a non-production Google App Engine development environment and discovering that he could access some of Google’s internal APIs.
While companies like Google employ some of the best and brightest in the software development industry, there are always bugs and holes that slip through and could open both the company and its users up to some massive security flaws. The $36,000 Google bounty reflects the seriousness of the issue and the company’s gratitude to this 18-year-old Uruguayan student and his efforts with testing.
When Pereira first reported the Google vulnerability, he didn’t realize it was as dangerous as it was – but his findings were quickly escalated to a P1 priority rating, which suggests it needed to be addressed as soon as possible to avoid affecting a large percentage of users.
Google later ran an analysis of the security holes discovered by the young researcher, and determined that they could be exploited for remote code execution “due to the way Google works.” The seriousness of the issue more than warranted the $36,000, as that is a small amount of money for Google for a discovery that will save them a major hassle later down the road.
The 18-year-old Uruguayan student researcher has published his findings in a blog post that details his process of finding the issue as well as his interactions with Google.
This is actually not the first time that Pereira has discovered serious vulnerabilities in Google services. Over the past few years, he has earned thousands of dollars in addition to the $36,000 Google bounty – proving that age is but a number when it comes to technological literacy and skill.
While some researchers worry about getting shortchanged for their hard work finding these vulnerabilities, Google appears to be paying Pereira fairly for his work, with the young man earning up to $10,000 previously in addition to this most recent $36,000 bounty.
Hopefully, with knowledge of this security vulnerability, Google can take steps to fix any glaring issues before they become a real problem. This 18-year-old Uruguayan student has a bright future in security research if he keeps up his current work, as securing a $36,000 Google Bounty at such a young age definitely speaks to his talent and determination. We expect to see his name pop up more and more in the coming years.