10-year-old wins $10,000 from Facebook for finding major flaw in Instagram

04 May 2016

A 10-year-old found a major flaw in Instagram, and won $10,000 from Facebook.

Jani, whose parents withheld his last name, found a way to access Instagram's servers and delete text posted by the site's users, Finnish news site Iltalehti reported.

Facebook rewarded him $10,000 as part of its bug-bounty programme, which offers cash rewards to people who find bugs and flaws in Facebook's digital infrastructure, including  Instagram which it owns.

The boy demonstrated to Instagram that he could delete a comment made on a test account. He added that he could even delete Justin Bieber's comments with the flaw he found.

The boy's father said Jani and his twin brother had found security flaws in websites before, but they had not been significant enough to justify a payout, until this one.

Facebook's bug bounty programme is open to anyone to find bugs and flaws. People who identify significant problems win cash awards, much like Google's own security rewards program.

In a recent release, Facebook said it received over 13,000 submissions from researchers in 2015 alone, 526 of which were valid reports.

The social network paid out $936,000 to 210 researchers, averaging about $1,780 per submission in 2015.

Jani is not the only young person to take part in Facebook's bounty programme, although he is the youngest so far.

The youngest person to win earlier was 13 years of age. Facebook had paid out a total of $4.3 million in rewards to over 800 security researchers, under the programme.  Instagram was included in the programme in 2014.

IT companies pay researchers cash amounts in order to avoid the huge costs of cleaning up a large-scale security disaster, which would cost many times the total payout.