Google awards $10,000 to Uruguayan high school student under its Vulnerability Reward Programme

16 Aug 2017

Google has awarded Uruguayan high school student Ezequiel Pereira $10,000 under its Vulnerability Reward Programme (VRP). The search giant offers rewards of up to $200,000 to people who pinpoint bugs.

Pereira, however, was not aware of the reward until Google responded with a sum of $10,000.

According to Pereira's blog post, which includes an email exchange with the Google security team, Google has fixed the vulnerability and permitted the student to make the issue public.

The blog post states, "On July 11th, I was bored, so I tried to find some bug at Google. I tried a lot of things in many Google services, one of those things was changing the Host header in requests to the App Engine server (*.appspot.com) in order to get access to some internal App Engine apps (*.googleplex.com) that usually require going through the MOMA login page ... one of the websites I tried, 'yaqs.googleplex.com', didn't check my username, nor had any other security measure."

He further added, "the website's homepage redirected me to '/eng', and that page was pretty interesting, it had many links to different sections about Google services and infrastructure, but before I visited any section, I read something in the footer: Google Confidential."

Pereira reported the issue to Google, but was not aware of the real impact of the bug he found. "At that point I stopped poking at the website and reported the issue right away, without even thinking of a better way to show the vulnerability than with Burp," the post read.

Google rewarded Pereira for exposing a security flaw which hackers could have used to access sensitive data.

Google's Vulnerability Reward Programme (VRP) offers monetary rewards to users who flag bugs. Earlier this year, Google increased the bounty for finding a bug in its proprietary Android OS to as much as $200,000.