Facebook paid $10,000 to 10-year-old for bug that let anyone delete Instagram comments

Image Credit: Ken Yeung/VentureBeat

A 10-year-old found a bug in Instagram, which requires you to be at least 13 before even signing up, that let him delete any comment on the social network. He reported his discovery to Facebook, and got paid $10,000, according to Finnish newspaper Iltalehti. We contacted Facebook, and a spokesperson confirmed the notable accomplishment.

Jani, a Finnish boy from Helsinki, discovered the security flaw in Instagram on his own. He reported the bug by email, offered proof by deleting a message on one of Facebook’s test Instagram accounts, and it was fixed in February. Facebook paid him the bug bounty in March.

Jani learned the basics of his security skills on YouTube. “I would have been able to remove anyone, even Justin Bieber,” he told Iltalehti.

Jani hopes to become a security researcher when he grows up (he’s definitely on his way, and some would even say he already is one). “It would be my dream job,” he declared. “Security is very important.” In the meantime, he has used the reward money to buy a new bike, football gear, and computers for his two brothers.

Jani is the youngest person to be paid through Facebook’s bug bounty program to date. While this is an impressive achievement, it’s worth noting that it’s not exactly new. Facebook gets reports from teenagers from time to time, and notes that this is not uncommon across the industry. The previous youngest person to be paid a Facebook bug bounty was 13.

In February, Facebook shared that it had paid $4.3 million in rewards to more than 800 security researchers for over 2,400 submissions since launching its bug bounty program back in August 2011. Instagram was added to the program in 2014.

Facebook, Google, and Microsoft all offer notable bug bounty programs, as do smaller companies. It’s always better to find and fix a security bug before it becomes a problem, and rewarding researchers with bounties costs peanuts compared to the cost of cleaning up a security disaster.

Just imagine the chaos if a hacker wrote a script to delete all of Justin Bieber’s comments.
