HomeWinBuzzer NewsGoogle Awards 18-Year-Old Student $36,000 for Discovery of Remote Code Execution Flaw

Google Awards 18-Year-Old Student $36,000 for Discovery of Remote Code Execution Flaw

Uruguayan Ezequiel Pereira López found a remote code execution vulnerability in Google's App Engine and has been rewarded over a $36,000 as a result. It's not the student's first find, though it is his highest paying to date.


Google’s Project Zero consistently points out bugs in other’s software, but the search giant isn’t perfect, either. Like Microsoft, it holds routine bug-bounty programs with compelling rewards for any researchers who find them.

The latest recipient is an 18-year-old student from Uruguay’s University of the Republic who didn’t realize the severity of the problem. The remote code execution bug was found in the Google App Engine and has since been fixed.

In late February, Ezequiel Pereira López gained access to the ‘Stubby’ API and a filed an initial report. By March 4, he’d gained access to the app config service and was able to use internal APIs. He able to change internal settings, his app’s Service Account ID, and set it as a ‘Super App’.

‘Stop Exploring Further’

After reporting this development to Google, the severity of his case was immediately raised and it was CC’d to several employees. He was told to “stop exploring this further, as it seems that you could easily break something using these internal APIs”.

It was a surprise when, a few days later, Google sent out an automated response. The researcher was unaware that his bug was considered remote code execution. As well as the $31,337 for RCE bugs, there was an additional $5,000 for a lesser bug.

However, though López received more than he expected, it’s clear it wasn’t dumb luck. He has previously discovered bugs to the tune of $500, $5,000, and $7,500, and $10,000. In 2015, he was a Google Code-in grand prize winner  and paid a visit to the company’s headquarters.

You can find his blog here for a full write up.

Ryan Maskell
Ryan Maskellhttps://ryanmaskell.co.uk
Ryan has had a passion for gaming and technology since early childhood. Fusing the skills from his Creative Writing and Publishing degree with profound technical knowledge, he enjoys covering news about Microsoft. As an avid writer, he is also working on his debut novel.

Recent News