'Bug bounty': Facebook gives $10k to 10yo who discovered Instagram security flaw

© Lucas Jackson
A 10-year-old Finnish boy has received $10,000 from Facebook after reporting a bug which allowed people to delete any Instagram comment. He is the youngest person to get money from Facebook's 'Bug Bounty' program.

The boy, identified as Jani by local media, discovered the Instagram flaw on his own. He then reported the bug to Facebook - which owns Instagram - via email. A Facebook representative told Forbes that Jani offered proof of the glitch by deleting a message on one of Facebook's test Instagram accounts.

The problem was due to a private application programming interface – a set of code allowing outside access – which wasn't properly checking the person deleting comments was the same person who posted them.

The issue was fixed in February, and Facebook paid him the reward in March under the Bug Bounty program, which rewards users who report security issues to the company.

“I would have been able to remove anyone, even Justin Bieber,” he told Iltalehti. It was an incredible discovery from someone who isn't even old enough to have an Instagram account (the site requires its users to be at least 13 years old).

The discovery is a step in the right direction for the 10-year-old's career goals, as he hopes to become a security researcher one day.

“It would be my dream job,” he said. “Security is very important.” Jani said he picked up his hacking skills from YouTube videos.

But for now, Jani is still a child. He plans to spend his reward money on a new bike, football gear, and computers for his two brothers.

Though Jani isn't the first person to be rewarded by Facebook's Bug Bounty program, he is the youngest. Until now, the youngest person to receive cash from the social media giant was 13 years old.

The program has paid out $4.3 million to more than 800 security researchers for over 2,400 submissions since starting the program in August 2011. Instagram was added to the program in 2014.