Those skills at 18, the integrity to not sell something like this on the black market (assuming here that an 18-year-old in Uruguay isn't exactly swimming in money), and a bounty from Google under his belt: he won't have trouble finding work. If I were considering hiring him, the creative bit of guerrilla marketing for The Expanse he threw in there wouldn't hurt his chances either.
> *I am an 18-year-old student at the University of the Republic [Uruguay] interested in computer security*

Someone could say that he could have gotten even more money by selling his findings on the black market: very difficult, but doable. However, as someone who understands what studying computer science in a third-world country is like, getting USD 36k+ in a legal way, and from a company that is considered one of the best in the industry, it must have felt very good to get that mail.

Congratulations, and keep up the good work.
This report showcases a ton of tenacity and thoroughness. Not his first time, either: https://sites.google.com/site/testsitehacking/10k-host-header. Very impressive.

"Please stop exploring this further, as it seems you could easily break something" has got to be the best reply one can receive to a bug bounty report.
"When issuing the reward, we'll take into account what you could have achieved with this access" makes me laugh.

How scary must that be for the Google team? You know you've messed up so badly, and the person who is investigating is doing so blindly, with no knowledge or accountability if he breaks something. Yikes.

Kudos to everyone for doing the right things. And great bounty: the average yearly income in Uruguay is $2000-$3000 USD per household. This guy just got awarded more than ten times that.
Another thing that is very admirable and bold is that he had no actual idea that he had discovered an RCE vuln, but went ahead and confidently contacted Google.

How many would stop at "Eh, I managed to fire requests to a hidden RPC service in Google, but couldn't figure out how to make it do anything useful enough to qualify"?

Put yourselves and your work/findings out there, people!
This is not an inconsequential amount of cash, for sure. Especially at 18! Congrats! And a great write-up to boot. Just awesome.

All that said, an honest question: why would a company like Google not pay insane amounts of money for these kinds of bug finds? What would they pay their own people to find them? Seems like RCE on App Engine should be worth 100K+, and then some on top for giggles, just because they can.

Obviously having a standard policy makes sense so that your community understands what to expect, but as Google, what's your operational impact if you pay triple or quadruple the market value of the exploits?
Looks like the "Hall of Fame" link in the bounty confirmation email is broken / not rendering:

https://www.google.com/about/appsecurity/hall-of-fame/
Huh, so you can run binaries in GAE by downloading a statically linked app to /tmp, chmod'ing it, and executing it? And there would be no limits on how it's run? That's crazy, and pretty cool!
I don't think it's so easy to sell a vulnerability on the black market. If you send the code first, they have no incentive to send the money; if you get the money first, you might not send the code.
I have almost 15 years on the OP and am not even half as talented. It looks like they've received almost $60k from Google across five bug bounties. Very impressive.