An 18-year-old student at Uruguay’s University of the Republic has received $36,337 in bug bounties for finding a security vulnerability in Google App Engine. The flaw enabled remote code execution (RCE) in the cloud development platform, making it a critical vulnerability in Google’s eyes.
The student reported the discovery to Google but had no idea how important it was until Google told the researcher to stop work because more investigations could break their system. “I was not aware until then that this was regarded as Remote Code Execution (The highest tier for bugs), it was a very pleasant surprise,” the researcher said. “I asked one of the Googlers in the reward panel about it, and he told me it is RCE for the way Google works and also that the extra $5k (Since they pay $31,337 for RCE bugs) was for a lesser bug.”