Google only awards $5,000 for finding bugs in YouTube
A Russian software developer has detected a security flaw that could have allowed him to remove any video on YouTube in a matter of seconds. And he says he was close to doing just that.
Kamil Hismatullin, 21, joked he “fought the urge” to erase Justin Bieber’s channel for a couple of hours, but chose to report the bug to Google instead.
It took the security researcher from Kazan, the capital of Russia’s Republic of Tatarstan, about 7 hours to identify the vulnerability in Google’s Application Programming Interface (API). He collected $5,000 for his research, the maximum award for this kind of discovery.
Hismatullin wrote on his blog that the bug could “create utter havoc in a matter of minutes in bad hands who [could have] used this vulnerability to extort people or simply disrupt YouTube by deleting massive amounts of videos in a very short period of time.”
He said he was surprised at how quickly Google responded after he reported the bug.
Google launched its Vulnerability Research Grants in January to offer financial grants to “top performing, frequent vulnerability researchers as well as invited experts” in exchange for research into potential flaws in certain applications.
While many said Google’s award of $5,000 is less than Hismatullin deserves for his finding, the bug hunter said that security research is only his hobby, which he enjoys doing regardless of how much he is paid.
$5,000 – seriously – that’s all?
A decent vulnerability that is exploitable can fetch as much as $50,000. On reflection, he should have offered his exploit to those who don’t like Justin Bieber… we would have offered a lot more than $5,000.