Google reportedly awarded a high school student in Uruguay $10,000 after he discovered a security flaw in Google App Engine, according to ZDNet.
The student, Ezequiel Pereira, said he was searching for bugs in the platform July 11 because he was "bored." During his search, he reportedly found a method to change the Host Header in requests to App Engine without authorization.
Using Burp, a security testing suite, Mr. Pereira found one website — yaqs.googleplex.com — allowed him unauthenticated access to the server without checking his credentials. It redirected him to an internal Google website with a note that read "Google Confidential."
He reported the issue to Google, which awarded him $10,000 after learning there were variants of the bug that would have allowed an attacker to access sensitive data.