Mozilla pays a bounty to security researchers who disclose, in an appropriate manner, the vulnerabilities they find. The latest security researcher to get paid is none other than Alex Miller, a 12-year-old boy. Miller found and reported a critical buffer overflow and memory corruption flaw in Mozilla’s Firefox browser and earned $3,000 for his discovery, according to Mercury News. Miller says he was motivated to search for Firefox security holes after Mozilla increased its bug bounty from $500 to $3,000.
The seventh grader, who described himself as a Firefox loyalist, has reported a Firefox vulnerability in the past, but that one did not qualify for the cash payout. Annoyed at not getting rewarded the first time, Miller says he spent about 90 minutes each day for about 10 days until he spotted a flaw in the memory of the running program. In other words, he examined code for about 15 hours, and was paid $200 per hour for it.
The flaw can be exploited to crash a victim’s browser and potentially run arbitrary code on their computer. It was patched this week in Firefox 3.6.11 and Firefox 3.5.14, but also affects Mozilla’s Thunderbird 3.1.5, Thunderbird 3.0.9, and SeaMonkey 2.0.9. It looks like in the world of open source bug hunting, age is not a factor.