Sam Curry, a security researcher and bug hunter, told us that he received an unexplained payment of $250,000 from Google. For three weeks he tried, without success, to find out through the company's tech support why it happened and how to return the money to the bug hunter it was really meant for.
Curry searches for vulnerabilities in web applications and works as a security engineer at Yuga Labs. Both he and his employer are registered with Google's payment system for vulnerability rewards. But Curry had not found or reported to Google the kind of critical vulnerability for which the company pays such large sums. He was also lucky that Google did not pay him $1 million, which is now the maximum payout for a working exploit chain to remotely execute code to bypass the Titan M security chip.
In the end, Curry decided not to touch the money in his account and to wait for Google's response, having concluded that the company had probably paid him by accident.
A Google representative did get in touch with Curry, but only after the security community had publicized the situation in the media.
The company admitted that it had made a costly mistake. "Our bug bounty payment team recently made a payment to the wrong party as a result of human error. We appreciate that the affected partner quickly informed us about it, and we are working to rectify the situation," a Google spokesperson told the media. The company did not specify the details of the incident, although its information system should minimize such human errors.
Curry thanked Google for the response and explained that he was curious how often something like this happens at Google and what systems the company has in place to catch such errors. He also told the media that so far the company's money is still in his account and nothing has happened to it.
In July 2021, Google announced that it had paid more than 2,000 security researchers from 84 different countries for reporting more than 11,000 vulnerabilities since the company launched its vulnerability bounty program more than a decade ago. Since January 2010, Google has paid more than $29 million in vulnerability rewards to experts and enthusiasts.