
I know, right? $10,000! Facebook is worth billions! Think what the black market might pay for a bug that would delete any Instagram comment!


> I know, right? $10,000! Facebook is worth billions!

But is causing monetary loss to Facebook, specifically, worth much to anybody? Anybody who would take the risk of committing a crime to do so?

This bug deletes content on Instagram. Unless you are the most underhanded of Instagram competitors, or just want to cause wanton Instagram picture destruction, I don't see why you as a third party would pay for it. Also, since I assume FB has backups, this is at most a relatively sophisticated DOS attack. Now, if you could insert data then you have stage 1 of an APT deployment platform, which is a whole other story.

Also, you underestimate the lifetime potential earnings won of "I discovered an attack on one of the 2-3 most popular internet platforms on earth at 13 and practiced textbook responsible disclosure with it". Beyond that, selling bugs to the highest bidder is very hard to justify, ethically speaking, and a lot of people put a high price on their integrity.


Previous commenters on HN have thought differently https://news.ycombinator.com/item?id=10795785 ;)


It is the same commentator. It appears in this most recent comment he neglected to add a sarcasm indicator.


you missed the ;) at the end of my message :D


Indeed I did.


A bug that allows unauthorized children to delete content from other users' accounts may point to other vulnerabilities, which could have even more value.

IIRC FB/Instagram didn't pay out on a report that took their entire AWS keys though...


There are no Facebook vulnerabilities that have a value any higher than what Facebook is going to pay for them.

If Facebook was sending t-shirts instead of writing 4-5 figure checks, these discussions would be more interesting. But that's not what Facebook does.

Put it this way: before Facebook started these bounty programs, what do you think the price sheet for Facebook bugs on the "black market" looked like?


Well the NSA tapped into Google's internal datacenter traffic to steal user information. So some vulnerabilities like that might be useful to them.

https://cms-images.idgesg.net/images/article/2014/06/googles...


I'm having trouble connecting your first sentence to your second. It sounds a little like saying "so, the US army has M109 Howitzers, so maybe they'd be interested in this 3D-printed zip gun I just made."


I'm not talking about the vulnerability that this kid found. I'm talking about vulnerabilities that would allow access deep into the Facebook infrastructure. I think there are in fact some vulnerabilities the NSA would be willing to pay more than $10k for if it would allow them long-term access to a lot of sensitive Facebook data.



