A 10-year-old boy earned a $10,000 payday after reporting an Instagram bug to Facebook.
Jani, from Helsinki, Finland, discovered that he was able to delete any comment on Instagram, according to Finnish publication Iltalehti.
After reporting the vulnerability to Facebook's bug bounty programme along with proof by deleting a message on a Facebook-run test Instagram account, the social network fixed the problem in February.
Jani, who learned about computer security from YouTube tutorials, was then paid in March and spent the money on a brand new bike, football equipment and two computers for his brothers.
He said: "I would have been able to remove anyone, even Justin Bieber."
"It would be my dream job," he added, on the topic of becoming a security researcher as a full-time profession. "Security is very important."
Jani is Facebook's youngest successful bug hunter, Facebook confirmed, though it is not uncommon for companies' bug bounty programmes to receive reports from teenagers from time to time.
Facebook has paid more than 800 security researchers $4.3 million for 2,400 bug reports since its bug bounty programme started in 2011.
Of the submissions it received last year, 102 were high-impact bugs, Facebook said, an increase of 38 per cent on the year before.
Security engineer Reginaldo Silva said in a February update about the programme: "The quality of reports we receive is getting better over time, both in terms of clear step-by-step instructions to reproduce the issue as well as thoughtful consideration of potential risk to people who use Facebook."
