• by Laurie Sullivan , Staff Writer @lauriesullivan, September 16, 2022

Sam Curry, a hacker and bug bounty hunter and engineer with Yuga Labs, wants to know why Google mysteriously paid him $249,999.99 last month. Google pointed to human error, but for a company that makes billions in ad revenue annually through automation, why aren't there safeguards in place?

“It's been a little over 3 weeks since Google randomly sent me $249,999 and I still haven't heard anything on the support ticket. Is there any way we could get in touch @Google?” he tweeted on Tuesday. Adding that “(it's OK if you don't want it back...)”

Curry sometimes works as a bug bounty hunter for companies, including Google. He gets paid to help firms and other organizations find vulnerabilities in their software.

As it turns out, Google made a mistake and attributed it to a human error. In a statement to NPR, a Google spokesperson said: "Our team recently made a payment to the wrong party as the result of human error. We appreciate that it was quickly communicated to us by the impacted partner, and we are working to correct it."

Curry became “obsessed with computers from a young age, but his hobby wasn’t always a constructive one.” He was 18 years old in 2018 when he told the New York Post that as a sophomore in high school, he got in trouble for hacking into his school’s computers, posing as an administrator.

He had the ability to change grades, he told the New York Post, but he just wanted to enter the network as a prank.

The next time he found a security vulnerability, he reported it to the high school administration, and they gave him a $50 gift card to fast-food restaurant Subway as a reward. That’s when he realized how much money he could make.

Curry, at the time used HackerOne to find work because it hosted bounty programs for Uber, Snapchat, Yahoo, Sony, Spotify, Starbucks and the U.S. Department of Defense, according to the New York Post.

There are other sources such as Google Bug Hunter, a community of hunters that look “under the hood of Google products and the internet.” It’s a new program from Google launched in August.

The idea is to pay security researchers to find and report bugs in recent versions of Google-released open-source software.

The Open Source Software Vulnerability Rewards Program (OSS VRP) rewards discoveries of vulnerabilities in Google's open-source projects and is part of the company's $10 billion commitment to improve cybersecurity.

Depending on the severity of the vulnerability and the project's importance, rewards will range from $100 to $31,337. The larger amounts will go to unusual or particularly interesting vulnerabilities.

Microsoft also has a bounty program.