The seventh grader, who described himself as a Firefox loyalist, has reported a Firefox vulnerability in the past, but that one did not qualify for the cash payout. Annoyed at not getting rewarded the first time, Miller says he spent about 90 minutes each day for about 10 days until he spotted a flaw in the memory of the running program. In other words, he examined code for about 15 hours, and was paid $200 per hour for it.
The flaw can be exploited to crash a victim's browser and potentially run arbitrary code on their computer. It was patched this week in Firefox 3.6.11 and Firefox 3.5.14, but also affects Mozilla's Thunderbird 3.1.5, Thunderbird 3.0.9, and SeaMonkey 2.0.9. It looks like in the world of open source bug hunting, age is not a factor.