Ezequiel Pereira got his first computer when he was 10, took an initial programming class when he was 11 and then spent years teaching himself different coding languages and techniques. In 2016, Google flew him to its California headquarters after he won a coding contest.
"I found something almost immediately that was worth $500 and it just felt so amazing," Pereira told CNBC. "So I decided to just keep trying ever since then."
His sporadic poking around has finally paid off in a big way: Google just awarded the Uruguayan teenager $36,337 for finding a vulnerability that would have allowed him to make changes to internal company systems.
Although Pereira found the bug earlier this year, he only just got permission to write about how he discovered it this week, after Google confirmed that it had fixed the issue.
It marks Pereira's fifth accepted bug, but it's by far his most lucrative.
"It feels really good — I'm glad that I found something that was so important," he said.
In February, Pereira started college for computer engineering in his hometown of Montevideo. When he's finished with his homework and doesn't feel like hanging out with friends or watching videos, he'll whip out his computer and start hunting.
He found his second biggest bug last July, which scored him $10,000, because he was bored during school break. Pereira used a large chunk of that money to apply for scholarships to U.S. universities.
When none of the 20 or so schools he reached out to accepted him, he decided to start school at home.
For now, he has no big plans for his latest winnings besides the occasional outing with friends and helping his mother pay the bills.
He's also saving for future education. Pereira said he hopes to eventually get his master's degree in computer security. Until then, he'll keep bug hunting in his spare time.
At this point, Pereira has only ever submitted vulnerabilities through Google's bounty system, though most major tech companies have programs of their own. Companies say that if they encourage security researchers to test their systems for money, they have a better chance of staving off bad actors.
Google determines payout on whether it could give someone direct access to Google's servers or a client, and how potentially severe an exploit could be. It doled out $2.9 million to 274 different researchers last year, with a top award of $112,500.
Now that Pereira is ranked at number 12 in Google's Hall of Fame, he's received an onslaught of emails from people congratulating him, asking for advice or offering him jobs.
He makes a point to answer every email, and will refer people to different online computer security resources.
None of his close friends have ever submitted a bug of their own, though he tries to encourage them to give it a shot.
"They're interested but they don't think they know enough," he said. "But I always tell them just to try! Anyone can learn these things."