Facebook has awarded a white hat hacker its biggest ever bounty for reporting a severe vulnerability affecting the company’s servers.
Facebook paid Andrew Leonov, a Russian security researcher, $40,000 for discovering that Facebook was susceptible to a “remote code execution” flaw in ImageMagick, a popular open-source software tool for editing photos. The flaw would have allowed hackers to hide computer-compromising code in image files that they upload to the site.
Originally discovered last spring, the bug affected countless websites using the ubiquitous photo-tweaking software ImageMagick. Facebook’s security team attempted to patch the issue last year, but Leonov found that he could circumvent the fix that the team had put in place.
Get Data Sheet, Fortune’s technology newsletter.
To fix the vulnerability, Facebook’s engineers, like many others, simply added rules to its web application firewall, a tool that monitors, filters, and blocks Internet traffic. The measure was not foolproof, as Leonov figured out months later.
The revelation came one Saturday in October when Leonov was poking around “some big service (not Facebook),” he wrote in a recent post on his personal blog. His suspicions were piqued after he was redirected to the social network by way of a “share on Facebook” pop-up box and, for some reason, a picture failed to render properly.
Initially, Leonov assumed the problem related to a type of vulnerability that lets attackers create requests from servers behind firewalls. He kept digging until he realized the real problem.
For more on Facebook and hackers, watch:
Facebook had used a vulnerable ImageMagick library in its image converter, Leonov found. He then devised a way to bypass the network’s firewall defenses with some code of his own, and he reported the problem to Facebook on Oct. 16.
Within three days, Facebook had patched the hole. By early November, Leonov had received his reward through Bugcrowd, a bug bounty startup that counts Fiat Chrysler (FCAU), Western Union (WU), and Twilio (TWLO) among its customers.
“I am glad to be the one of those who broke the Facebook,” Leonov wrote, celebrating the achievement on his blog.
https://twitter.com/alexstamos/status/821415424558440448
“Great bug from a responsible reporter,” Alex Stamos, Facebook’s information security chief, said in a post on Twitter this week.
Facebook confirmed with Fortune that this is the company’s largest bug bounty payout to date. A spokesperson said that the company was unaware of anyone exploiting the issue before Leonov’s report.
Facebook’s next highest payout for a bug bounty was $35,000 in January 2014. The company awarded the sum to Reginaldo Silva, a Brazilian security researcher who discovered a different remote code execution flaw that affected the site’s login process.
Facebook has long lauded the efficacy of bug bounties, having paid more than $5 million to ethical hackers since debuting its program in 2011. Other organizations such as Microsoft, Google, Uber, Apple, and even the United States Department of Defense, sponsor bug bounty programs, too.
