Lucas aka BitK: high level bug hunter and the brand new YesWeHack Tech Ambassador.
March 15, 2019
Tell us about yourself, your background ?
I’m Lucas also know as BitK, I am 28 y/o. I’m a French guy who lives in Lyon. If you play CTF we have probably already met during an on site event as I play a lot of them with the French team Hexpresso.
Before joining YesWeHack I was writing / reversing software for power plants.
I’m also a bug hunter, I’ve been in the top 10 hackers on YesWeHack Bug Bounty platform since the launch of the platform.
Why did you join YesWeHack and what is your role ?
It’s a team that I’ve known for quite some time through CTF, Bug hunting and HZVCommunity & Events ( LeHack ).
We share the same principles and I do like the idea of bringing tools to the community.
My role as Tech Ambassador within YesWeHack will be to support the hackers’ community, by providing tools, talks and workshop. I’ll attend the YesWeHack sponsored events, having great time with bug hunters and IT security researchers.
As a bug hunter and CTF player what are you driven by ?
To me, bug hunting is a lot like a puzzle game, I feel like every software, application is vulnerable to some kind of exploitation, you just need to find how.
Writing software is a difficult job, and developers are still human beings, so they make mistakes : our job is to find those mistakes and help developers to fix them before it gets worse.
One thing I love about the hacker community is the willingness to share information, tips or tools. There is always someone better than you in a specific field and most of the time those people will share their knowledge if you ask nicely.
What are the benefits of CTF (Capture The Flag) for those who want to start bug hunting ?
CTF is a bit different from bug bounties, the major difference is that in CTF you know that a vulnerability is there, you goal is “just” to exploit it.
So usually CTF tasks are quite small, you need to exploit a very specific bug. While in bug bounties, you are hacking real enterprise, their website can be huge and sometime you can find yourself lost in the scope. Bug Bounty has a whole reckon phase that CTF don’t have, it’s a new skill to learn.
CTF and Bug Bounties are different, but most of the time I use tricks and tips I’ve learn during CTF to exploit real life application in Bug Bounty.
What are the challenges of Private, Public and On-site Bug bounty Programs ?
I often read online that you should go and grab low hanging fruit and that’s why private bounties are better : first arrived – first served.
But I think It’s way more rewarding to hunt for business logic bugs : you’ll will need to spend more time and it can be a bit difficult in the beginning, but in the end you’ll find more critical bugs. In this regard, I think private and public bounties are really similar.
On site programs are a bit different. Most of the time developers are also on site. And that’s a very valuable asset, as you can ask them questions to try to understand how everything works behind the scenes. You are part of the same team, everyone is committed to hardening a product and everyone learns to work with others and ultimately all players gain and improve their knowledge and skills.
In terms of Bug Bounty Tips, do you have any resources, books, tools to share ?
My biggest tip for Bug Bounty would be to stay in touch with the new trends, read a lot of write ups (Bug Bounty or CTF), you won’t be able to find a bug if you don’t even know it can exist.
Also, don’t be too dependent on your tools : almost everybody uses the same set of tools (Burp Suite, sqlmap etc. ) so the difference between you and another hacker will be your own skills, tools are here to help you, to be able to be more efficient, but don’t expect them to do your job.
Why is Bug Bounty a good way to foster security/DevSecOps within DevOps’ pipeline?
Most companies don’t have enough internal resources to handle security testing. CrowdSourced Security and especially Bug Bounty is the way to approach this challenge. Through a Bug Bounty platform, companies have access to a virtually unlimited pool of talents.
How do you manage the intensity of your hacking activities, do you take breaks to gain efficiency?
I used to play CTF all night but now I realize that the time I spend being awake too long I loose in efficiency, definitely. 🙂
You need to take breaks, It’s easy to get stuck in your own mindset. Have lunch, take a shower, go and grab something to drink, you’ll find new ideas quicker.