Bug Bounty hunters mount impressive sprint finish to Caisse des Dépôts marathon

April 26, 2024

A spectacular finale saw participants of a YesWeHack Live Bug Bounty rewarded for 30 straight hours of patient probing with a late flurry of serious vulnerabilities.

It was hard going early on given the already hardened scopes, but the ethical hackers’ persistence ultimately paid off. The most significant bugs were only unearthed as the clock ticked down to the final hour.

The upshot was 22 validated bugs and significantly more secure digital assets for Groupe Caisse des Dépôts (CDC), a French public financial institution.

Two ethical hackers hold up t-shirts at the YesWeHack Live Bug Bounty for Groupe Caisse des Dépôts at InCyber Forum (FIC) Europe, in Lille, in 2024

The competition, which ran between 10am on 26 March and 4pm the following day, took place at InCyber Forum (FIC) Europe, the security event in Lille. Bug hunters competed for points, YesWeHack swag created for the occasion and bug bounties ranging up to €6,000 for the most critical vulnerabilities.

As usual, YesWeHack kept the target under wraps until immediately before the event.


The leaderboard was topped by the BZHunt team, led by ZaX (aka Brice Augras) and also featuring Chackal, Serizao and Kix29.

BZHunt finished up on 295 points, accrued via 10 reports, with an impact score of 29.5. In second place, Aituglo (aka Cassim Khouani) notched 165 points via five vulnerabilities, with an impact score of 33. The final podium place was occupied by Gromak123 (Léo Jorand), scoring 150 points, with eight bugs and an 18.75 impact score.

It represented a fourth win in a row for BZHunt at YesWeHack’s annual Live Bug Bounty at FIC.

ZaX (aka Brice Augras) is all smiles at YesWeHack Live Bug Bounty for Groupe Caisse des Dépôts at InCyber Forum (FIC) Europe, in Lille, in 2024

Thank you to all participating hunters and kudos in particular to the top three:

🥇 ZaX/BZHunt

🥈 Aituglo

🥉 Gromak123

Patience pays off

Running non-stop for more than 24 hours, a Live Bug Bounty is very much a marathon, not a sprint. And the bugs don’t arrive with metronomic regularity.

Indeed, the first significant findings in Lille did not come quickly, since the scopes had already been successfully hardened with private YesWeHack programs. ‘Low-hanging fruit’ was in short supply.

Nevertheless, our hunters relish a challenge, and were energised by the variety of applications and technologies to explore. They kept plugging away and the vulnerabilities duly started to arrive.

The dazzling denouement again shows the primacy of patience and persistence to successful hacking (as Icare, RL and Chackal and Serizao have pointed out). The most valuable findings were submitted by hunters who, sleeping aside, hacked throughout the 30-hour event with few breaks.

Credit must also go to the CDC security team for their swift bug triage and assessment and setting of fair rewards.

Bug hunters hacking hard at YesWeHack Live Bug Bounty for Groupe Caisse des Dépôts at InCyber Forum (FIC) Europe, in Lille, in 2024

Benefits beyond bugs

The intrinsic benefits of the in-person format were also apparent. Most notably: the unusual coexistence of competition and collaboration drove hunters to greater heights, while senior managers from CDC were given demos of the vulnerabilities and their implications.

As usual, the event culminated in the announcement of prizes and the final leaderboard, and more fruitful interactions between hunters and the security team.

Providing a platform for knowledge-sharing and awareness-raising, these events clearly offer security benefits beyond the vulnerabilities discovered during the competition itself.

Ethical hackers chatting at YesWeHack Live Bug Bounty for Groupe Caisse des Dépôts at InCyber Forum (FIC) Europe, in Lille, in 2024

‘Shoutout to Caisse des Dépôts’

Reflecting on the event, ZaX said:

“This year again, the event was intense and full of twists and turns. After a rather slow start in terms of discoveries in the first few hours, it was finally after a long night of hunting that the first interesting vulnerabilities were found by the BZHunt team.

“A big thank you once again to YesWeHack for organising this and allowing us to be there for the past four years. It's always great for us to interact with other hunters and introduce Bug Bounty to younger ones. And also, a big shoutout to Caisse des Dépôts for the quality of triaging but also for the transparency they showed in terms of communication regarding the trust they placed in the ethical hacking community.”

Ethical hackers celebrating their achievement at the end of the YesWeHack Live Bug Bounty for Groupe Caisse des Dépôts at InCyber Forum (FIC) Europe, in Lille, in 2024

Founded in 1816, Groupe Caisse des Dépôts makes investments with long-term benefits for reducing social and regional inequality, protecting the environment and the economic development of France. Among other things, it manages the pensions of one fifth of French citizens, and invests in social housing, renewable energy and sustainable transport.

Groupe Caisse des Dépôts commented:

“We've been working with YesWeHack for several years now. Taking part in this live event at Forum Incyber 2024 was an opportunity to meet the hunters who work all year round on our programs, which allow us to interact in real time.

“We were able to discuss the bugs they had reported, their understanding of our applications. An exceptional experience to be repeated, thanks again to the hunters and to YesWeHack!”

Aside from overseeing the Live Bug Bounty, a YesWeHack team was also on hand to demo and discuss our vulnerability management solutions – Bug Bounty, Vulnerability Disclosure Policy, Pentest Management and Attack Surface Management products – with FIC visitors. We were also delighted to announce an integration between Sekost’s scan engine and our Attack Surface Management product.

If you want to know how a Live Bug Bounty or regular Bug Bounty Program can harden your digital assets, strengthen your security posture and provide assurance to customers and investors, contact us to book a demo.