This month, we publish an interview with one of the best researchers of our  Bounty Factory called SaXX who is only 27 years old.

In the all time ranking, SaXX culminates in the first place and he intends to defend his ranking well. Like Rafael Nadal, SaXX never gives up and works hard to exercise his passion with his true mischievous side!

1. Where did you get your nickname?

Well, that’s a question a lot of people ask.
I only tell the genesis of this nickname in certain circles.

2. What’s your background?

I have a career path that some would describe as classic. I had a BAC S (maths specialization) then a BTS IG at that period of time. After the BTS, I didn’t really know what to do so I let myself be tempted by an Information Systems Management school in Lorient – France.

In fact, I was a little bored in class because I either quickly finished what had to be done or I wasn’t interested. So I started to explore the Internet and my first real project was to code a bot in python to do a very particular task. Along the way, I discovered IRC and more particularly the n-pn info chan where I had the chance to meet and exchange with passionate and open people: Gruik, MacYavel, Notfound, Bitk, XeR, kaluche, and many more. It was also the time when CTFs were starting to get organized and we decided to try it out with one of Hexpresso’s historical members, Notfound. At first, we didn’t grasp everything, but through training and envy we started to improve our skills and get results.

At the mean time, during my “alternance” within a private company, I started proposing subjects around computer security and my tutor entrusted me with more and more tasks that had nothing to do with what I was learning in a master’s degree, which was rather interesting. So I was able to develop my skills until I created the BREIZHCTF 4 years ago now with kaluche.

3. Can you tell us about a failure that you learned a lesson within a bounty bug program?

Once I discovered a vulnerability but I was not satisfied with its exploitation so I spent one night trying to optimize this finding and the next day when I finally submitted it but i was told it was a duplicate and that pissed me off. Since this disappointment, when I have a beginning of vulnerability with a minimum exploit and well I submit it quickly, it gives me time to continue its exploitation to see how far I can unroll the ball: it is a good challenge and it allows to push back some limits.

4. What advice would you give to apprentice bug hunters?

There are a few of them.

First of all, admit that we know nothing not to quote Socrates: “All I know is that I know nothing”. Once you’ve keep this in mind, be curious, very curious. There’s no day I don’t read. It helps me to sharpen my mind and sometimes it is useful when Bug hunting.

Then, it is wise enough to read the vulnerabilities discovered by other hunters when it is BugBounty or other researchers when it is CVEs. It is kind of forging our approach in terms of vulnerabilities and it allows you to try new techniques in context.

A very good way to gain experience, too, is to participate in CTFs or practice on platforms like root-me or ringzer0. It’s also fun to share this type of challenge with friends to better understand and exploit vulnerabilities. There are really many advantages to working as a team.

Last but not least, write understandable and clear reports. There’s nothing better than a relevant report through which the BugBounty program team can see right away what’s going on.

5. What is the highest reward you have received through BountyFactory?

For me, one of the highest awards I’ve ever received isn’t cash and stumbling but it’s a Tshirt from OCCRP.org and seeing my nickname in their hall of fame.

This was a non-profit bug bounty program for an NGO fighting corruption and organized crime. I was just proud to have helped them strengthen their systems.

6. Do you have a type of vulnerability that you like to look for?

THE TRACES (#privatejoke) I think some will recognize themselves !

More seriously, over the months and years spent hunting Bugs, I realized that the most critical vulnerabilities were those directly related to the business of the company that is implementing its Bug Bounty program. This requires a certain discipline in the method adopted to test the scope. Besides the vulnerabilities directly related to the business, I have two others that I test systematically and in most cases they work; it is the lack of partitioning between users.

7. Bounty bug is a kind of sport, do you have a professional sportsman who inspires you technically or philosophically?

While I admire the pugnacity and hard work that great athletes do, I don’t have a name that comes to mind. I don’t know if Mr. Abraham Lincoln was a great sportsman, at least one of those quotes inspires me, “If I get six hours to cut down a tree, I’ll spend four hours preparing my axe.” This quote echoes another by Edison: “Genius is 1% inspiration and 99% perspiration”. Not having the genius of Thomas Edison, I certainly need 100% perspiration to spend time learning and trying new things.

8. As number 1 of bountyfactory, have you noticed an evolution concerning your competitors or bug bounty programs as a whole?

The competition is getting tougher indeed! OneMore succeeded in dethroning me in 2017. Nice feat, but since then I’ve been trying to regain a small lead over him. As for the other hunters, who stick to me, they do a good job as the hacktivity page shows. On Bounty Factory the competition is healthy and it’s really fun.

As far as the programs themselves are concerned, I see that more and more boxes want to do this, but sometimes it is not so obvious. For some of these programs, it turns out that managers underestimate all the resources and skills of hunters on Bounty Factory. What sometimes makes that some programs rather sure of themselves (understand their infra, their code,…) do not expect such a volume of report concerning critical vulnerabilities consequently certain vulnerabilities can take enormously time to be solved what conditions the payment of the reward to the hunter.

9. Beyond computer security, bug hunting, can you name one of your favorite hobbies?

I’m a Cub Scout leader and I like attending small or bigger rock gigs in Brittany or elsewhere.

10. Any last words?

Yeah, i do have a last quote (I like quotes and so what ? ^^), I would share with you that of Elsa Triolet: “We should always see ourselves as people who are going to die the next day. It’s that time you think you’re looking at that kills you.” A quote full of common sense that took on a whole new taste following an accident that happened to me last summer and that could have been tragic…

Don’t wait to have this or that, to be this or that to get started and enjoy life, your friends but above all your family.

SaXX Winner of the latest trophee of the OnSite Bug Bounty program organized by Yeswehack in Rennes | France.

In Bug Bounty, Bug Hunters, Disclosure, Europe, Feature, Vulnerability Coordination