As technology moves forward, so are the threats to the tools we use every day. GitHub is one such tool, enabling software developers to collaborate within and across organisations. One way of keeping tabs of GitHub is gitGraber which detects sensitive data available on the platform.
Tell us about yourself, your background ?
I’m Lucas also know as BitK, I am 28 y/o. I’m a French guy who lives in Lyon. If you play CTF we have probably already met during an on site event as I play a lot of them with the French team Hexpresso.
Before joining YesWeHack I was writing / reversing software for power plants.
I’m also a bug hunter, I’ve been in the top 10 hackers on YesWeHack Bug Bounty platform since the launch of the platform.
Why did you join YesWeHack and what is your role ?
It’s a team that I’ve known for quite some time through CTF, Bug hunting and HZVCommunity & Events ( LeHack ).
We share the same principles and I do like the idea of bringing tools to the community.
My role as Tech Ambassador within YesWeHack will be to support the hackers’ community, by providing tools, talks and workshop. I’ll attend the YesWeHack sponsored events, having great time with bug hunters and IT security researchers.
As a bug hunter and CTF player what are you driven by ?
To me, bug hunting is a lot like a puzzle game, I feel like every software, application is vulnerable to some kind of exploitation, you just need to find how.
Writing software is a difficult job, and developers are still human beings, so they make mistakes : our job is to find those mistakes and help developers to fix them before it gets worse.
One thing I love about the hacker community is the willingness to share information, tips or tools. There is always someone better than you in a specific field and most of the time those people will share their knowledge if you ask nicely.
What are the benefits of CTF (Capture The Flag) for those who want to start bug hunting ?
CTF is a bit different from bug bounties, the major difference is that in CTF you know that a vulnerability is there, you goal is “just” to exploit it.
So usually CTF tasks are quite small, you need to exploit a very specific bug. While in bug bounties, you are hacking real enterprise, their website can be huge and sometime you can find yourself lost in the scope. Bug Bounty has a whole reckon phase that CTF don’t have, it’s a new skill to learn.
CTF and Bug Bounties are different, but most of the time I use tricks and tips I’ve learn during CTF to exploit real life application in Bug Bounty.
Let’s meet with Kalin, Bug Hunter from Poland.
What’s your background ?
I’m 25 yo ,I didn’t study, it’s kind of a waste of time in Poland. Well, depends if hacking the school PCs in junior high school counts? xD
I have started my carrier in IT industry as a Data Center Operator, then I got promoted to Junior Dev. They had to do it because I have pwned their application once, and after promotion with the access to source code I was able to find few more critical bugs. Also with the help of Shellshock I was able to download/view the files of the CTO that were stored on one NAS.
3 years ago I have joined a awesome security company, and in my current position I’m responsible for : Mobile apps testing / Web apps testing / Code reviews / General technical advisory on the customer side.
My nickname Kalin comes from my surname KALINowski. I can be also found on the Internet by @llamaonsecurity/@llamasbytes handle.
Why are you interested in bug bounty ?
It started bug bounties as a time-killer in my first job, then I forgot about it and came back to it when I started the carrier in IT security. Participating in bug bounties improves your skills and increase the overall knowledge. Once I had to dig into the PNG file format structure to execute the XSS payload on web servers. It was quite an unique experience. Financially speaking, 1 euro is equal to 4.15 PLN (my local currency) so participating in bug bounties can be profitable.
This month, we publish an interview with one of the best researchers of our Bug Bounty Platform called SaXX who is only 27 years old.
In the all time ranking, SaXX culminates in the first place and he intends to defend his ranking well. Like Rafael Nadal, SaXX never gives up and works hard to exercise his passion with his true mischievous side!
1. Where did you get your nickname?
Well, that’s a question a lot of people ask.
I only tell the genesis of this nickname in certain circles.
2. What’s your background?
I have a career path that some would describe as classic. I had a BAC S (maths specialization) then a BTS IG at that period of time. After the BTS, I didn’t really know what to do so I let myself be tempted by an Information Systems Management school in Lorient – France.
These days, Bug bounty Hunters are trending within the IT security ecosystem, but very few articles deal with the DNA of a Bug Bounty Hunter.
At YesWeHack.com, we consider Bug Hunters have to respect and fit legal frameworks and norms.
AS a bug hunter please find below the goals you should be driven by :
My nickname is Onemore and I am a core-hunter of the YesWeHack.com private Team.
I’ve been hunting for bug bounties since 2012.
As a core-hunter for YesWeHack.com, my job is to spot talents and ask them to join us.
Even if our recruitment is subject to a co-optation process, i do have some criteria that help me spotting and rating new applicants.
In order to level-up the degree of trust, we need to apply some criteria for recruiting of our core hunters.
Those criteria are based on skill, level, openness, ethics, without omitting the ability to produce clear and relevant reports.