French hacker Lucas Philippe, or @bitK on HackerOne, loves solving puzzles and bug hunting. He’s a member of multiple CTF (Capture The Flag) groups including @HexpressoCTF and @FlatNetworkOrg and has ranked on several leaderboards. @bitK made waves at his first live hacking event — h1-415 2019 — for how quickly he solved Hacker101 CTF Trainings, beating the rest of the field by over 24 hours! Just months later, he won the $50 Million Dollar Milestone CTF and because of his lightning speed, secured an invite to yet another live hacking event.
When he’s not behind the screen hacking away, you can find @bitK traveling, meeting new people and trying new things at every corner. Read on to learn how he started in infosec and what keeps him motivated to keep hacking!
How did you come up with your HackerOne username?
When I was in high school, one of my friends wrote "Babar is the king" on one of my binders. Babar is an old French children's book series where you follow the life of an elephant with the same name. 5 years later, I needed a username for my first CTF (nuit du hack), and I went with BitK. I've kept the name since then.
How did you discover hacking?
I started learning programming in my free time during high school. I started with some PHP and how to make a website with a MySQL database, and in the article I was reading they told me to use a specific function to prevent hacking. So I started wondering how to protect yourself from getting hacked, but more importantly I wanted to know how hacking works. At the same time I was playing World of Warcraft with some friends, and I got very involved in the modding community. It taught me a lot about file structures and memory exploitation.
What motivates you to hack and why do you hack for good through bug bounties?
For me it's like playing a puzzle game and the rush you get when everything aligns. I see bug bounty like a CTF where you choose where the flag is. Right now I have less motivation to do bug bounty; I prefer to write tools to help others.
What makes a program an exciting target?
I don't really like wildcard scopes, I prefer a small well defined scope. One thing I really like about a program is when they set specific targets with a bonus. It helps me understand what is really valuable to them and it sets a clear goal.
What keeps you engaged in a program and what makes you disengage?
It's always the relationship with the triager. When I start a new program, I often report a first bug, and if the exchange goes well I keep hacking; if not, I will start a new program.
How many programs do you focus on at once? Why?
Usually I work on a single program at a time, and I keep working on it until I feel like I've tested everything. After that I look for a new program. I keep all my Burp history and notes for all the BB I do, so when I find a new technique I want to go back to an older program, I still have everything.
How do you prioritize which vulnerability types to go after based on the program?
If there is a clear target I will go for it; if not, I try to find what is really valuable for the program. Different programs have different priorities; you need to understand what the company is trying to protect with their bug bounty.
What do you wish every company knew before starting a bug bounty program?
That they will get breached: don't get upset when we find a big bug, you signed up for it. It's way easier to find a bug than to write secure software. We are here to help; finding a bug is not an insult to your developers.
How do you see the bug bounty space evolving over the next 5-10 years?
2020 has taught me not to make 5-year predictions anymore.
How do you see the future of collaboration on hacking platforms evolving?
Collaboration is the best way to do bug bounty, in my opinion. You often need a large set of skills to successfully exploit a target, and you can't possibly know everything. Working with multiple people allows you to extend the scope of knowledge for everyone involved.
Do you have a mentor or someone in the community who has inspired you?
I don't really have a mentor, but I have a lot of friends I started hacking with. Being with people with the same skill level is also a good way to learn. We had different skills and we were all learning new stuff at the same time and challenging each other. It creates a space where we all grow together. So shout out to the CTF team Hexpresso.
What advice would you give to the next generation of hackers?
Understand what you are doing, stop using magic payloads.