1. Who is Kuromatae?
Anthony Bouvet, 26 years old, full-time Bug Hunter!
3. How did you start hacking?
When I was 12 years old, I realized that I could hack video games to win. I found my first “vulnerability” by manipulating the hexadecimal code of the game Slayers Online. I managed to hide my character from the game, to avoid my opponents’ attacks.
After studying at Ecole 42, I worked for 6 months for a cybersecurity company. But I quickly realized that I wanted to be independent, and Bug Bounty seemed to be the best way to increase my knowledge in security. It’s important to know that a hunter will not submit a vulnerability that he can’t exploit. He will have to challenge himself, and to develop enough technical skills to access the vulnerability, and therefore win his bounty.
3. Did you notice an evolution since you started bug hunting?
Of course! In 2013, I won my first bounty on the platform BugCrowd, after finding a cross-site scripting vulnerability on a website. Back then, you couldn’t subscribe as a hunter, since BugCrowd was just a platform listing websites with various scopes to test; you pentested one of the listed websites, sent your findings directly to the email address given by the company, and got your reward.
Platforms, and rewards, have evolved considerably! Since its creation in France, 3 years ago, Yogosha released a lot of innovative features for hunters and companies. The price widget, for instance, evaluates the criticality and cost of a vulnerability, based on the company’s background.
This feature helps hunters to be fairly compensated, and allows companies to rely on highly-motivated and qualified hunters.
4. Which bugs do you prefer to hunt?
Mobile apps, because you can do funny things with them. One day, I tested a mobile app, and realized that by sending requests, you could change the user’s interface in real time!
5. Which advice would you give to companies who work with bug hunters?
I believe that reactivity is the most important part. I’m not necessarily talking about getting paid quickly, but letting hunters know how the program is going is essential.
Sometimes, if the company is really understanding and considers that the report adds value to its security, it can pay for a duplicate. Honestly, this happens rarely,
6. How do you think Bug Bounty will evolve?
I think that Bug Bounty will become mostly private. Public bug bounties are too exposed. If a malicious hacker sees an open program for a company, he could be tempted to harm it.
It’s also more interesting for hunters to be invited to private programs. On public platforms, some new researchers write 2-line reports when they find a vulnerability. They will receive their compensation, but will not be judged on their report’s quality.
I also believe that companies will tend to grow their teams to manage programs, with at least one employee dedicated to Bug Bounty. And the current trend makes me think that rewards will keep increasing, since companies are way more receptive to our work.
7. Where do you see yourself in the future?
I would like to start a pentest business. At first, I will be doing pentests as a freelancer, while keeping my Bug Hunter activity. Then, I would like to open my own business, and employ people. I would also like to keep raising awareness around cybersecurity. I recently wrote an article for SFR Numéricable talking about the risk of putting personal data on the internet.
8. What does Kuromatae mean?
Nothing! I wanted a cool name which didn’t exist and was easy to pronounce. And I was curious to see how it would evolve in Google search results.