By day, Adrien Jeanneau is a cybersecurity consultant. By night, under the alias Hisxo, he is a "bug hunter": he tracks down flaws in the websites of large companies or the State... with their consent. Since Wednesday, he has been dissecting the StopCovid application, whose launch is scheduled for Tuesday.
The 27-year-old from Rennes is one of about twenty ethical hackers handpicked to "pentest" - perform a penetration test on - this contact-tracing application meant to help fight the coronavirus.
"I started to take a look at the source code and try to spot small security weaknesses. There are some interesting leads," he says.
His first feat dates back to middle school, in the final year (troisième). "Computers were loaned to students for the year, but they were scheduled to switch off at 10 p.m.," he recalls. It took him only "a few days" to get around this limit and share the trick with his classmates.
For the past few years, he has been registered on the Yes We Hack (YWH) platform, a French company that organizes vulnerability research campaigns - known as "bug bounties" - at the request of private or public customers.
"I like the legal side, it's reassuring. And then, behind it, there are rewards," he says. Each flaw uncovered receives a score from 0 to 10, which corresponds to a payout to the hacker, set according to a reward grid. "My record is 15,000 euros," says Adrien Jeanneau.
It is a sum that can turn the heads of apprentice geeks, but "we must not let people think you can get rich," warns Lucas Philippe, alias "BitK", Yes We Hack ambassador and "bug hunter". For StopCovid, the rewards have been capped at 2,000 euros and will be paid by YWH.
He does it first and foremost for "fun". "I'm in my room, in my pajamas, I legally attack boxes that are worth several million dollars and I find bugs in them. The balance of power is nice," laughs this Lyon native.
- Burn-out -
"It's a game, it's curiosity, it's forbidden," is what motivates Thibeault Chenut, 21. "And then, I'm still a student; with a weekend and a few evenings I can afford a vacation."
He is impatiently waiting for the StopCovid application to go public. "I like what is done by the State because it affects everyone. I feel more useful."
In June 2019, he notably reported a flaw in France Connect, the digital identity solution used to log in to official sites, including those for taxes or health insurance.
The State, via its interministerial digital department, thanked him in a letter, accompanied by a portable power bank, even though no "bug bounty" had been opened.
This "wild" hunting, unsanctioned testing that ethical hackers occasionally carry out without profiting from it, is nonetheless illegal: it is punishable by two years' imprisonment, rising to five years when the victim is the State.
"When I do it, I report it to Anssi (the National Agency for the Security of Information Systems); it proves my good faith. I have never had a problem, but I know that other 'hunters' have," reports Léo Jorand, 24, alias Gromak123.
This cybersecurity consultant, however, never considered becoming a "black hat", an outlaw who monetizes his hacks through blackmail. "I do this to protect people, out of sheer goodwill; I'm not trying to make money."
Clément Domingo, alias SaXx, admits that it could have gone wrong: "I was lucky to come across people who were on the good side of the force. Once I'd gained experience, maybe I would have used it to do devious things, loot and resell data."
Today, this recognized 29-year-old cybersecurity expert speaks at numerous conferences and visits engineering schools to raise awareness among future ethical hackers.
"The key word is self-denial. Sometimes it means spending six months, a year, without a result. And not making it a full-time activity, because to pay their bills, some people lock themselves into a vicious circle, right up to 'burnout'," he warns.
© 2020 AFP