“Xel” is a top Swiss hacker: a visit to the home office

Ethical hackers look for vulnerabilities in companies for money. Raphaël Arrouas is one of them. The most important thing is not to give up.

“Anyone who knows how vulnerable our IT systems are starts to worry”: The ethical hacker Raphaël Arrouas, known as “Xel”, in his study.

Simon Tanner / NZZ

Hardly anyone knows him. He shies away from public appearances. And yet he is one of the best hackers in Switzerland: Raphaël Arrouas, known in the scene under his pseudonym “Xel”. For a good three years he has made a living from hacking into companies and penetrating their IT systems. He does this in his home office, from his family apartment in the hills near Zug.

Arrouas is not a criminal hacker. He is a bug bounty hunter, a “bounty hunter of IT vulnerabilities”. He scans companies’ servers and websites for vulnerabilities, on his own initiative but with their permission. If he finds a hole, he reports it and receives a reward for it.

Arrouas is good at what he does. On the large European bug bounty platform YesWeHack, he currently occupies fifth place in the internal ranking. Last year he was even the fourth best vulnerability hunter on the platform. He has made a name for himself and is invited to selected programs, for example when the federal administration carried out a pilot project last year and searched for gaps with bug bounty hunters.

Big tech companies like Google have had bug bounty policies for years. They set the rules for the case in which a security researcher with good intentions finds a vulnerability that criminals could exploit. It is in the companies’ interest that ethical hackers report these errors, called bugs, rather than keep them to themselves: the gap can then be closed, and security improves.

In Switzerland, more and more companies have been using this concept in recent months to increase the security of their IT systems. At the beginning of August, the federal government decided to set up its own program for the administration in Bern together with the Swiss platform Bug Bounty Switzerland. The decision could give the issue of bug bounty an additional boost.

Those who are well-known can access lucrative programs

Arrouas took a gamble when he decided to go full-time as a bug bounty hunter in early 2019. “In Switzerland it’s difficult to live off a bug bounty,” he says. The cost of living is high, and if you want to earn as much as with a regular job, you have to be among the best internationally. Competition from India and Eastern Europe, where life is cheaper, is strong.

In addition, there is no guaranteed income: the companies only pay if he actually finds something. “That’s why it’s an advantage if you have a little money set aside,” says Arrouas. Then it’s not so bad if you don’t find a bug for a week.

Arrouas now belongs to the circle of ethical hackers from Bug Bounty Switzerland. This is a Swiss platform that organizes bug bounty programs for companies. Arrouas takes part in temporary pilot projects that companies can use to test the concept.

Arrouas prefers such closed programs. These are not open to all hackers worldwide, but only to a selected group that is invited. The small size of Switzerland benefits him. Anyone who has made a name for themselves here can access the more lucrative programs, for which in some cases only people from Switzerland are deliberately admitted. In these cases, according to Arrouas, the premiums are comparatively high.

Arrouas doesn’t want to go into details. Discretion is important to him. He does not say which products he has already found weaknesses in and how serious they were. The only thing is that, in addition to the federal government, he also looked for security gaps at the University Hospital of Zurich, the canton of Vaud and Swisscom. And: “Today I earn better than I used to with a permanent position in the field of cyber security.”

In the hot phase he can hardly stop

Arrouas is 30 years old and a family man. He lives with his wife and young daughter in an unspectacular apartment with a beautiful view. A room is reserved for his work. There is order in it: lockable cupboards, a whiteboard for notes and next to it the desk with several screens. The computer behind it has plenty of RAM for the virtual computers and a powerful graphics card to crack passwords. The black and red leather office chair with headrest is an eye-catcher.

This is the room Arrouas retreats to when he’s hunting for security holes. At the beginning of each program, the competition is fierce. “Then I can’t stop and eat in front of the computer,” he says. It’s about being the first to report a vulnerability – otherwise there’s no reward. “Only when I’ve gone through the obvious options and tried out my own ideas do I take a break.”

Concentration is important in his work. “I have to get myself into a state where I’m completely focused on the goal,” says Arrouas. In the past, he often worked all night to do this. Since he had a daughter, he can no longer do that.

In the first step, Arrouas has to understand how the application works, what technologies it uses and what data it exchanges. Then creativity is required. Arrouas says: “The most important skill as a bug bounty hunter is not to give up.” The technical knowledge, on the other hand, can be acquired – also with instructions on the Internet.

Arrouas is an engineer by training, grew up in southern France. After his studies, he started working as a pen tester for a Vaud cybersecurity company. In pen tests, an external company is commissioned to gain access to an IT system in order to improve security. So the task is similar to the bug bounty, but deeper and less broad. In addition, pen testing companies get paid even if they don’t find any vulnerabilities.

He would never use Whatsapp

Once you have started dealing with IT security, you often become more cautious in everyday life. Arrouas even says he’s a bit paranoid. “Anyone who knows how vulnerable our IT systems are starts to worry.” At the beginning of his time as a pen tester, he saw what his colleagues could do on a public online service. “I was shocked.”

This experience has a concrete impact on everyday life. Arrouas doesn’t use Twitter, he encrypts the data on his hard drives, and he uses a password manager for complex passwords he can’t remember himself. And he monitors his computer’s network connections, as big companies do to detect attacks.

He avoids so-called “smart” devices in everyday life. His car is not connected to the internet. He doesn’t want a microphone on his TV remote control. And he would never use Whatsapp. “Basically, I try to keep my presence on the Internet as small as possible,” says Arrouas. Not everything can be secured, but the risk can be reduced.

He gave up a career to be self-employed

Arrouas used to play computer games a lot. Maybe his pseudonym “Xel” comes from it. But he doesn’t want to reveal that. “Not even my wife knows where the name comes from.” Today he has less time for gaming – not only because of his daughter. He plays sports, looks after his health. Sometimes he still plays a retro game from the early 2000s.

The step from employed pen tester to independent bug bounty hunter brought many advantages for Arrouas. He can work from home and organize his working hours flexibly. Previously, he was more in the role of a consultant, the dress code was a suit. Now he can focus on the technical aspects.

The freedom he has won comes at a price. “It’s a special way of life without a stable income,” says Arrouas. And even today he sometimes has to be careful not to work too much. But he likes independence. “I used to want to have a career,” he says. He renounced that. “But I have a job that brings great satisfaction.” It’s like a treasure hunt, he says and laughs: “Only less dangerous.”
