Today, we see the media shifting away from the old narrative once attached to the term and embracing the idea that hackers are there to help and are no longer the villains in this story. Hackers are finally starting to be viewed as superheroes who help fix vulnerabilities on the internet, making it a better place for everyone.
The term is not only redefined in the eyes of the public. Organizations have embraced security researchers and bug bounty hunters to find critical vulnerabilities as a core part of their security program. Even the nature of the hacker community is changing. Collaboration is heightened and is ingrained in the community more than ever. Crowdsourced security models and bug bounty platforms are sprouting, creating a new, more inclusive community that heightens diverse voices and perspectives.
Eric Head, known online as todayisnew, took the bug bounty hunting community by storm. There was a time when everyone, at least once, saw a question on their Twitter feed that asked, “Who is todayisnew, and how is he doing it?”
Today, Eric redefines what it means to be a hacker with his beaming positivity, self-taught skills, sought-after automation, and advocacy for mindfulness and mental health awareness. Eric holds the spot as the best-ranked researcher on both HackerOne and Bugcrowd, recently crossing $2 million earned in bounties. We had the good fortune of chatting with Eric about CodeCanCare, the automation of his everyday life, and the effect of his success on his outlook on life. We also learned a mindfulness practice that Eric thinks everyone can easily integrate into their lives to make them that much better.
SecurityTrails: The first question is one the entire internet has been asking for a few years now: how can todayisnew be top 10 on all programs?
Eric Head: I was lucky to start early and have been at it for about six years. Each day I try to invest time into automating anything I need to do repeatedly, which I carry over from my personal life. When it’s possible, automation is a multiplier and the evolution of what I would be able to do on my own. It’s helped me stay focused and organized in every area of my life.
“In all parts of life, the joy you share with others is so much better than what you experience on your own”
ST: What was the most exciting bug you ever won?
Eric: They are all exciting in their own way! Probably the most memorable are the ones I have been able to find and share while collaborating with others. The team’s success at live events is pretty amazing. In all parts of life, the joy you share with others is so much better than what you experience on your own. Being able to share in the success of any great bug with others is at the top of my list.
ST: When did you start automating your entire workflow, how much of it is automated now, and can you share a bit about your stack and other important lessons in automation?
Eric: From day one, I aimed to automate my workflow. I was automating different payloads being sent to iOS apps when I first started because I had a newborn and not enough time to be in front of the machine all the time. Basically, if I do anything more than twice, I try to automate it to run on its own.
My stack: this might be the most unexpected part. If it’s working, I don’t really want to change it up.
Visual Basic 6 is still my go-to language, but Python and Go are slowly replacing it. Bash scripts, PHP, a little Ruby and Perl mixed in, and some Objective-C. With that said, it’s constantly breaking! And having the composure to accept it, start new, and try again is key.
“The bounties afford me the opportunity to push myself less and let me give my loved ones the time and attention they deserve.”
ST: What kind of bugs have you automated?
Eric: I have gone on record before saying this, but most of my life is automated! Does that make me a bug? But seriously, 95% of my bug types are automated, from Subdomain Takeovers to scanning for Information Disclosures across the very open internet. The most challenging part is keeping track of all of the tooling I have written and knowing where to find it when it breaks.
ST: What questions do you ask yourself before starting a program? And what should the program offer for you to start?
Eric: Before starting a program, I tend to ask, “does this program offer financial compensation for the work provided?” In the past, I had invested time in programs that provided points only. I later shifted to programs that reward, as it did not make sense to spend my time and money to help companies who profit only for themselves. For programs related to non-profits/charities, I definitely consider them regardless of paying bounties or points.
ST: When you start on a program, do you hunt for specific vulnerability types, or not? How do you approach a target?
Eric: I start with what I know and let my automation do most of the heavy lifting — depending on the scope, I might go in deeper manually if I have a hunch that I might be able to find something critical. But this varies from program to program.
ST: What advice would you give someone constantly finding dupes?
Eric: Using the same tools as everyone else is going to find the same bugs as everyone else; dupes happen.
I think to see dupes means you’re on the right track, but then try to bring your own unique skill set to explore deeper.
ST: How and where do you learn new skills and stay informed?
Eric: I try to read over disclosed reports as often as I can – I read through Twitter to read researchers’ findings, which will often make a light go off in my head and give me that “Eureka” moment, which I can then take and roll into my automation.
ST: When working full-time as a hunter and wanting to keep doing so, how do you make it fun? How do you keep something you do every day, maybe even forever, from stopping being enjoyable?
Eric: I make sure to do something new each day and connect with like-minded people.
ST: What is something about bug bounty hunting (community-wise and work itself) that you wish more people knew/spoke about?
Eric: A few things: It is a lot of hard work, and the time invested before you find the bug plays a large role. It is a combination of skills - finding bugs is one small part, but you need empathy and people skills to work with the humans on the other side of the screen, as well as the skills to write and communicate your report findings clearly.
There needs to be more talk about business aspects like taxes, cost of doing business, and investing back some of the bounties into services that support finding more bugs.
ST: Everything about you redefines what it means to be a hacker — no college, no training or certifications, wholesome, family-oriented, and a big advocate for mental health awareness. Tell us a bit about your principle of code can care.
Eric: The future of our planet is in a challenging spot. There is immense suffering by so many people at many different levels. With that in mind, I try to cause no harm in my actions. By my actions or the code I write, I hope to create less suffering and play a supportive role for those doing the hard work to address some of our worldwide challenges. Ideally, my work will give others a safe and secure online environment for their data and tools, so they can do the needed work.
ST: While on the topic of redefining what it means to be a hacker, how do you expect the public perception of hackers to change, and how do you think the community itself will change in the next few years?
Eric: Words are interesting. It is unrealistic to think we all use the same label or variables to define meaning. Hackers, love, or pain — we all have different meanings for each term.
I think the public and community perception of what a hacker means might be more towards what a hacker is not in the future. A hacker will no longer mean:
- someone who causes harm
- someone to be afraid of
- someone you don’t want on your team
- someone who is isolated and working alone
ST: As the king of automation, you said you automated your life just like you did for bug bounty hunting. How did you do that?
Eric: Out of necessity! I’ve struggled with focus (ADHD) and organization issues my entire life. With code, I was able to write upgrades for myself. I have software on my phone and PC that guides and supports me in what I need to get done.
Some good examples: I have set the family TV to lock automatically when it’s time for bed, and I have timed reminders on my phone to go for a walk. My children are also enjoying the benefits, as I code out tools for us. We have adventure games running on the TV that have guidance into mini-games of hide-and-seek, building forts, play kitchen, Barbies, happy songs, blocks, and tidying up. It’s amazing how code has been able to provide me that support.
ST: Congratulations on winning $2 million in bounties! Did your outlook on bug bounty hunting change from when you did it out of necessity to now, $2 million later, when you can allow yourself the luxury of not pushing as hard anymore (but still do)? What motivates you to continue hacking?
Eric: Thank you.
My outlook has changed, yes. In the past, there was debt, struggle, fear, and worry. It reminds me of the struggles others face, so I try to help others with any time I have, although I try to prioritize friends & family with the time I have to spare. The bounties afford me the opportunity to push myself less and let me give my loved ones the time and attention they deserve.
ST: How did your great success change your everyday life, and did it change your mindfulness practice?
Eric: My mindfulness practice has a similar focus both before and after my success. I’m grateful for the benefits the finances provide to help my life and family in so many ways, but there is still loss, worry, and pain for everyone to work at.
ST: And for the final question: Share one small mindfulness practice you think everyone can easily integrate into their life, maybe one that you found most helpful.
Eric: This might be a long read, but worth the 5 minutes, I promise!
Mindfulness develops a set of attention skills:
- Concentration
- Sensory clarity
- Equanimity
Speaking firsthand from 17 years of practice, developing CC&E will end with more bugs, more bounties, and more happiness. Every minute you invest will get multiple returns on the time.
I’ll show you a proof of concept that will help explain the skills.
Let’s call it the See/Hear/Feel Technique POC.
You can do it seated as well as in daily life. I like practicing See/Hear/Feel every 30 minutes while working. I stand up, walk, and free up my brain for about 10 minutes.
Here’s how you do it: First, we’re going to organize all life experiences into 3 categories. The categories are See, Hear, and Feel:
See includes what you see in the environment and what you see in your mind, such as daydreaming.
Hear includes what you hear in your environment and what you hear in your mind, like talking to yourself or getting a song stuck in your head.
Feel includes physical sensations and emotional feelings.
Each category, See, Hear, and Feel, also has restful states.
For example, you might notice that:
- i. you have no images in your mind, or
- ii. the room you’re in is silent, or
- iii. your body is relaxed.
So there’s inner and outer See/Hear/Feel:
- i. what you see in the world and in your mind,
- ii. what you hear in the world and in your mind, and
- iii. what you feel physically and emotionally.
And there’s active and restful See/Hear/Feel, such as:
- i. the quiet mind (restful) or inner dialogue (active),
- ii. emotional peace (restful) or active emotion,
- iii. not seeing anything in your mind’s eye, just a blank mental screen (restful) or seeing an image/images (active).
Here’s how to do the technique:
You’re going to notice where your attention goes, from moment to moment. You don’t need to have any particular kind of experience.
For example, it’s ok if you don’t detect emotions. That would be a restful emotional state.
You’re just focusing on whatever you happen to notice, whether it’s active or restful, inner or outer. It’s all good. When you draw your attention to an experience, decide whether it falls under the category of See, Hear, or Feel.
- i. If you’re looking at a tree, that’s See.
- ii. If you hear the “It’s A Small World” song in your mind, that’s Hear.
- iii. If you notice the silent room, that would also be Hear.
- iv. If you are anxious after you submit a report, see an alert pop, or receive a reward for a great bug bounty, that would be Feel.
The moment you identify the category, you can label it out loud or to yourself. The labels are See, Hear, or Feel. Whatever category it’s in, stay focused on the experience for a few seconds before moving on to the next one. If it happens to disappear, just let your attention move to something new. If you notice more than one sense category at the same time, such as hearing a fire truck and picturing it in your mind, pick one to focus on - Hear or See - it doesn’t matter which. If you notice the same experience more than once, it’s ok to repeat the label. Keep a steady pace with your labeling, not too fast or too slow. If you notice a lot of sensory activity, it’s ok to let some experiences go by without labeling them. Keeping a comfortable pace with your labels is more important than keeping track of every experience you detect.
Try to be open to your experience, whatever it is, pleasant or unpleasant, active or restful, inner or outer.
Doing this activity strengthens your skills. It can be for 5 minutes or 5 hours - all are good.
“By my actions or the code I write, I hope to create less suffering and play a supportive role for those doing the hard work to address some of our worldwide challenges.”
We hope that you have enjoyed this interview with Eric and that you have found his insights into mindfulness, automation and all things bug bounty hunting valuable. The positivity that Eric brings to every aspect of his life is valuable and inspiring for many, and we are glad we were able to highlight it in this interview.
Join Eric and many other bug bounty hunters that are using SecurityTrails to empower their toolstack. Gain access to the best data to improve your hunting with the Bug Bounty Hunter’s Toolkit!