Hacker Spotlight: Interview with todayisnew
Eric Head, otherwise known as @todayisnew on HackerOne, considers himself an AppHero. He defends your data by finding critical vulnerabilities before criminals can exploit them, hacking for good on platforms like HackerOne. He’s ranked number 1 on the all-time HackerOne leaderboard with a reputation of 71,078 as a result of over 3,572 vulnerabilities found. Globaleaks claims “Dude knows his stuff.” Another testament to his skills is the fact he has received 137 Thanks from companies such as Adobe, Verizon Media and PayPal.
In addition to being an amazing hacker, Eric’s positive attitude is infectious, and he channels this outlook and drive to advocate for mental health awareness. If you’ve ever interacted with him, you may remember him for his infamous sign off — “may you be well on your side of the screen,” his way to check in on those around him, and a reminder that we are stronger when we stand together.
Read on to discover what fuels this talented hacker to do his best and make the world a better, safer place.
How did you come up with your HackerOne username?
Years ago, bug bounties did not exist and I made a poor choice with my skills. It ended with a Legal Situation with Yahoo in 2004, and needed to make a new email account. The username came from me trying to focus on the positive in a difficult spot — that each day is new. “Todayisnew” became my email and a daily reminder through that difficulty and the other challenges of life since then.
How did you discover hacking?
I've always liked to see how things work. I think the first experience was a Renegade BBS system that you could do a path traversal bug ../../data.dat to access the system user file.
What motivates you to hack and why do you hack for good through bug bounties?
We are all in this together. A more secure Internet means protecting the sense of safety and trust for everyone on the planet.
What makes a program an exciting target?
A program that I use the services of myself is always exciting… Programs with a larger scope and of course those that reward well also help pump up the excitement.
What keeps you engaged in a program and what makes you disengage?
Interactions mean a lot — kind words, empathy and fair outcomes keep me engaged. As close as the Internet is, there is still a distance between us which allows for misunderstandings. The more words we can share, the more connected we are, which lessens the chance of misunderstanding and disengagement.
How many programs do you focus on at once? Why?
I try to focus on as many as I can. My research methods are 99% automated so the more programs I engage in, the more bugs I find.
How do you prioritize which vulnerability types to go after based on the program?
Time is the limiting factor for me to send in bugs. So for programs that reward more kindly, I tend to send them the higher impact bugs first.
How do you keep up-to-date on the latest vulnerability trends?
Twitter is a great resource for me. I also use the HackerOne Disclosed reports feed and the help of kind friends sharing their research, and working together to find new vulnerabilities.
What do you wish every company knew before starting a bug bounty program?
Please think of Hackers and Companies as being on the same side. Working together is what ensures the best outcome for all of us.
How do you see the bug bounty space evolving over the next 5-10 years?
It will be all about growth. From my own stats, there has been about 70% growth each year over the last four years. I also envision there would be more openness and trust in Hackers to share more data and help secure resources.
How do you see the future of collaboration on hacking platforms evolving?
I think there will always be some Hackers that want to work on their own. I was one for many years. Building trust overtime while collaborating with other Hackers, however, has been an amazing experience for me. Everyone brings unique skills, creativity, and resources into the process so the more we work together, the happier and more secure we all will be.
Do you have a mentor or someone in the community who has inspired you?
I can say the entire community has inspired me. From the first bug I sent into the HackerOne program, my first N/A, out of scope, and bounty on HackerOne there has been nothing but support and kindness. I’ve also been inspired by the live hacking events and all the good hackers I’ve met there in person.
What educational hacking resources do you wish existed that doesn't exist today?
I wish there were resources for dealing with burnout. I owe the success of my bug hunting and happiness in life to mindfulness meditation practice. I hope in the future, there would be more support allocated for addressing mental health on the platform. Maybe on the next N/A (there will always be another), there could be resources like "Web Hacking 101" and “Metal Health & Wellness 101”.
What advice would you give to the next generation of hackers?
It's hard work. If you're up for the task, it can be very rewarding. It is worth it because you’ll learn new skills, make great friends and connections, while also being financially rewarded for your time.
Do you have any message for the community?
I often sign off my interactions with ""May you be well on your side of the screen"" and I truly do feel that way. I strive to show compassion and love in my responses to people because each one of us is struggling with something. Having empathy makes all the difference when the other person is suffering. When people act out, oftentimes that’s a manifestation of their pain, so I love them from a place of compassion, while also not letting myself be abused. It’s important to always check in on the person who’s standing on the other side of the screen, especially during challenging times like these. At the end of the day, we’re all in this together.
The 8th Annual Hacker-Powered Security Report