Ukrainian hackers and security researchers say bug bounty platform HackerOne is withholding their bug bounty rewards, in some cases thousands of dollars, and refusing to let hackers withdraw their earnings.
Several hackers and researchers with affected HackerOne accounts said in tweets that HackerOne is blocking payouts, citing economic sanctions and export controls following the Russian invasion of Ukraine in late February, but that the sanctions don’t apply to them.
“If you are based in Ukraine, Russia, or Belarus all communications and transactions (including swag shipping) have been paused for the time being,” according to an email from a HackerOne support representative to security researcher Vladimir Metnew, which he tweeted out. Metnew, who is Ukrainian but currently in the European Union, told TechCrunch that his account is frozen. “I think they blocked payments for everyone who registered from Ukraine,” Metnew said.
Bug bounty company HackerOne acts as an intermediary between the hackers and security researchers who find and report security bugs and the companies that ask for help fixing their products and services. In 2020, HackerOne paid out more than $107 million in bug bounty rewards to researchers, many of whom rely on their earnings as a source of income.
Other hackers and researchers who are still in Ukraine are reporting similar circumstances, that their accounts are frozen or that they cannot withdraw funds. Bob Diachenko, a Ukrainian security researcher whose findings have been periodically reported on TechCrunch, said in a tweet that he had $3,000 in earnings since February currently withheld from his account.
The move to block payouts across Ukraine has been met with anger and confusion, and without any apparent official communication from the bug bounty company. It’s not clear what sanctions or export controls HackerOne is referring to. The U.S., the European Union and several other allied nations have imposed stiff economic sanctions against Russia and Belarus, as well as an embargo on territory in the eastern Donbas region of Ukraine currently held by separatist groups and Crimea, which was annexed by Russia in 2014. But Ukraine is not subject to those sanctions.
One affected Ukrainian hacker who goes by the handle kazan71p said in a tweet that they are “not from Crimea or Donbas … you just suspended all Ukrainian accounts, you just put the whole country under sanctions,” referring to HackerOne.
HackerOne has not said why it blocked payouts to Ukrainian hackers and researchers or cited the specific sanctions it believes apply. When reached before publication, a HackerOne spokesperson was unable to comment or answer our questions, including what sanctions it believes apply.
In a statement provided after publication, HackerOne chief technology officer Alex Rice told TechCrunch that bounty payouts are to resume shortly.
“We actively support Ukraine’s fight for freedom and have no intention of restricting bounty payments to Ukrainian hackers. I’m truly sorry for the stress caused here, and am committed to getting things back up and running as quickly as possible,” said Rice. “When the Biden administration announced financial sanctions against the two occupied regions of Ukraine, we immediately began work to ensure that no bounties were inappropriately issued to those sanctioned regions. This has created a delay in the processing of payments for some hackers in this region that the team is actively working to resolve. This delay pains me and I am personally committed to seeing all bounty processing resume within the week.”
The account freezes appeared to come into effect around the time that HackerOne chief executive Marten Mickos said in a since-deleted tweet thread that HackerOne would “re-route” earnings for hackers living in sanctioned countries — notably Russia and Belarus — to charity since sanctions prevent the company from transacting with those residents.
One hacker, who goes by the handle xnwup, said HackerOne is taking $25,000 in earnings “because I am a Belarusian citizen.” The hacker, who expressed their support for Ukraine but feared for their safety due to speaking out against the Belarusian regime, said their earnings were the “result of years of hard work.”
Mickos recanted his comments about re-routing funds in a new tweet thread, now offering to donate hackers’ rewards only with their permission.
Updated with comment from HackerOne.