Ukrainian hackers and security researchers say the bug-bounty platform HackerOne is withholding their bug-finding bounties, in some cases running into the thousands of dollars, and preventing hackers from withdrawing their earnings.
Several hackers and researchers with affected HackerOne accounts have tweeted that HackerOne is withholding payments, citing economic sanctions and export controls following Russia’s invasion of Ukraine in late February, but sanctions do not apply to them.
“If you are located in Ukraine, Russia or Belarus, all communications and transactions (including the transfer of swag) will be temporarily suspended,” says an email from a HackerOne support representative to security researcher Vladimir Metnew, which he tweeted. Metnew, who is Ukrainian but currently living in the EU, informed gaming-updates that his account has been frozen. “I think they have blocked payments to everyone who is registered from Ukraine,” Metnew said.
Bug-finding company HackerOne acts as an intermediary between hackers and security researchers who find and report security bugs and companies who seek help fixing their products and services. In 2020, HackerOne paid out more than $107 million in bug bounties to researchers, many of whom rely on their earnings as a source of income.
Other hackers and researchers in Ukraine are still reporting similar circumstances, with their accounts frozen or unable to withdraw funds. Bob Dyachenko, a Ukrainian security researcher whose findings are published regularly on gaming-updates, said on Twitter that he had held $3,000 in his account since February.
The attempt to block payments across Ukraine was met with anger and confusion, and without any clear official communication from the bug tracking company. It’s unclear what restrictions or export controls HackerOne is referring to. The United States, the European Union and a number of other allies have imposed tough economic sanctions on Russia and Belarus, as well as Ukraine’s eastern Donbas, now occupied by separatist groups, and Crimea, which was annexed by Russia in 2014. But Ukraine does not fall under these sanctions.
One affected Ukrainian hacker who goes by the handle Kazan71p said in a tweet that they were “not from Crimea or Donbass… you just blocked all Ukrainian accounts, you cleared the whole country,” referring to HackerOne.
HackerOne did not explain why it withheld payments to Ukrainian hackers and researchers, nor did it mention specific sanctions it believed were in place. In the hours before publication, a HackerOne representative was unable to immediately comment or answer our questions. gaming-updates will update as we learn more.
The account ban went into effect around the time HackerOne CEO Marten Mikos said in a deleted tweet thread that HackerOne would “redirect” the earnings of hackers living in countries that are subject to sanctions, specifically Russia and Belarus. companies from transactions with these residents.
A hacker who goes by the handle xnwup said HackerOne was making $25,000 in revenue “because I’m a citizen of Belarus.” The hacker, who expressed their support for Ukraine but feared for their safety for opposing the Belarusian regime, said their earnings were the result of years of hard work.
Mikos withdrew his comments about the diversion of funds in a new tweet thread, now offering to donate hackers’ prizes only with their permission.