Ukrainian hackers and security researchers say bug bounty platform HackerOne is withholding their bug bounty rewards, in some cases thousands of dollars, and refusing to let hackers withdraw their earnings.
Several hackers and researchers with affected HackerOne accounts said in tweets that HackerOne is blocking payouts, citing financial sanctions and export controls following the Russian invasion of Ukraine in late February, but that the sanctions don't apply to them.
“In case you are primarily based in Ukraine, Russia, or Belarus all communications and transactions (together with swag transport) have been paused in the meanwhile,” according to an email from a HackerOne support representative to security researcher Vladimir Metnew, which he tweeted out. Metnew, who is Ukrainian but currently in the European Union, told Avisionews that his account is frozen. “I believe they blocked funds for everybody who registered from Ukraine,” Metnew said.
Bug bounty company HackerOne acts as an intermediary between the hackers and security researchers who find and report security bugs and the companies that ask for help fixing their products and services. In 2020, HackerOne paid out more than $107 million in bug bounty rewards to researchers, many of whom rely on their earnings as a source of income.
Other hackers and researchers who are still in Ukraine are reporting similar circumstances: their accounts are frozen or they cannot withdraw funds. Bob Diachenko, a Ukrainian security researcher whose findings have been periodically reported on Avisionews, said in a tweet that he had $3,000 in earnings since February currently withheld from his account.
The move to block payouts across Ukraine has been met with anger and confusion, and without any apparent official communication from the bug bounty company. It's not clear what sanctions or export controls HackerOne is referring to. The U.S., the European Union and several other allied nations have imposed stiff financial sanctions against Russia and Belarus, as well as an embargo on territory in the eastern Donbas region of Ukraine currently held by separatist groups and on Crimea, which was annexed by Russia in 2014. But Ukraine is not subject to those sanctions.
One affected Ukrainian hacker who goes by the handle kazan71p said in a tweet that they're “not from Crimea or Donbas … you simply suspended all Ukrainian accounts, you simply put the entire nation under sanctions,” referring to HackerOne.
HackerOne has not said why it blocked payouts to Ukrainian hackers and researchers or cited the specific sanctions it believes apply. When reached several hours before publication, a HackerOne spokesperson was unable to immediately comment or answer our questions. Avisionews will update if and when we learn more.
The account freezes appeared to come into effect around the time that HackerOne chief executive Marten Mickos said in a since-deleted tweet thread that HackerOne would “re-route” earnings for hackers living in sanctioned countries, notably Russia and Belarus, to charity since sanctions prevent the company from transacting with those residents.
One hacker, who goes by the handle xnwup, said HackerOne is taking $25,000 in earnings “as a result of I’m a Belarusian citizen.” The hacker, who expressed their support for Ukraine but feared for their safety due to speaking out against the Belarusian regime, said their earnings were the “results of years of laborious work.”
Mickos recanted his comments about re-routing funds in a new tweet thread, now offering to donate hackers' rewards only with their permission.