Ukraine Ethical Hackers Bewildered as HackerOne Bug Bounty Platform Said to Halt Their Payouts

Amid the ongoing disruption from Russia, some ethical hackers in Ukraine are feeling lost as bug bounty platform HackerOne has allegedly withheld their payouts. The loss due to the sudden halt is said to have mounted to hundreds and thousands of dollars. A few of the affected ethical hackers — also known as cybersecurity researchers — have taken the issue to social media. Some of them have also written to the platform to get clarity on why exactly it has disabled their payments in the middle of the humanitarian catastrophe in the country.

Ethical hackers normally earn payouts ranging from tens and hundreds to over millions of dollars in the form of rewards through bug bounty platforms for reporting flaws in various Internet-based solutions. However, HackerOne is said to have suddenly stopped payouts for some Ukrainian hackers.

Earlier this month, HackerOne CEO Marten Mickos had announced, “[A]s we work to comply with the new sanctions, we'll withdraw all programmes for customers based in Russia, Belarus, and the occupied areas of Ukraine.” On Monday, he clarified that the restrictions were for sanctioned regions – Russia and Belarus, not mentioning any clear details about the status of Ukraine.

“That's a really weird situation,” said independent security researcher Bob Diachenko, who has been associated with the San Francisco, California-based platform for the last two–three years now.

The security researcher tweeted on Sunday that HackerOne stopped paying bounties worth around $3,000 (roughly Rs. 2,30,000) for the flaws he reported.

Alongside stopping payouts, HackerOne has removed its ‘Clear' status from all Ukraine accounts. The status essentially allows ethical hackers to participate in private programmes run by various companies to earn a minimum of $2,000 (roughly Rs. 1,53,100) for a high-severity vulnerability or $5,000 (roughly Rs. 3,82,800) for a critical one. It requires background-check for researchers to participate in the listed programmes.

“HackerOne was the primary source of income for me and many other researchers,” said independent security researcher Nick Mykhailyshyn. “Stopping payments even for a few weeks can put many people at risk.”

Mykhailyshyn wrote to the support team at HackerOne to understand whether his payouts were mistakenly blocked and the ‘Clear' status was accidentally removed. He shared a screenshot with Gadgets 360 where the team is seen responding by saying that the company was “exploring available options to reinstate a background check update and reinitiate you into Clear, pending updated results.”

The response also noted, “We recognise that this is extremely frustrating for you and we are working diligently to resolve and ensure that we adhere to the US economic sanctions and export controls.”

Another hacker, Vladimir Metnew, shared a screenshot of a HackerOne support email sent to him, which said all communications and transactions have been paused to those based in Ukraine, Russia, and Belarus.

At the time of announcing the initial restrictions earlier this month, HackerOne announced a donation of $25,000 (roughly Rs. 19,14,300) to United Nations Children's Fund (UNICEF) and planned to match donations dollar for dollar up to $100,000 (roughly Rs. 76,57,300) for the next three months to support people in the war-affected Ukraine.

On Monday, HackerOne CEO Mickos additionally said that the company was running hackers through additional screening based on sanction rules.

“Sanctions are worded to cover broad areas of finance and business. They were not written with ethical hacking in mind. They also are updated often. Interpreting sanctions is complicated. We have internal and external experts working on it,” Mickos said, adding that he apologised for the delay and the inconvenience caused to the hackers on the platform.

The executive, however, did not provide any clarity on whether the earned payouts of Ukrainian researchers were disabled intentionally.

Gadgets 360 has reached out to HackerOne for a comment on the matter and will update this article when the company responds.

HackerOne is one of the popular bug bounty platforms among ethical hackers around the world. It has over one million registered hackers on board that received a total of $40 million (roughly Rs. 306 crore) in 2020 alone, according to the company's internal report.