Bug bounty platform HackerOne has apologised after freezing payments to Ukrainian hackers and saying bounties claimed by hackers in sanctioned countries would be donated to charity – but hackers in Russia and Belarus still face frozen pay-outs. The decision comes after Ukrainian hackers took to social media to share emails from HackerOne stating payments to hackers “based in Ukraine, Russia or Belarus” had been “paused” – many emphasising with some frustration the obvious fact that Ukraine had not been sanctioned.
HackerOne CEO Mårten Mickos also faced a backlash when he said in a now-deleted tweet that bounties earned by hackers in sanctioned countries would instead be donated to charity. The firm has now clarified its stance and apologised for its communication – but is still holding pay-outs for Russian and Belarusian hackers. Other bug bounty platforms such as Intigriti and Bugcrowd have also frozen payments to hackers in those countries.
HackerOne apologises, blames sanctions
However, none of the firms have yet responded to questions on exactly which sanction provisions are preventing them from paying bug bounties to hackers. Mickos said in a tweet the sanctions are “complicated”.
Given hackers who report flaws to bug bounty programmes are arguably performing a public service – and could alternatively sell their discoveries to criminal gangs such as Russia-based Conti – critics of the decision say that it seems perverse to block payments to them and creates incentives for public disclosure or worse.
Other companies based in the US and Europe have continued to do business with Russia and Belarus, and one Belarusian hacker, who raised the issue of frozen payments, noted only a few banks in the country have been removed from the SWIFT international payment system; others are open for business.
In a statement emailed to The Stack, HackerOne CISO Chris Evans said: “On behalf of everyone at HackerOne, I am truly sorry for how our poor communication has caused confusion and undue stress for the Ukrainian hacker community. We have not, and will not, block lawful payments to Ukrainian hackers.
“We actively support Ukraine's fight for freedom.”
He confirmed there had been “delays” of payments to hackers in Ukraine but said the company was working to fix this. He also confirmed the company is holding on to payments for hackers in Russia and Belarus.
“We are not automatically donating any bounty payments to UNICEF or any other charity. We donate hackers’ rewards to charity only on their instruction. We apologize that we made an error in our original communication. We have changed our default Hack for Good charity to UNICEF and encourage donations of rewards (or a portion of a reward) as one way of helping relief efforts,” said Evans (emphasis his).
Belgium-based bug bounty platform Intigriti has also halted payments to hackers in Russia and Belarus, according to a statement on its website. But Intigriti says this is more a logistical issue than one of sanctions preventing them from making payments.
Stijn Jans, CEO of Belgium-based Intigriti, told The Stack in an emailed comment: “Our platform supports bounty payments through wire transfer and PayPal. Following Swift and PayPal suspending their operations in impact regions, we can no longer guarantee that payments we would make to impacted accounts will actually be received by the relevant researcher. Consequently, we have decided not to process any payouts for the time being to accounts which we expect could be impacted.
“Where we are able to issue payment, in a legally compliant manner, we will still strive to do so. However, our platform does not support non-traceable payout methods such as cryptocurrencies and because of the rapidly evolving situation, we are not proactively exploring any additional payment options for the time being.”
The firm's statement said hackers in Belarus and Russia could continue submitting bugs through its platform, but should expect any bounties to be held.
“If we are unable to pay a bounty payment to which a researcher would be entitled under a program, the bounty payment will be withdrawn from the program’s budget and reserved by Intigriti for a minimum of two calendar years or until the situation changes and the payment can be made,” said Intigriti in the statement.
“If you are a researcher and do not agree with this, we politely ask you to refrain from participating in programs on our platform temporarily. By continuing to participate in any of our programs, you are considered to accept the hereabove described approach.”
Another bug bounty platform, Bugcrowd, also told The Stack: “In Ukraine, Russia and Belarus, even where not subject to embargo, there may be disruptions in the near and long term regarding doing business in the region and/or sending payments from Bugcrowd to its security researchers. Bugcrowd is required to comply with all bank requirements and US embargoes (e.g. DPR, LPR and Crimea) and no business can be conducted there.
“That said, if we cannot pay security researchers in these areas their earned rewards, we can pause their payments on the Bugcrowd platform and hold on transferring out their funds until we’re able to transfer them at a later date.”