Amid continued interference from Russia, some ethical hackers in Ukraine have been left bewildered as bug bounty platform HackerOne has allegedly withheld their payments. Losses due to the sudden stop are said to have reached hundreds of thousands of dollars. Some affected ethical hackers – also known as cybersecurity researchers – have taken the issue to social media. Some of them also wrote to the platform to find out why it stopped their payments amid the country’s humanitarian disaster.
Ethical hackers typically report flaws in various Internet-based solutions through bug bounty platforms, and are paid rewards ranging from tens or hundreds of dollars to millions of dollars. However, HackerOne is said to have suddenly stopped paying some Ukrainian hackers.
Earlier this month, HackerOne CEO Marten Mickos announced: “[A]s we work to comply with the new sanctions, we are canceling all programs for customers in the occupied territories of Russia, Belarus, and Ukraine.” On Monday, he clarified that the restrictions apply to the sanctioned regions – Russia and Belarus – without giving any clear details about Ukraine’s status.
“This is a very strange situation,” said Bob Diachenko, an independent security researcher who has been associated with the San Francisco, California-based platform for the past two or three years.
HackerOne stopped paying around $3,000 (roughly Rs 2,30,000) worth of bounties for the vulnerabilities he reported, the security researcher tweeted on Sunday.
In addition to stopping payments, HackerOne also removed its “cleared” status from all Ukrainian accounts. This status essentially allows ethical hackers to participate in private programs run by multiple companies to earn at least $2,000 (approximately Rs 1,53,100) for high severity vulnerabilities or $5,000 (approximately Rs 3,82,800) for critical exploits. Researchers must pass background checks to participate in the listed programs.
@hacker0x01 Just to make sure we’re on the same page
Ukraine is not sanctioned
This is the country that Russia invaded
Please stop making life more complicated for Ukrainians
— Metnёw (@vladimir_metnew) March 14, 2022
“HackerOne is a major source of income for me and many other researchers,” said independent security researcher Nick Mykhailyshyn. “Even stopping payments for a few weeks puts many people at risk.”
Mykhailyshyn wrote to HackerOne’s support team to find out if his payments were wrongly blocked and if the “cleared” status was accidentally removed. He shared a screenshot with TechnologyShout, and the team’s response said the company was “exploring options available to restore background check updates and get you back to clear, pending updates.”
The response also stated, “We recognize this is very frustrating to you, and we are working to address and ensure that we comply with U.S. economic sanctions and export controls.”
When the initial restrictions were announced earlier this month, HackerOne announced a donation of $25,000 (approximately Rs 19,14,300) to the United Nations Children’s Fund (UNICEF), with plans to match donations dollar for dollar up to $100,000 (approximately Rs 76,57,300) to support the war-affected Ukrainian people over the next three months.
On Monday, HackerOne CEO Mickos also said the company was conducting additional screening of hackers under sanctions rules.
“The wording of sanctions covers a wide range of financial and commercial areas. They were not written with ethical hacking in mind. They are also updated frequently. Interpreting sanctions is complex. We have internal and external experts working on it,” Mickos said, adding that he apologised for the delay and inconvenience caused to hackers on the platform.
However, the executive did not provide any clarity on whether the compensation earned by the Ukrainian researchers was intentionally disabled.
TechnologyShout has reached out to HackerOne for comment on this matter and will update this article when the company responds.
HackerOne is one of the most popular bug bounty platforms among ethical hackers worldwide. According to the company’s internal report, in 2020 alone it had more than 1 million registered hackers who had collected a total of $40 million (approximately Rs 306 crore).