Ukraine Ethical Hackers Bewildered as HackerOne Bug Bounty Platform Said to Halt Their Payouts

Amid the ongoing disruption from Russia, some ethical hackers in Ukraine are feeling lost as bug bounty platform HackerOne has allegedly withheld their payouts. The loss due to the sudden halt is said to have mounted to hundreds and thousands of dollars. A few of the affected ethical hackers — also known as cybersecurity researchers — have taken the issue to social media. Some of them have also written to the platform to get clarity on why exactly it has disabled their payments in the middle of the humanitarian catastrophe in the country.

Ethical hackers normally earn payouts ranging from tens and hundreds to over millions of dollars in the form of rewards through bug bounty platforms for reporting flaws in various Internet-based solutions. However, HackerOne is said to have suddenly stopped payouts for some Ukrainian hackers.

Earlier this month, HackerOne CEO Marten Mickos had announced, "[A]s we work to comply with the new sanctions, we'll withdraw all programmes for customers based in Russia, Belarus, and the occupied areas of Ukraine." On Monday, he clarified that the restrictions were for sanctioned regions - Russia and Belarus, not mentioning any clear details about the status of Ukraine.

“That's a really weird situation,” said independent security researcher Bob Diachenko, who has been associated with the San Francisco, California-based platform for the last two–three years now.

The security researcher tweeted on Sunday that HackerOne stopped paying bounties worth around $3,000 (roughly Rs. 2,30,000) for the flaws he reported.

Alongside stopping payouts, HackerOne has removed its ‘Clear' status from all Ukraine accounts. The status essentially allows ethical hackers to participate in private programmes run by various companies to earn a minimum of $2,000 (roughly Rs. 1,53,100) for a high-severity vulnerability or $5,000 (roughly Rs. 3,82,800) for a critical one. It requires background-check for researchers to participate in the listed programmes.

“HackerOne was the primary source of income for me and many other researchers,” said independent security researcher Nick Mykhailyshyn. “Stopping payments even for a few weeks can put many people at risk.”

Mykhailyshyn wrote to the support team at HackerOne to understand whether his payouts were mistakenly blocked and the ‘Clear' status was accidentally removed. He shared a screenshot with Gadgets 360 where the team is seen responding by saying that the company was “exploring available options to reinstate a background check update and reinitiate you into Clear, pending updated results.”

The response also noted, “We recognise that this is extremely frustrating for you and we are working diligently to resolve and ensure that we adhere to the US economic sanctions and export controls.”

Another hacker, Vladimir Metnew, shared a screenshot of a HackerOne support email sent to him, which said all communications and transactions have been paused to those based in Ukraine, Russia, and Belarus.

At the time of announcing the initial restrictions earlier this month, HackerOne announced a donation of $25,000 (roughly Rs. 19,14,300) to United Nations Children's Fund (UNICEF) and planned to match donations dollar for dollar up to $100,000 (roughly Rs. 76,57,300) for the next three months to support people in the war-affected Ukraine.

On Monday, HackerOne CEO Mickos additionally said that the company was running hackers through additional screening based on sanction rules.

“Sanctions are worded to cover broad areas of finance and business. They were not written with ethical hacking in mind. They also are updated often. Interpreting sanctions is complicated. We have internal and external experts working on it,” Mickos said, adding that he apologised for the delay and the inconvenience caused to the hackers on the platform.

The executive, however, did not provide any clarity on whether the earned payouts of Ukrainian researchers were disabled intentionally.

Gadgets 360 reached out to HackerOne for a comment on the matter, and its Chief Hacking Officer and CISO Chris Evans acknowledged delays in payments for some Ukrainian hackers.

"On behalf of everyone at HackerOne, I am truly sorry for how our poor communication has caused confusion and undue stress for the Ukrainian hacker community," Evans said in a prepared statement. "We have not, and will not, block lawful payments to Ukrainian hackers. We actively support Ukraine's fight for freedom. There have been delays in backend payment systems for some Ukrainian hackers. This situation was then understandably conflated with generally inaccurate communications to hackers. Our teams are working to minimise these delays."

The CISO also reiterated that HackerOne was not automatically donating any bounty payments to UNICEF or any other charity. "We donate hackers' rewards to charity only on their instruction," he said.

However, Evans' statement shared by HackerOne doesn't give any clarity on the sudden removal of the 'Clear' status for Ukrainian researchers.

On how it is addressing the revoking of the ‘Clear' status for Ukrainian researchers, HackerOne redirected Gadgets 360 to an FAQ page that says the Chief Hacking Officer is reaching out to resolve the issue and expedite the background screening for the status.

“Our 15 Ukrainian hackers with Cleared status received a poorly worded communication about additional background screening,” the FAQ page noted.

HackerOne is one of the popular bug bounty platforms among ethical hackers around the world. It has over one million registered hackers on board that received a total of $40 million (roughly Rs. 306 crore) in 2020 alone, according to the company's internal report.