Platform apologizes for ‘poor communication’ over bug bounty payouts
HackerOne has denied it is blocking payments to Ukrainian bug bounty hunters after hackers in the country were denied access to money earned through the platform.
The bug bounty platform drew criticism this week when users based in Ukraine reported that they were blocked from retrieving funds held in their accounts.
Multiple bug bounty hunters posted online that their accounts were no longer accessible as speculation grew that they had been incorrectly affected by worldwide government sanctions placed on Russia and Belarus.
Read more of the latest security news from Ukraine
Vladimir Metnëw shared screenshots of emails from HackerOne which stated he had been revoked access due to “economic sanctions” in his region.
Metnëw, a Ukrainian national, was just one of a number of Ukrainian researchers who also said that their access to funds had been denied.
HackerOne claimed that the issue was due to “delays in backend payment systems” and said that access has been restored.
Metnëw wrote in an update that he had regained control, tweeting: “Seems like H1 [HackerOne] finally allowed me (and I hope other Ukrainian hackers too) to take money out of H1.”
‘Poor communication’
In a statement sent to The Daily Swig, Chris Evans, chief hacking officer and CISO at HackerOne, said that payments have not been blocked and blamed the confusion on “poor communication”.
Evans said: “On behalf of everyone at HackerOne, I am truly sorry for how our poor communication has caused confusion and undue stress for the Ukrainian hacker community.
“We have not, and will not, block lawful payments to Ukrainian hackers. We actively support Ukraine’s fight for freedom.
“There have been delays in backend payment systems for some Ukrainian hackers. This situation was then understandably conflated with generally inaccurate communications to hackers. Our teams are working to minimize these delays.”
Sanctions
The temporary suspension of access to funds held by Ukrainian hackers comes after bug bounty hunters in Russia and Belarus were blocked from using HackerOne due to financial sanctions placed on the countries following the invasion of Ukraine.
In a now-deleted tweet, HackerOne CEO Mårten Mickos claimed that money held in accounts belonging to Russian and Belarussian hackers will be automatically donated to charity.
HackerOne backtracked on this statement, telling The Daily Swig that it is holding all reward payments for users in sanctioned regions.
Evans explained: “We are not automatically donating any bounty payments to UNICEF or any other charity. We donate hackers’ rewards to charity only on their instruction. We apologize that we made an error in our original communication.”
DON’T MISS Concerns raised over bug disclosure program aimed at tackling Russia’s ‘propaganda machine’
Mickos tweeted: “I misspoke. We re-route hacker rewards to donations only on specific instruction by the hacker. Additionally, we make our own donations to UNICEF from company funds. My apologies for stating this incorrectly in the tweet (#11) above.”
Evans also said that the platform has changed its Hack for Good charity to UNICEF and “encourages donations of rewards (or a portion of a reward) as one way of helping relief efforts”.
In his original tweet thread, Mickos confirmed that HackerOne is closing all bug bounty reward schemes in sanctioned countries but said it aims to keep vulnerability disclosures open, “rules and sanctions permitting”.
Mickos added: “Our goal is to never say no to valid vulnerability reports. These disclosures make the digital world safer.”
YOU MAY ALSO LIKE EU countries offer cyber-defense assistance to Ukraine
