After sanctions were imposed on Russia and Belarus after Ukraine’s invasion, the CISO of HackerOne, Chris Evans, apologized to Ukrainian hackers for blocking their bug bounty payouts.
Bug bounty platform, HackerOne is blocking the bug bounty rewards, in some cases thousands of dollars, and rejecting the Ukrainian hackers to withdraw their earnings.
Following the Russian invasion of Ukraine in late February, HackerOne has blocked payouts to several hackers and researchers with affected HackerOne accounts due to all the economic sanctions and export controls that are imposed; however, all these imposed sanctions are not applicable to them.
In this event, HackerOne notified all the bounty hunters from Ukraine, Russia, and Belarus that all their transactions had been paused.
Apart from this, one of the Belarusian hackers claimed from its Twitter handle “xnwup” that “HackerOne took $25k from me because I am a Belarusian citizen.”
Here’s what HackerOne stated:-
“Due to current economic sanctions and export controls, if you are based in Ukraine, Russia, or Belarus, all communications and transactions (including swag shipping) have been paused for the time being.”
The HackerOne bug bounty program paid out more than $107 million in 2020 alone to all eligible bounty hunters. However, here the most vital point, in this case, is the dependency of several security researchers on their earnings to support their families.
Roleplay of HackerOne CEO
Earlier this week, HackerOne CEO Mårten Mickos brought up the freeze of Ukrainian accounts on the bug bounty platforms, saying that all rewards for hackers from sanctioned areas would go to UNICEF.
However, later, he deleted his tweet and published a new tweet in which he claimed that he misspoke the above statement, as he intended to say:-
“We re-route hacker rewards to donations only on specific instruction by the hacker.”
But, the CISO of HackerOne, Chris Evans, has published an official apology statement:-
“On behalf of the HackerOne team, I’d like to apologize to the Ukrainian hacker community for the frustration and confusion that our poor communication has caused. We have not (and will not) block lawful payments to Ukraine.”
Moreover, after this incident, HackerOne’s CISO, Chris Evans, also asserted that they would publish a FAQ page within 24 hours to brief this incident in detail.