HackerOne Apologizes to Ukrainian Hackers for Mistakenly Blocking Payouts
Today, Chris Evans, the CISO of bug bounty platform HackerOne, apologized to Ukrainian hackers after the company erroneously blocked their bug bounty payouts following sanctions imposed on Russia and Belarus after the invasion of Ukraine.
The bounty hunters were informed of this in emails notifying them that all transactions to HackerOne accounts from Ukraine, Russia, or Belarus have been paused.
“Due to current economic sanctions and export controls, if you are based in Ukraine, Russia, or Belarus all communications and transactions (including swag shipping) have been paused for the time being,” an email received by Ukrainian hackers from HackerOne read.
The decision to freeze accounts for Ukrainians on the bug bounty platform was also shared by HackerOne CEO Mårten Mickos via a now-deleted tweet saying that the company would re-route all rewards to UNICEF for all hackers from sanctioned areas.
Mickos later said he misspoke, adding that the bug bounty platform instead re-routes “hacker rewards to donations only on specific instruction by the hacker.”
However, following the unanimous outcry against the decision to freeze Ukrainian accounts, HackerOne backpedaled (or fixed their mistake) and restored the hackers’ accounts, allowing them to withdraw their earnings again.
Today, HackerOne’s CISO Chris Evans apologized for HackerOne’s misguided decision, pinning it on poor communication and the blocked payouts on backend issues.
“On behalf of the HackerOne team, I’d like to apologize to the Ukrainian hacker community for the frustration and confusion that our poor communication has caused. We have not (and will not) block lawful payments to Ukraine,” Evans said.
“There have been some wobbles in backend payment systems. Our teams are working hard to minimize delays across all hacker payments. If you are in Ukraine and have any payment issues, I will personally support you. DMs open.”
Evans also added that HackerOne will publish a frequently asked questions (FAQ) page within 24 hours to share more information about what happened.
“Thank you to the hacker community for bringing these issues to light. We will fix our incorrect documentation, and I am reaching out to hackers individually. We always aim to be as transparent as possible, and will release a FAQ within 24 hours.”