Governance & Risk Management , Patch Management , Vulnerability Assessment & Penetration Testing (VA/PT)

Sanctions Halt Rewards for Bug Hunters in Belarus, Russia

Researcher in Belarus Says Bug Bounty Through HackerOne Is Sole Income
Sanctions Halt Rewards for Bug Hunters in Belarus, Russia
Sanctions imposed over Russia’s invasion of Ukraine (flag pictured) have led to bug bounty programs withholding payments to some countries.

Sanctions levied against Russia and Belarus for the invasion of Ukraine are affecting security researchers in those countries who are signed up with bug bounty programs.

See Also: OnDemand I Remediate the Most Exploitable Vulnerabilities First and Fast

Some of the sanctions are directed at banks and financial institutions, and Western companies can no longer legally send payments. It means researchers who are due payments, which are often sent by a bank wire transfer, may not get paid until those sanctions are lifted.

The U.S., Europe and other nations have imposed a comprehensive set of sanctions against Belarus and Russia in retaliation for the invasion of Ukraine. Some occupied areas of Ukraine are also under sanctions. Countries are also pursuing the assets of Russia's oligarchs, a cadre of globe-trotting billionaires, some of whom have close ties to Russian President Vladimir Putin.

But sanctions aren't a perfect tool, and their effects can reach people who don’t have decision-making roles or influence and may very well oppose Russia's invasion. The situation is already proving frustrating for researchers, including one in Belarus who says he is opposed to the war and that bug bounties are his only source of income.

The person describes himself as a male in his 20s. He goes by the Twitter handle @xnwup and is signed up with HackerOne, a popular bug bounty platform. On Sunday, he tweeted he was owed $25,179 by HackerOne. He also tweeted he was firmly opposed to the invasion of Ukraine, noting that publicly opposing the military action in Belarus could result in arrest.

Via Twitter, @xnwup tells Information Security Media Group that he specializes in web application security issues, misconfigurations and bugs within tools and infrastructure that's used by companies. He says the $25,179 in his HackerOne account comprised bug bounties for several bugs he found over time.

"I was receiving bounties and accumulating them on H1 [HackerOne] account balance, withdrawing in chunks when I needed the money, kind of treating the H1 account balance like a bank account, which in retrospect was not a sound financial decision," he says. "Last time I made a withdrawal in early February via bank transfer, but since that tweet they [HackerOne] haven't replied to any requests or emails."

Holding Payments

HackerOne says it is holding payments owed researchers in Belarus, Russia and occupied areas of Ukraine due to the sanctions, according to a statement from Chris Evans, chief hacking officer and CISO for HackerOne.

Earlier this month, HackerOne's CEO, Marten Mickos, plunged his company into controversy when he tweeted on March 3 that bug bounties for hackers in Russia and Belarus would be routed to the charity UNICEF. The tweet was an error, and Mickos later clarified that he meant HackerOne would make matching donations to the charity. The company says it can also donate bounties to UNICEF but only with the consent of researchers.

An erroneous tweet from Mickos suggested that bug bounties due to researchers in Belarus and Russia would be donated to UNICEF. He later deleted the tweet, clarifying that the payments would be held and that HackerOne would make matching donations.

Also, a Ukrainian researcher, @vladimir_metnew, says that HackerOne halted payments due to him, citing sanctions. That turned out to be in error. HackerOne has now apologized for inaccurate communications and says it is looking to clear the backlog of payments. On Wednesday it published a FAQ about how it is approaching the sanctions.

“On behalf of everyone at HackerOne, I am truly sorry for how our poor communication has caused confusion and undue stress for the Ukrainian hacker community," Evans says. "We have not, and will not, block lawful payments to Ukrainian hackers. We actively support Ukraine's fight for freedom."

BugCrowd, Intigriti Affected

Other bug bounty platforms say they've also had to revise their programs in light of the sanctions.

"The Ukraine/Russia conflict has impacted basically every company in our space, including us," says Casey Ellis, BugCrowd's founder, chairman and CTO. BugCrowd manages vulnerability disclosure programs and bug bounty programs for organizations, leveraging outside researchers to help find security issues.

Casey Ellis

The sanctions are affecting payment provider availability, Ellis says. But he adds that it also isn't the first time BugCrowd has had to adjust its approach due to changing world events.

"I feel bad for the researchers who were affected," Ellis says. "It's not always possible, but ideally, those caught in the proverbial crossfire should never be unclear about whether or not they can be paid."

Intigriti, a bug bounty and penetration testing platform incorporated in Belgium, says it has withdrawn all programs for its Russia-based clients and other regions affected by sanctions. It says it can't make either PayPal payments or payments to Russian bank accounts. Russian researchers, however, can still contribute to programs.

"At this point in time, we have elected not to terminate our general cooperation with Russian researchers, many of whom do not support their government's war," writes Travis Anderson of Intigriti in a blog post on Wednesday. "Keeping in line with Intigriti's vision and values, our desire is to maintain a platform that promotes equality and enables individuals to make a living to support their families."

Bug bounty payments owed to researchers will be held for a minimum period of two years or until the sanctions situation changes, Anderson writes.

@xnwup: 'I'll Be Fine'

@xnwup says his sole source of income came from HackerOne. Last year, he says he made around $50,000, with one security misconfiguration he spotted netting him $40,000.

For that one, "the company accidentally leaked AWS keys with lots of permissions on their GitHub repo," he says. He says usually payouts for that type of problem are around $1,000 to $3,000, but this company had its maximum payout set much higher than the others.

"Sometimes issues with the most impact are rather simple and you don't need much technical knowledge to find or exploit," @xnwup says.

Job opportunities in Belarus are dwindling, @xnwup says. Many companies in the country work with foreign clients, but those clients are cutting ties with Belarus due to the conflict. But @xnwup is keeping it all in perspective.

"I'll be fine," @xnwup says. "Some people have it far worse."

About the Author

Jeremy Kirk

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.