Security Market Segment LS
Sunday, 27 March 2022 07:24

Researchers urged to avoid bug bounty firms after HackerOne hiccup Featured

Katie Moussouris: "Ignorance via a bounty platform abstraction isn’t a defence." Katie Moussouris: "Ignorance via a bounty platform abstraction isn’t a defence." Courtesy YouTube

Security researchers have been urged to send reports of any bugs they find directly to the companies affected after the bug bounty firm HackerOne cut off payments to Ukrainian researchers for a while after their country was invaded by Russia.

The call to bypass bug bounty firms came from American researcher Katie Moussouris, the founder of Luta Security, and a well-known figure in the infosec industry.

In a thread on Twitter, Moussouris said: "Technically [there is] nothing stopping all hackers who participate in bug bounties from refusing to submit bugs via bounty platforms except the threat of being kicked off said platforms (that refuse to employ them all yet use hackers as their sole income source) just sayin'. Email the bugs."

Around mid-March, an Ukrainian researcher posted a tweet saying his payments from HackerOne had not been arriving as usual.

Vladimir Metnew told the American website TechCrunch he had received an email from HackerOne saying: "If you are based in Ukraine, Russia, or Belarus all communications and transactions (including swag shipping) have been paused for the time being."

An Ukrainian, who is living elsewhere in Europe at the moment, Metnew said his HackerOne account had been frozen. A day after this, he posted that he had been allowed to take money out of his account.

In 2020 HackerOne, which acts as an intermediary between the researchers and companies, paid out more than US$107 million in bounties.

HackerOne posted a notice on its website on 16 March, claiming that delays had occurred with payment mechanisms. It has also removed the Russian security firm Kaspersky from its list of companies with which it does business.

"We sincerely sympathise with the frustration and uncertainty faced by hackers and customers affected by exports controls and sanctions in areas such as Russia, Belarus, and occupied areas of Ukraine," the note said.

"We also recognise delays have occurred with various payment mechanisms. We are making every effort to do the right thing for all involved while complying with US laws. We continue to prioritise identifying and resolving any issues encountered by Ukrainian hackers."

The post added: "We have not and will not block lawful payments to Ukraine. A small portion of Ukrainian hackers residing in occupied areas may be impacted by sanctions."

However payments to researchers in Russia and Belarus have been stopped. "We have paused payments to hackers in sanctioned regions. Any owed payments to hackers in Russia or Belarus are being held until the situation changes," it said.

Moussouris did not mince her words, saying; "These [bug bounty] platforms have been in production for a decade and are drowning in cash investments, so the whole 'we’re a poor little start-up doing our best, oops' should be as believable as Facebook saying they couldn’t stop disinfo in 2016. Untrue. It shows what leadership prioritises.

"So since some bug bounty platforms seem to be introducing more friction to vulnerability disclosure, can’t consistently manage global payments amid sanctions, and therefore are getting in the way of good security outcomes, hackers could just all decide to email their bugs directly."

Moussouris added that organisations that needed help with bug triage could hire contractors or full-time staff just like the major vendors of operating systems. "Payment will still be an issue, but that’s an easier problem to solve than if your bounty platform is causing so much friction that bugs aren’t getting to you," she added.

iTWire has contacted HackerOne for further comment.

Update, 29 March: Chris Evans, chief hacking officer and chief information security officer at HackerOne, said in a statement sent to iTWire: "On behalf of everyone at HackerOne, I am truly sorry for how our poor communication has caused confusion and undue stress for the Ukrainian hacker community.

"We have not, and will not, block lawful payments to Ukrainian hackers. We actively support Ukraine's fight for freedom. There have been delays in backend payment systems for some Ukrainian hackers.

"This situation was then understandably conflated with generally inaccurate communications to hackers. Our teams are working to minimise these delays. We are currently holding hacker reward payments to sanctioned regions, including Russia and Belarus.

"We are not automatically donating any bounty payments to UNICEF or any other charity. We donate hackers' rewards to charity only on their instruction. We apologise that we made an error in our original communication.

"We have changed our default Hack for Good charity to UNICEF and encourage donations of rewards (or a portion of a reward) as one way of helping relief efforts."


Read 1916 times

Please join our community here and become a VIP.

Subscribe to ITWIRE UPDATE Newsletter here
JOIN our iTWireTV our YouTube Community here


The past year has seen a meteoric rise in ransomware incidents worldwide.

Over the past 12 months, SonicWall Capture Labs threat researchers have diligently tracked the meteoric rise in cyberattacks, as well as trends and activity across all threat vectors, including:

Encrypted threats
IoT malware
Zero-day attacks and more

These exclusive findings are now available via the 2022 SonicWall Cyber Threat Report, which ensures SMBs, government agencies, enterprises and other organizations have the actionable threat intelligence needed to combat the rising tide of cybercrime.

Click the button below to get the report.



It's all about Webinars.

Marketing budgets are now focused on Webinars combined with Lead Generation.

If you wish to promote a Webinar we recommend at least a 3 to 4 week campaign prior to your event.

The iTWire campaign will include extensive adverts on our News Site and prominent Newsletter promotion and Promotional News & Editorial. Plus a video interview of the key speaker on iTWire TV which will be used in Promotional Posts on the iTWire Home Page.

Now we are coming out of Lockdown iTWire will be focussed to assisting with your webinars and campaigns and assistance via part payments and extended terms, a Webinar Business Booster Pack and other supportive programs. We can also create your adverts and written content plus coordinate your video interview.

We look forward to discussing your campaign goals with you. Please click the button below.


Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.

Share News tips for the iTWire Journalists? Your tip will be anonymous




Guest Opinion

Guest Interviews

Guest Reviews

Guest Research

Guest Research & Case Studies

Channel News