The call to bypass bug bounty firms came from American researcher Katie Moussouris, the founder of Luta Security, and a well-known figure in the infosec industry.
In a thread on Twitter, Moussouris said: "Technically [there is] nothing stopping all hackers who participate in bug bounties from refusing to submit bugs via bounty platforms except the threat of being kicked off said platforms (that refuse to employ them all yet use hackers as their sole income source) just sayin'. Email the bugs."
While bounty platforms still hold an advantage of scale for payments, the scale is only safe to use if your org doesn’t care about getting in trouble for violating sanctions yourself down the line.— Katie?Moussouris (she/her) (@k8em0) March 26, 2022
Ignorance via a bounty platform abstraction isn’t a defense.
Consider self hosting
Around mid-March, an Ukrainian researcher posted a tweet saying his payments from HackerOne had not been arriving as usual.
Vladimir Metnew told the American website TechCrunch he had received an email from HackerOne saying: "If you are based in Ukraine, Russia, or Belarus all communications and transactions (including swag shipping) have been paused for the time being."
An Ukrainian, who is living elsewhere in Europe at the moment, Metnew said his HackerOne account had been frozen. A day after this, he posted that he had been allowed to take money out of his account.
In 2020 HackerOne, which acts as an intermediary between the researchers and companies, paid out more than US$107 million in bounties.
HackerOne posted a notice on its website on 16 March, claiming that delays had occurred with payment mechanisms. It has also removed the Russian security firm Kaspersky from its list of companies with which it does business.
"We sincerely sympathise with the frustration and uncertainty faced by hackers and customers affected by exports controls and sanctions in areas such as Russia, Belarus, and occupied areas of Ukraine," the note said.
"We also recognise delays have occurred with various payment mechanisms. We are making every effort to do the right thing for all involved while complying with US laws. We continue to prioritise identifying and resolving any issues encountered by Ukrainian hackers."
The post added: "We have not and will not block lawful payments to Ukraine. A small portion of Ukrainian hackers residing in occupied areas may be impacted by sanctions."
UPD: Seems like H1 finally allowed me (and I hope other Ukrainian hackers too) to take money out of H1. pic.twitter.com/4sDk8IOe7h— Metnёw (@vladimir_metnew) March 14, 2022
However payments to researchers in Russia and Belarus have been stopped. "We have paused payments to hackers in sanctioned regions. Any owed payments to hackers in Russia or Belarus are being held until the situation changes," it said.
Moussouris did not mince her words, saying; "These [bug bounty] platforms have been in production for a decade and are drowning in cash investments, so the whole 'we’re a poor little start-up doing our best, oops' should be as believable as Facebook saying they couldn’t stop disinfo in 2016. Untrue. It shows what leadership prioritises.
"So since some bug bounty platforms seem to be introducing more friction to vulnerability disclosure, can’t consistently manage global payments amid sanctions, and therefore are getting in the way of good security outcomes, hackers could just all decide to email their bugs directly."
Moussouris added that organisations that needed help with bug triage could hire contractors or full-time staff just like the major vendors of operating systems. "Payment will still be an issue, but that’s an easier problem to solve than if your bounty platform is causing so much friction that bugs aren’t getting to you," she added.
iTWire has contacted HackerOne for further comment.
Update, 29 March: Chris Evans, chief hacking officer and chief information security officer at HackerOne, said in a statement sent to iTWire: "On behalf of everyone at HackerOne, I am truly sorry for how our poor communication has caused confusion and undue stress for the Ukrainian hacker community.
"We have not, and will not, block lawful payments to Ukrainian hackers. We actively support Ukraine's fight for freedom. There have been delays in backend payment systems for some Ukrainian hackers.
"This situation was then understandably conflated with generally inaccurate communications to hackers. Our teams are working to minimise these delays. We are currently holding hacker reward payments to sanctioned regions, including Russia and Belarus.
"We are not automatically donating any bounty payments to UNICEF or any other charity. We donate hackers' rewards to charity only on their instruction. We apologise that we made an error in our original communication.
"We have changed our default Hack for Good charity to UNICEF and encourage donations of rewards (or a portion of a reward) as one way of helping relief efforts."