HackerOne Sanctions FAQ

HackerOne is actively monitoring the evolving events surrounding the Russian invasion of Ukraine to ensure the best possible outcomes for the hacker community, our employees, and the customers we serve.

We sincerely sympathize with the frustration and uncertainty faced by hackers and customers affected by export controls and sanctions in areas such as Russia, Belarus, and occupied areas of Ukraine. We also recognize delays have occurred with various payment mechanisms. We are making every effort to do the right thing for all involved while complying with U.S. laws. We continue to prioritize identifying and resolving any issues encountered by Ukrainian hackers.

We understand that there are many questions, and we appreciate your patience while we ensure we can provide accurate answers. If the FAQ does not answer your question, please email sanctions@hackerone.com.

 

 

 

Are Ukrainian hackers receiving bounty payments?

We have not and will not block lawful payments to Ukraine. A small portion of Ukrainian hackers residing in occupied areas may be impacted by sanctions. We acknowledge that due to enhanced screening requirements, we have seen disruptions and delays in some of our payment channels, causing delays in bounty payments. We are working with our partners to resolve it. We are also reaching out to the affected hackers.

Given the ever-changing nature of sanctions, we are updating the information as quickly as possible. Hackers in the affected areas, or impacted by sanctions, may not be able to receive rewards. Therefore, some rewards may be held subject to regulatory and legal requirements. We can assure those hackers that where payments are not possible, all affected funds will be held in separate accounts and will remain there until the law permits us to do otherwise. 

Have Ukrainian hackers been suspended from HackerOne?

No. Our 15 Ukrainian hackers with Cleared status received a poorly worded communication about additional background screening. We acknowledge and apologize for this communication, and HackerOne’s Chief Hacking Officer is reaching out to resolve the issue and expedite the background screens.

HackerOne Clear is a highly vetted and background-checked subset of our hacker community, intended to be engaged in our most sensitive customer programs.

Are Russian and Belarusian hackers receiving bounty payments?

We have paused payments to hackers in sanctioned regions. Any owed payments to hackers in Russia or Belarus are being held until the situation changes. It is an unfortunate fact that war impacts populations indiscriminately without regard to whether the individual supports or is against their government’s action. As a U.S. company, how we operate is subject to many laws and regulations including the well-publicized rules about economic sanctions and export controls. 

We understand and sympathize with the difficult situation this creates for our hackers in these regions.

Have Russian and Belarusian hackers been suspended from HackerOne?

No, although we continue to evaluate all interactions with hackers in the affected regions. We still facilitate vulnerability disclosures from hackers based in sanctioned regions. 

What about the communication about hacker rewards in affected areas getting sent to UNICEF?

We are not automatically donating any bounty payments to UNICEF or any other charity. We can, through our normal process, donate hackers’ rewards to charity, but only on their express instruction. We apologize that we made an error in our original communication.

We have changed our default Hack for Good charity to UNICEF and encourage donations of rewards (or portions of rewards) as one way of helping relief efforts. 

How will sanctions affect customers in Russia, Belarus, or other sanctioned regions?

We will continue to work with the appropriate entities on sanctions. To that end, we have suspended programs for customers based in the countries of Russia, Belarus, and the sanctioned areas of Ukraine. However, HackerOne will NOT block access to any vulnerability disclosures submitted prior to suspension of services.

Even though you are not making payments to sanctioned areas, will you accept vulnerability disclosures?

Although affected by sanctions, we hope to keep operations as normal as possible. While we will discontinue business in sanctioned regions, we aim to keep vulnerability disclosures open - rules and sanctions permitting.

I’m a HackerOne customer whose program is suspended. Where can I reach someone to answer additional questions?

If you have additional questions, please reach out to sanctions@hackerone.com, where someone from our team can provide guidance and information about your specific program.

How is HackerOne supporting those affected by the crisis in Ukraine?

HackerOne has donated $25,000 to UNICEF to date, and on top of that, we’ll match donations dollar for dollar up to $100,000 for the next three months (until June 2, 2022).

Additionally, we encourage members of the HackerOne community to donate their bounties via Hack for Good (at their request) or a portion of their bounties to UNICEF, which provides Ukrainian children and families access to basic services including water and sanitation, health care, and emergency cash assistance. 

Furthermore, HackerOne customers can also choose to offer matching donations in their bug bounty programs. 

  • How can hackers donate their bounty?
  • What charities can they donate to?
    • The Hack For Good initiative supports UNICEF. If you would like to donate to another charity, you can receive your bounty payout and donate it personally.
  • How long will this donation program be running?
    • Three months from March 2, 2022