Ukrainian hackers and security researchers say bug bounty platform HackerOne is withholding their bug bounty rewards, in some cases thousands of dollars, and refusing to let hackers withdraw their earnings.

Several hackers and researchers with affected HackerOne accounts said in tweets that HackerOne is blocking payouts, citing economic sanctions and export controls following the Russian invasion of Ukraine in late February, but that the sanctions don't apply to them.

"If you are based in Ukraine, Russia, or Belarus all communications and transactions (including swag shipping) have been paused for the time being," according to an email from a HackerOne support representative to security researcher Vladimir Metnew, which he tweeted out. Metnew, who is Ukrainian but currently in the European Union, told TechCrunch that his account is frozen. "I think they blocked payments for everyone who registered from Ukraine," Metnew said.

Bug bounty company HackerOne acts as an intermediary between the hackers and security researchers who find and report security bugs and the companies that ask for help fixing their products and services. In 2020, HackerOne paid out more than $107 million in bug bounty rewards to researchers, many of whom rely on their earnings as a source of income.

Other hackers and researchers who are still in Ukraine are reporting similar circumstances, that their accounts are frozen or that they cannot withdraw funds. Bob Diachenko, a Ukrainian security researcher whose findings have been periodically reported on TechCrunch, said in a tweet that he had $3,000 in earnings since February currently withheld from his account.

The move to block payouts across Ukraine has been met with anger and confusion, and without any apparent official communication from the bug bounty company. It's not clear what sanctions or export controls HackerOne is referring to. The U.S., the European Union and several other allied nations have imposed stiff economic sanctions against Russia and Belarus, as well as an embargo on territory in the eastern Donbas region of Ukraine currently held by separatist groups and Crimea, which was annexed by Russia in 2014. But Ukraine is not subject to those sanctions.