HackerOne kicks Kaspersky’s bug bounty program off its platform

Bug bounty platform HackerOne disabled Kaspersky’s bug bounty program on Friday following sanctions imposed on Russia and Belarus after the invasion of Ukraine.

“We will continue to work with the appropriate entities on sanctions,” HackerOne explained in a FAQ regarding sanctions published last week.

“To that end, we have suspended programs for customers based in the countries of Russia, Belarus, and the sanctioned areas of Ukraine.”

The Russian cybersecurity firm said the sanctions wouldn’t justify the program’s suspension since none of them were imposed on Kaspersky.

The bug bounty platform also blocked Kaspersky’s access to the program and froze existing funds for already reported security vulnerabilities in the Russian antivirus provider’s products.

Kaspersky also added that its bug bounty program was disabled indefinitely following “unilateral action from HackerOne.”

“Kaspersky finds this unilateral action an unacceptable behavior, especially for the key player in the vulnerability coordination community where the trust between all parties is paramount to making products and services safer,” the cybersecurity company said.

“Our conversations with Kaspersky are ongoing, and we will continue to work with their team to address their concerns,” a HackerOne spokesperson told BleepingComputer.

Kaspersky now asks researchers who find vulnerabilities in its products to report them using its self-hosted bug bounty program.

HackerOne’s decision to kick the Kaspersky bug bounty program off its platform follows another blow the Russian company received since the start of the Russian war in Ukraine.

The German Federal Office for Information Security, BSI, warned companies last week against using Kaspersky antimalware products due to threats made by Russia against the EU, NATO, and Germany.

The BSI suggested Kaspersky could be forced into giving a helping hand to Russian intelligence in launching attacks against its customers or have its products misused for cyberespionage.

This warning came after Kaspersky founder and CEO Eugene Kaspersky said a “compromise” would be welcomed to the Russian hostilities in Ukraine, sparking outrage on Twitter.

Last week, HackerOne apologized to Ukrainian hackers after erroneously freezing their accounts and blocking their bug bounty payouts following sanctions imposed after the start of the Russian war.

Update: Added HackerOne statement.

Source: https://www.bleepingcomputer.com/news/security/hackerone-kicks-kaspersky-s-bug-bounty-program-off-its-platform/