HP has unveiled a new "first of its kind" bug bounty program offering hackers up to $10,000 to find bugs and vulnerabilities in its printers. The tech giant is partnering with bug bounty platform Bugcrowd to launch the program that will focus on printer-related bugs that could be exploited by hackers to gain access into networks.
“As we navigate an increasingly complex world of cyber threats, it’s paramount that industry leaders leverage every resource possible to deliver trusted, resilient security from the firmware up,” Shivaun Albright, HP's Chief Technologist of Print Security, said in a statement. “HP is committed to engineering the most secure printers in the world.”
According to HP, security researchers participating in the program report their findings to Bugcrowd. Reported vulnerabilities that HP had already discovered will still be assessed, and a reward may be offered to the researcher as a "good faith payment." Bugcrowd will verify all submitted bugs and, based on the severity of the flaw, researchers could be awarded between $500 and $10,000 per bug.
The private program is currently invite-only, with HP engaging 34 researchers to focus on firmware-level vulnerabilities such as remote code execution, cross-site request forgery (CSRF) and cross-site scripting (XSS) bugs across all HP enterprise print devices. However, printer-related web domains are not included in the program's scope.
According to Bugcrowd's 2018 State of Bug Bounty Report, endpoint devices, including IoT devices, routers, security cameras and other connected devices, are increasingly targeted by threat actors as a gateway into systems. The firm saw over 37,000 bug submissions during the past year, 69% of which were valid, it said. Over the past year, the total number of print vulnerabilities across the industry has increased by 21%.
“CISOs are rarely involved in printing purchase decisions yet play a critical role in the overall health and security of their organization,” Justine Bone, CEO, MedSec and Security Advisory Board member for HP, said. “For decades, HP has made cybersecurity a priority rather than an afterthought by engineering business printers with powerful layers of protection. And in doing so, HP is helping to support the valuable role CISOs play in organizations of every size.”
HP is also reportedly planning to eventually expand the bug bounty program to its PCs. The program was quietly launched in May. News of the program comes just ahead of the Black Hat USA 2018 conference that takes place in Las Vegas August 4-9.
"We're challenging researchers to search for obscure defects that could be used against our customers," an HP spokesperson told ZDNet. "We're providing researchers with remote access to a set of Enterprise Multifunction printers and invited researchers to focus on the potential for malicious actions at the firmware level including CSRF, RCE, and XSS."