Researchers can earn up to $10,000 for identifying security flaws in printers made by HP in what is the first bug bounty program aimed specifically at printers, according to an announcement by the tech giant on Tuesday.
The payouts will depend on the severity of the flaw discovered, and HP may also make a “good faith payment” for reporting a vulnerability that the firm has identified before. Security Week said that the researchers have been told to hone in on firmware-level bugs.
HP’s initiative is a nod to the fact that security threats go beyond computers to include any device connected to a network. Indeed, internet-connected printers can be a serious security liability. Attackers can not only steal sensitive data from them or coerce printers into revealing users’ administrator passwords, but they can also use the devices as jumping-off points for further compromises of networks. Printers can also be corralled into botnets, as has happened with Mirai.
HP highlighted its commitment to ensuring the highest level of printer security in order to lessen the risk of such threats. “As we navigate an increasingly complex world of cyber threats, it’s paramount that industry leaders leverage every resource possible to deliver trusted, resilient security from the firmware up,” HP's Chief Technologist of Print Security Shivaun Albright was quoted as saying. “HP is committed to engineering the most secure printers in the world,” she added.
Dark Reading wrote that HP’s focus on printer security is also because – compared to flaws in other Internet-of-Things (IoT) devices – vulnerabilities in printers have generally been on the back burner. "There's a big focus on connected devices like Web cameras or smart TVs, which are highly relatable to everyone, but not printers necessarily," Albright was quoted as saying. "That said, printers may be the most common IoT device an individual uses."
Meanwhile, CNET quoted Albright as saying that the bug-hunting program had actually been quietly launched in May. Thirty-four researchers signed up back then, and one of them has already received $10,000 for finding a serious loophole in HP’s printers. The program is invite-only, so that it allows for easier management of incoming vulnerabilities. HP aims to make the program public in the future, however.
The initiative is backed up by security crowdsourcing company Bugcrowd, which will manage the vulnerability reporting and verification, as well as handle which researchers are invited to join. HP also quoted the firm’s recent report, which stated that the total print vulnerabilities across the industry have increased 21% during the past year.
The researchers who have been chosen to participate in the initiative have been provided with remote access to 15 printers, which are isolated in HP's offices. “From their computers at home, they can poke at and pry into these machines to find hidden vulnerabilities,” wrote CNET.