HP has thrown down the gauntlet with a challenge to hackers: Try and poke holes in our printer software, and we’ll give you $10,000.
It’s the first bug bounty to emerge from the hardware maker, and it’s already bearing fruit. The company signed up 34 researchers to participate when it quietly launched the effort at the end of May and has already paid $10,000 to at least one hacker who found a security vulnerability related to the company’s printers.
That’s according to HP’s chief technologist for printer security Shivaun Albright. The company is calling this the first printer-focused bug bounty program in the industry, and it was launched in partnership with crowdsourced security platform Bugcrowd. The program is also eventually going to include HP desktops.
Per SecurityWeek, participating hackers have been told for now to give particular attention to firmware-level vulnerabilities, including remote code execution, cross-site request forgery and cross-site scripting bugs.
“As we navigate an increasingly complex world of cyber threats, it’s paramount that industry leaders leverage every resource possible to deliver trusted, resilient security from the firmware up,” Albright told the publication. “HP is committed to engineering the most secure printers in the world.”
Hackers chosen to participate in the program can remotely chip away at 15 printers in HP’s offices.
One reason the company is starting with printers is that there's a general understanding of the fragility of Internet of Things devices when it comes to security, encompassing things like web cameras and smart TVs, but that same focus doesn't always seem to extend to printers, even though the printer is one of the most common pieces of computing hardware and certainly one of the most ubiquitous Internet of Things devices out there.
Not only are printers too often overlooked; it's also worth remembering they were part of the mix of co-opted Internet of Things devices that the Mirai botnet attacked in 2016, temporarily knocking sites like Twitter and Reddit offline. Last year, a team of German researchers studied 20 printers from leading manufacturers like HP and Dell and found that every single one of them had at least one security flaw that could be exploited, such as holes that could provide an entry door into the rest of an organization's network.
The stakes certainly keep rising. According to Bugcrowd's 2018 State of Bug Bounty Report, the past year has seen a 21 percent spike in endpoint vulnerabilities reported, as well as a 36 percent increase in total bug bounty payouts.
Under the terms of HP’s bug bounty program, $10,000 is the maximum payout. It starts at $500 and goes up from there. “We’re challenging researchers to search for obscure defects that could be used against our customers,” an HP spokesman told ZDNet.