But don’t get too excited just yet: the first-of-its-kind bug bounty program for printers is invite-only for now.
Researchers can earn up to $10,000 for identifying security flaws in printers made by HP in what is the first bug bounty program aimed specifically at printers, according to an announcement by the tech giant on Tuesday.

The payouts will depend on the severity of the flaw discovered, and HP may also make a “good faith payment” for a report of a vulnerability that the firm has already identified. SecurityWeek said that the researchers have been told to home in on firmware-level bugs.
HP’s initiative is a nod to the fact that security threats go beyond computers to include any device connected to a network. Indeed, internet-connected printers can be a serious security liability. Attackers can not only steal sensitive data from them or coerce printers into revealing users’ administrator passwords, but they can also use the devices as jumping-off points for further compromises of networks. Printers can also be corralled into botnets, as has happened with Mirai.
HP highlighted its commitment to ensuring the highest level of printer security in order to lessen the risk of such threats. “As we navigate an increasingly complex world of cyber threats, it’s paramount that industry leaders leverage every resource possible to deliver trusted, resilient security from the firmware up,” HP’s Chief Technologist of Print Security Shivaun Albright was quoted as saying. “HP is committed to engineering the most secure printers in the world,” she added.
Dark Reading wrote that HP’s focus on printer security is also because, compared to flaws in other Internet-of-Things (IoT) devices, vulnerabilities in printers have generally been on the back burner. “There’s a big focus on connected devices like Web cameras or smart TVs, which are highly relatable to everyone, but not printers necessarily,” Albright was quoted as saying. “That said, printers may be the most common IoT device an individual uses.”
Meanwhile, CNET quoted Albright as saying that the bug-hunting program had actually been quietly launched in May. Thirty-four researchers signed up back then, and one of them has already received $10,000 for finding a serious loophole in HP’s printers. The program is invite-only to allow easier management of incoming vulnerability reports. HP aims to make the program public in the future, however.
The initiative is backed by security crowdsourcing company Bugcrowd, which will manage the vulnerability reporting and verification, as well as decide which researchers are invited to join. HP also quoted the firm’s recent report, which stated that the total number of print vulnerabilities across the industry has increased 21% during the past year.
The researchers who have been chosen to participate in the initiative have been provided with remote access to 15 printers, which are isolated in HP’s offices. “From their computers at home, they can poke at and pry into these machines to find hidden vulnerabilities,” wrote CNET.