HP isn’t asking people to tear apart its printers to pieces, but the company is willing to pay people to break its software apart.
On Tuesday, HP announced its first bug bounty program that specifically targets its printers, offering as much as $10,000 to hackers who can find bugs on its machines.
Bug bounties are a common way for companies to find security flaws, with payouts as high as $100,000 for serious vulnerabilities. Hackers have been able to make a full-time job breaking software and reporting bugs before the vulnerabilities are used maliciously. Companies such as Google and have turned to bug bounties as a way to bolster their security.
HP quietly started its program in May with 34 researchers signing up. It has already paid $10,000 to a hacker who found a serious flaw with its printers, Shivaun Albright, the company’s chief technologist for printer security, said in an interview last week.
The company is focused on printer security because of the vulnerabilities of the internet of things devices, she said. While there’s a heavy focus on connected devices and their security flaws, it’s often on web cameras, smart televisions or lightbulbs, not printers, Albright said.
But printers might be the oldest and most common IoT device a person owns, the HP technologist noted.
“They’ve been around for a long time, even before the term ‘IoT’ was out there,” she said. “The issue is, why do customers not consider printers as IoT?”
It isn’t like printers are immune to attacks.
In 2016, the Mirai botnet — a massive network of hacked devices used to wreak havoc online — caused a major web outage that took down popular sites like Twitter, Netflix, and Reddit. The botnet used hacked IoT devices, like webcams and DVRs, but printers were also a part of that mix, Albright said.
HP’s bug bounty program will be run through Bugcrowd, a platform that facilitates payouts and invites. The program is currently private, with Bugcrowd handling which researchers are invited to join. Albright said HP is interested in making it public in the future but is keeping it closed for now to better manage incoming vulnerabilities.
The invited researchers have remote access to 15 printers, which are isolated in HP’s offices. From their computers at home, they can poke at and pry into these machines to find hidden vulnerabilities.
For a $10,000 payout, Albright said, the researcher would have to find serious flaws like remote code execution, which would allow an attacker to take complete control of the printer.
If they find and report any flaws, HP will pay them for the discovery and then set out to fix it upon its next update.
“We’re fixing these issues very quickly and turning them around so they’re not found in the wild,” Albright said.
You May Like This