$10,000 for hacking HP printers: First bug bounty program for printer security

HP invited 34 security researchers to participate in its bug bounty program for printers, offering up to $10,000 per bug.

HP announced a different kind of bug bounty – the “first of its kind” bug bounty program for printers.

Before you start hacking printers to find a serious vulnerability and make $10,000, you should know that the “industry’s first print security bug bounty program” is private. HP invited specific researchers to the program. Honestly, that’s a bit of an excitement deflator because instead of anyone with the skills being able to find and report printer bugs, only a little more than 30 researchers get a shot at it.

HP partnered with the crowdsourced security platform Bugcrowd and is offering between $500 and $10,000 per bug. Bugcrowd will verify the reported vulnerability and award a payout based on the severity of the flaw. Citing Bugcrowd’s 2018 State of Bug Bounty Report, HP noted that “the top emerging attackers are focused on endpoint devices, and the total print vulnerabilities across the industry have increased 21 percent during the past year.”

The 34 researchers invited to participate were told that the program included only endpoint devices; printer-related domains are a no-no. The researchers can take aim at HP Enterprise LaserJet printers and MFPs (multi-function printers), including A3 and A4.

HP, which claims to offer “the world’s most secure printing,” told the researchers to home in on firmware-level vulnerabilities. SecurityWeek reported that HP said “remote code execution, cross-site request forgery (CSRF) and cross-site scripting (XSS) bugs” are in the scope of the program. Even finding flaws previously discovered by HP could result in a “good faith payment.”

Shivaun Albright, HP’s chief technologist of print security, said in the press release, “As we navigate an increasingly complex world of cyber threats, it’s paramount that industry leaders leverage every resource possible to deliver trusted, resilient security from the firmware up. HP is committed to engineering the most secure printers in the world.”

At some point in the future, HP will reportedly expand the bug bounty program to its PCs. For now, HP’s printer bug bounty is meant to “deepen the perception that HP is serious about security.” Albright told CRN that HP already tests and develops printers “with security top of mind. But we want to go out there and see if there are any obscure defects that we missed. Any interface or exposure point where there’s an opportunity to input unexpected data is a potential area” for hackers to target.

Justine Bone, CEO of MedSec and a Security Advisory Board member for HP, added, “CISOs are rarely involved in printing purchase decisions yet play a critical role in the overall health and security of their organization. For decades, HP has made cybersecurity a priority rather than an afterthought by engineering business printers with powerful layers of protection. And in doing so, HP is helping to support the valuable role CISOs play in organizations of every size.”

Announcing the first-ever printer bug bounty program is not quite the same thing as launching it. According to CNet, HP quietly launched the bug bounty program in May. The program is being disclosed before the upcoming Black Hat USA 2018 conference, which takes place Aug. 4-9 in Las Vegas.
