HP to launch first printer bug bounty

News by Robert Abel

HP launched what it is calling the industry's first printer bug bounty program and is offering payouts ranging from US$ 500 (£431) to US$ 10,000 (£8,611).

The programme is private, and those who have been invited to participate have been instructed to focus on firmware-level vulnerabilities, including remote code execution, cross-site request forgery (CSRF) and cross-site scripting (XSS) bugs, all of which should be reported to Bugcrowd, according to the firm's release.

Bugcrowd will then verify the vulnerabilities and reward researchers accordingly. The programme currently covers HP LaserJet Enterprise printers and MFPs and will also offer good-faith payments for vulnerabilities that HP has already found.

"HP's initiative is a nod to the fact that security threats go beyond computers to include any device connected to a network," ESET researcher Tomáš Foltýn said about the bounty program. "Indeed, internet-connected printers can be a serious security liability. Attackers can not only steal sensitive data from them or coerce printers into revealing users' administrator passwords, but they can also use the devices as jumping-off points for further compromises of networks."

Foltýn added that printers can also be exploited to become part of botnets, as in the Mirai attacks.
