HP Becomes the First Printer Maker to Launch a Bug Bounty

Image credit: HP

HP is now the first manufacturer in the printer industry to launch a security bug bounty for its printers, run on the Bugcrowd platform.

Endpoint Devices Becoming A Larger Target

According to a recent Bugcrowd report, attackers have focused more on endpoint devices in the past year. Printer software vulnerabilities increased by 21% in the same period, which raises the risk of owning vulnerable printers, especially in enterprise environments.

Historically, companies' Chief Information Security Officers (CISOs) haven't been involved in purchasing printers, because unpatched or vulnerable printers weren't considered a major threat. However, as attackers look for any vulnerable device they can exploit to gain a foothold on a company's internal network, security chiefs are starting to expect more secure printers.

HP’s Security Bug Bounty

HP seems to have heard these concerns loud and clear, and it’s now launching the industry-first security bug bounty program on the Bugcrowd platform.

Shivaun Albright, HP's Chief Technologist of Print Security, said:

“As we navigate an increasingly complex world of cyber threats, it's paramount that industry leaders leverage every resource possible to deliver trusted, resilient security from the firmware up. HP is committed to engineering the most secure printers in the world.”

The bug bounty program will, at least for now, remain private. Presumably, HP wants to first see how the program goes and how well it can work with security researchers before opening it to the public. HP may also want to avoid or delay public disclosure of bugs as much as possible, knowing that, at least in the enterprise space, not everyone is willing or able to apply fixes as soon as they become available.

Researchers who participate in HP's bug bounty program report bugs directly to Bugcrowd and can be rewarded up to $10,000. HP said it may reward researchers even for bugs the company was already aware of.

3 comments
Comment from the forums
  • climber
    You know, announcements like this could be seen as a way to drive sales, as large corporations or governments are dictated to by Chief Information Officers or Chief Security Officers that need everything to be "puckered up" tight as far as security goes. How about making this less connected in the first place? All these IoT devices and smart connected printers that you can connect USB devices to or print wirelessly from the web with, etc., are wonderful but make things far more vulnerable. OCIOs and OCSOs have a way of creating new policy directives which require large-scale replacement of technology in organizations, and depending on who wins the procurement process, some tech company sees a large windfall. To me, that is exactly what they wanted to achieve by making these announcements, let alone devices with all this vulnerable connectivity.
  • Non-Euclidean
    Bug Report: 3rd party toner cartridges don't work with my HP printer. Please fix.
  • milkod2001
    Found a bug in HP printers. All brand new printers come with 20% ink instead of full, so you will have to buy new ink at a price bigger than the printer itself. Where do I report it?