HP is now the first manufacturer in the printer industry to have launched a security bug bounty program for its printers on the Bugcrowd platform.
Endpoint Devices Becoming A Larger Target
According to a recent Bugcrowd report, attackers have started to focus more on targeting endpoint devices in the past year. Printer software vulnerabilities have also increased by 21% in the same period, which points to an increased risk of owning vulnerable printers, especially in the enterprise environment.
Historically, companies' Chief Information Security Officers (CISOs) haven't been involved in the purchasing of printers, because unpatched or vulnerable printers haven't been considered a major threat. However, as attackers start looking for any sort of vulnerable device that they could exploit to gain access to companies' internal networks, security chiefs are also starting to expect more secure printers.
HP’s Security Bug Bounty
HP seems to have heard these concerns loud and clear, and it is now launching the industry's first printer security bug bounty program on the Bugcrowd platform.
Shivaun Albright, HP's Chief Technologist of Print Security, said:
“As we navigate an increasingly complex world of cyber threats, it's paramount that industry leaders leverage every resource possible to deliver trusted, resilient security from the firmware up. HP is committed to engineering the most secure printers in the world.”
The bug bounty program will, at least for now, remain private. Presumably, HP wants to first test how the program goes and how well it can cooperate with security researchers before making the program public. HP may also want to avoid or delay the public disclosure of bugs as much as possible, knowing that, at least in the enterprise space, not everyone is willing or able to fix bugs as soon as they are discovered.
Researchers who participate in HP's bug bounty program will have to report bugs directly to Bugcrowd, for which they can be rewarded up to $10,000. HP said that it may reward researchers even if they report bugs of which the company was already aware.