HP Offers Up to $10,000 Rewards for Printer Bugs

HP launched a bug bounty program for printers Tuesday, with a max payout of $10,000 a vulnerability.

The company, which has partnered with Bugcrowd to offer between $500 and $10,000 for bug discoveries, said that it marks the first-ever bug bounty program for printers.

“HP has offered a way for researchers to disclose bugs to our team for a long time now,” Shivaun Albright, HP’s chief technologist of print security said. “This is our first bug bounty program, and the world’s first Print specific bounty, to be managed by an external party.”

The company told Threatpost it’s looking for obscure defects that could be used against its customers. HP said it will specifically focusing on potential malicious actions at the firmware level, which includes CSRF, RCE, and XSS.

Bugcrowd and HP are assessing each disclosure and rewarding researchers based on the potential severity of the vulnerability (ranging from $500 to $10,000), HP said. Researchers will be invited to the program.

Eligible printers include HP’s enterprise-class line of HP PageWide, HP Color LaserJet and several model MFPs (both A3 and A4 formats).

“Adversaries have dramatically evolved, and attack sophistication is on the rise,” Albright told Threatpost. “We’re advising customers to consider cyber security challenge as matter of if rather than when a bad actor will be successful.”

According to the program guidelines, vulnerabilities found by researchers in the private program are required to be reported to Bugcrowd. Reporting a vulnerability previously discovered by HP will be assessed, and a reward may be offered to researchers as a good faith payment.

Meanwhile, Bugcrowd will verify bugs and reward researchers based on the severity of the flaw. A disclosure guide is offered to those invited to the program.

HP said that its bug bounty program will run indefinitely – but the company eventually plans to extend it to its PC lineup.

Vulnerabilities in printers are an increasing threat. According to a recent report by Bugcrowd, the top emerging attackers are focused on endpoint devices –  and the total print vulnerabilities across the industry have increased 21 percent during the past year.

That threat category has been reflected in HP printers as well, which over the years have proven to be significant liabilities in the enterprise. HP last year patched dozens of enterprise-class printer models for an arbitrary code execution vulnerability. Also last year, researchers found a half-dozen flaws in popular printer models – including those made by HP – allowing attackers to steal print jobs and conduct buffer overflow attacks.

“As we navigate an increasingly complex world of cyber threats, it’s paramount that industry leaders leverage every resource possible to deliver trusted, resilient security from the firmware up,” said Albright. “HP is committed to engineering the most secure printers in the world.”