Update: On August 1, HP disclosed two vulnerabilities in certain HP Inkjet printers: CVE-2018-5924 and CVE-2018-5925. To see if your machine was impacted, and to get the patch, click here.
On Tuesday, HP announced a bug bounty program that will give hackers and researchers up to $10,000 if they can find security flaws in the company’s printers.
The move is the industry’s first print security bug bounty program, according to a press release. HP will work with Bugcrowd to manage vulnerability reporting.
“As we navigate an increasingly complex world of cyber threats, it’s paramount that industry leaders leverage every resource possible to deliver trusted, resilient security from the firmware up,” Shivaun Albright, HP’s chief technologist of print security, said in the release. “HP is committed to engineering the most secure printers in the world.”
Any vulnerabilities discovered in the program must be reported to Bugcrowd, which will verify the bugs found and offer a reward of up to $10,000 based on the severity of the flaw, the release noted. If a vulnerability is reported that HP had already discovered, the company may still offer a reward.
HP started the program back in May, with 34 researchers taking part, our sister site CNET reported. The company has already paid $10,000 to a hacker who found a serious flaw in one of the printers, Albright told CNET.
The company decided to focus on printer security due to the vulnerabilities found in Internet of Things (IoT) devices, Albright told CNET. In many cases, printers are the most common IoT device a person owns, though talk of security flaws tends to focus on things like smart TVs or lightbulbs rather than printers, she added.
Printers are not immune to attacks, CNET noted. For example, the 2016 Mirai botnet, a large network of hacked devices that caused a major web outage, included printers, Albright said.
Endpoint devices like connected printers are a major attack vector, with total print vulnerabilities across the industry increasing 21% during the past year, according to a Bugcrowd report cited in the release.
Printers face a number of vulnerabilities, according to a 2017 report from Ruhr-Universität Bochum in Germany. Many attacks use PostScript malware to manipulate documents being printed, or to capture the content of documents that are printed.
The big takeaways for tech leaders:
- HP is offering hackers and researchers up to $10,000 to find flaws in its printers in a bug bounty program.
- Printers are often ignored in IoT security discussions, but may be a common attack vector.