Printers are often the weakest link in an organization, with printer vulnerabilities being exploited in various malicious campaigns to compromise entire networks.
One such vulnerability was disclosed in 2017, and enabled hackers to carry out remote code execution attacks on enterprise-grade printers.
The flaw in question was identified as CVE-2017-2750 and was reported to HP in August last year. Affected printers included HP Color LaserJet Enterprise M651, HP Color LaserJet Enterprise M652, HP Color LaserJet Managed E65060, HP LaserJet Enterprise 800 color MFP M880, among others.
It is indeed HP (Hewlett-Packard) that is behind a new initiative to stimulate researchers to locate vulnerabilities in printers. HP just announced it will be inviting white hat hackers to test its printers for bugs that hackers could exploit for malicious purposes. The one-of-a-king bug bounty program is launched in partnership with bug bounty platform Bugcrowd.
How Will the HP Printer Bug Bounty Work?
The company is offering a bounty in the size of $10,000 in what appears to be a private bug bounty, which is created specifically for HP printer hardware. The decision to launch such a program is a smart move since enterprise printers are usually in a network, making it very easy for hackers to take down entire organizations.
According to a 2018 report by Bugcrowd, endpoint devices are increasingly targeted by malicious actors, with a 21 percent increase in total endpoint bugs reported in the last year. Thus, HP has decided to launch a printer-only vulnerability disclosure program encouraging researchers to discover and report bugs. Depending on the scale of the vulnerability, bug bounties will vary between $500 and $10,000.
It should be noted that the bounty program will be managed by Bugcrowd. The program is going to be private, meaning that researchers who already have cooperated with Bugcrowd will be invited to join. Nonetheless, the program may be available for the public in some time.
What will HP do? The company will set up enterprise-class printers that researchers will have remote access to. The researchers will probe the printers for vulnerabilities that HP isn’t aware of. However, this doesn’t mean that vulnerabilities unearthed via physical access are not allowed. There is already one case where HP shipped at least one device to a researcher who requested it. Still, HP is primarily focused on finding out about remote attacks.