HP, the Palo Alto, California tech giant, announced Tuesday it will be inviting white hat hackers to probe its printers for bugs that attackers could exploit for malicious purposes.
Shivaun Albright, HP’s chief technologist of print security, described the program as complementary to existing security features built into HP printers.
“We have some features in our devices to detect when attacks occur,” Albright told CyberScoop. “But if you look at it, recognizing that a device can’t protect against all current and future attacks, what we wanted to do was go beyond what’s happening in the industry.”
The HP printer bug bounty program will be managed by Bugcrowd, a prominent bug bounty platform. HP’s program will be private, meaning researchers who already have some experience with Bugcrowd will be invited to join. Albright said the program will be a pilot that could lead HP to open it up to the public.
In practice, HP will set up enterprise-class printers that hackers will have remote access to. The researchers will probe the printers for vulnerabilities that HP isn’t aware of. Albright said that doesn’t mean vulnerabilities discovered via physical access are off-limits (HP shipped at least one device to a researcher who requested it, she said), but the company is mostly interested in finding out about remote attacks.
Bounties will range from $500 to $10,000 based on the severity of the bug, HP said. Albright said HP is looking to leverage the bug bounty program to seek out vulnerabilities that could open up HP printers to various types of threats, including becoming part of a botnet.
Albright cited the October 2016 distributed denial-of-service attack on domain name system provider Dyn, which disrupted access to major websites globally. The attack was made possible by infecting vulnerable internet-of-things devices, including printers, with the Mirai malware to create a botnet.
The incident highlighted how much of a target endpoints such as printers can be. In December 2016, HP started shipping its printers with ports that were more restricted by default to protect them from remote exploitation.
HP says that this would be the first bug bounty program dedicated to printers. Being an endpoint that sits on the edge of a network, printers may as well be the prototypical IoT device. Such products, like smart light bulbs and fridges, are not often built with a focus on security, Albright said, which can make them susceptible to such attacks.
“Security may not be top of mind when they develop these things. Time to market is pretty critical, but it also could be the customers are asking about that or demanding that when they go to buy some of these products as well,” she said. “It’s kind of market driven to some degree.”
Companies in other sectors are still largely warming up to the idea that bug bounty programs are reputable, but Albright said executives at HP were receptive to the idea of launching one. HP already has a way for researchers to disclose flaws they find in devices made by the company. But Albright said that researchers don’t always give HP the standard 60- or 90-day period to respond to an issue before publicly disclosing it.
“This was a way to try to help control this to a large degree so that we have the time to fix these before they become public so we can get those patches out to our customers,” Albright said.