“As we navigate an increasingly complex world of cyber threats, it’s paramount that industry leaders leverage every resource possible to deliver trusted, resilient security from the firmware up,” said Shivaun Albright, HP Chief Technologist of Print Security on Tuesday. “HP is committed to engineering the most secure printers in the world.” HP will carry out the bug hunt in collaboration with crowdsourcing security platform, Bugcrowd, that manages bug bounties, vulnerability disclosures, and more. This program is based on invite-only basis so that it can better manage incoming vulnerabilities. “HP has offered a way for researchers to disclose bugs to our team for a long time now,” Albright said. “This is our first bug bounty program, and the world’s first Print specific bounty, to be managed by an external party.” According to the program guidelines, researchers are required to report the vulnerabilities found in the private program directly to Bugcrowd. HP will evaluate any vulnerability that was previously discovered by the company and may reward the researcher “as a good faith payment.” In the meantime, Bugcrowd will verify all submitted bugs and reward researchers depending on the severity of the flaw. Researchers can earn anywhere between $500 and $10,000 per legitimate find under the terms of the program. “For years, the conversation about cybersecurity has focused on software and networking,” said Albright. “Today, bad actors are targeting endpoint devices. Protecting connected devices, like printers, at the edge of the network has become paramount.” According to research undertaken by Bugcrowd, “2018 State of Bug Bounty Report,” vulnerabilities in printers are an increasing threat with attackers focused on endpoint devices. During the past year, the total endpoint bugs across the industry have increased 21 percent. HP said that the bug bounty program will run indefinitely. In due course, the company plans to extend the bug bounty to its PC lineup. HP started this bug bounty program in May this year, CNET reports. The company has already given $10,000 prize to one researcher who pointed out a critical vulnerability. Currently, the program has 34 researchers on board.
