HP Launches $10,000 Bug Bounty for Printers

It’s common practice for companies to offer security researchers and “white hat” hackers monetary compensation for finding bugs in their products. So-called “bug bounties” allow the company to patch its products before the flaw becomes a target of nefarious hackers. Google, Apple, and many other companies use such programs. Now, HP is opening a new bug bounty program that is the first of its kind — HP wants hackers to break into its printers.

This whole concept seems silly at first, but printer security has HP worried. As HP and other manufacturers introduce more networking capabilities and cloud functions, printers are presenting a larger attack surface. HP’s the largest supplier of enterprise-grade printers, and it doesn’t want to be installing security holes in offices around the world. That’s generally bad for business.

The program operates on the Bugcrowd crowdsourced security platform, but you can’t just join it uninvited. HP has selected 34 researchers to participate in the program for the time being, but it may open it up more widely later. HP instructed the security researchers to look for firmware-level vulnerabilities like remote code execution, cross-site request forgery (CSRF) and cross-site scripting (XSS) bugs. The bounty currently covers the HP LaserJet Enterprise printers and the HP PageWide Enterprise edition printers.

Some of the affected printers like the LaserJet Enterprise series start at a few hundred dollars and can reach several thousand.

Prizes range from $500 for a vulnerability with limited impact to $10,000 for a serious bug that could endanger a network. A single researcher or group can claim multiple bounties related to the same feature if they can show there are other ways to exploit it. HP will also pay up if someone reports a bug that HP already identified internally — it calls this a “good faith payment.”

The printer bug bounty will run indefinitely, and HP says it may expand the program to its PC products in the future. It’s starting with printers because it believes the threat has been underestimated as printers get ever more powerful. Many of these devices are like lightweight computers in their own right with programmable operating systems and memory for saved documents (as well as malware).
