HP Inc. announced it has expanded its Bug Bounty programme to focus specifically on office-class print cartridge security vulnerabilities.
As part of this programme, HP has engaged with Bugcrowd, a crowdsourced cybersecurity company, to conduct a three-month programme in which four professional ethical hackers have been challenged to identify vulnerabilities in the interfaces associated with the HP original print cartridges. If any of the hackers are successful, HP will award up to $10,000 (€8,538) per vulnerability.
“Bad actors aiming to exploit printers with sophisticated malware pose an ever-present and growing threat to businesses and individuals alike,” said Shivaun Albright, HP Chief Technologist for Print Security. “Security features need to go beyond the hardware and include the cartridge for an end-to-end secure system that protects your network and information. HP is committed to staying ahead by expanding our Bug Bounty Programme and hiring some of the brightest cybersecurity experts across the globe to help us uncover potential risks so they can be fixed before any harm is done.”
Over the past few years, there’s been a rise in attacks of embedded system technologies, which are often shared across connected devices and include PC firmware/BIOS as well as printer firmware. Quocirca’s Print Security 2019 report revealed that 59% of businesses reported a print-related data loss in the past year. COVID-19 has only added new complexities, as many employees increased their remote printing practices, triggering even more potential vulnerabilities for their employers.
“Cyber breaches have increased in volume, complexity and impact, extending to embedded systems,” said Ashish Gupta, CEO of Bugcrowd. “This bug bounty programme gives HP the ability to stay ahead of attacks with access to researchers that are experts in printing technology. We have worked with HP for several years and are excited to serve as a force multiplier in their security strategy.”
HP had engaged in Bug Bounty programmes over the years to complement and extend the company’s own rigorous penetration testing. While ethical hacking is a widespread practice throughout the technology industry, HP has been a pioneer in expanding this programme to printers, an oftentimes overlooked attack vector. For example, in 2018, HP launched the industry’s first print security Bug Bounty Programme.
“HP has been a leader in print security for many years now, establishing new industry cybersecurity standards and garnering praise from third-party security testing labs for having some of the most secure printers,” said Mark Vena, senior analyst, Moor Insights & Strategies. “Leadership in this area, particularly focused on secure hardware features and a firmware-based approach with imaging devices, could not come at a better time.”
