HP Inc. is disclosing what it's calling the first bug bounty program for the print industry to date, bringing crowdsourced testing to the frequently overlooked area of printer security.
Palo Alto, Calif.-based HP has the largest worldwide market share for printer units sold, according to research firm IDC, and has touted its print security capabilities as a key differentiator from competitors in recent years.
HP is working with bug bounty platform Bugcrowd for its program, and is offering awards of between $500 and $10,000 per flaw, with the amount dependent on the severity of the vulnerability.
The bug bounty program should "deepen the perception that HP is serious about security," said Shivaun Albright, chief technologist of print security at HP, in an interview with CRN. "From a channel partner perspective, one of the things we've found is that security sells. Every purchase decision is a security decision."
HP's print bug bounty program is private and available by invite only. The program is focused on tapping researchers in Bugcrowd's community who can bring skills around embedded device security, and covers all HP enterprise print devices including A3 and A4 printers, according to Albright.
HP's print bug bounty program has been running since May, and researchers have uncovered several bugs since it began, Albright said. The program is being disclosed now just ahead of the Black Hat USA 2018 conference, which takes place Aug. 4-9 in Las Vegas.
HP is "already doing testing, and we are developing [printers] with security top of mind. But we want to go out there and see if there are any obscure defects that we missed," Albright said. "Any interface or exposure point where there's an opportunity to input unexpected data is a potential area [for hackers to target]."
Andrew Howard, CTO at Phoenix-based solution provider Kudelski Security, said that HP's print bug bounty program is good news for the industry. Printers are appealing to hackers due to their broad network access and the tendency for printers to be left unsecured, he said.
"The printer of today is not the printer of 10 years ago," Howard said in an interview with CRN. "These are full-fledged computers. They're a valid attack vector. And printers are often overlooked, especially by less-mature organizations."
The fact that HP is running a bug bounty program for its printer line also bodes well for the current security standing of its products, he said.
"Typically, when you see bug bounty programs [from a vendor], that means they have a lot of confidence in their product," Howard said.
"I'm happy to see that HP views security as a differentiator for their product. I wish more companies would take that approach," he added.
HP includes security technologies in its commercial printers such as Sure Start, which provides self-healing for the device's BIOS from issues such as malware and corruption. Sure Start also offers runtime intrusion detection to pinpoint changes to BIOS code in runtime memory.
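As an added illustration (not HP's code, and not a description of how Sure Start is actually implemented), the following C program models the two behaviours the paragraph names: runtime intrusion detection, which compares a protected code region against a recorded digest and pinpoints the first altered byte, and self-healing, which restores the region from a protected golden copy when the check fails. The BIOS region, the golden copy and the injected corruption are all constructed in-memory stand-ins, and FNV-1a stands in for the cryptographic digest or signature verification a real firmware-protection feature would use.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define BIOS_REGION_SIZE 64

/* Constructed stand-in for the BIOS code region as loaded in runtime memory. */
static uint8_t bios_runtime[BIOS_REGION_SIZE];
/* Constructed stand-in for a protected "golden" copy held in isolated storage. */
static uint8_t bios_golden[BIOS_REGION_SIZE];
/* Digest of the golden copy, recorded at provisioning time. */
static uint64_t golden_digest;

/* FNV-1a 64-bit: a placeholder for the cryptographic digest/signature check
   a real implementation would use; it is not collision-resistant. */
static uint64_t fnv1a64(const uint8_t *data, size_t len) {
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < len; i++) {
        h ^= data[i];
        h *= 1099511628211ULL;
    }
    return h;
}

/* Provisioning: load a constructed firmware image into both copies and record its digest. */
void provision_bios(void) {
    for (size_t i = 0; i < BIOS_REGION_SIZE; i++) {
        bios_golden[i] = (uint8_t)(0x90 + (i % 7)); /* constructed opcode-like bytes */
    }
    memcpy(bios_runtime, bios_golden, BIOS_REGION_SIZE);
    golden_digest = fnv1a64(bios_golden, BIOS_REGION_SIZE);
}

/* Runtime intrusion detection: returns 1 if the live region no longer matches
   the recorded digest, 0 if it is intact. */
int bios_tampered(void) {
    return fnv1a64(bios_runtime, BIOS_REGION_SIZE) != golden_digest;
}

/* Pinpoint the change: offset of the first byte that differs from the golden
   copy, or -1 if the region is identical. */
int first_modified_offset(void) {
    for (size_t i = 0; i < BIOS_REGION_SIZE; i++) {
        if (bios_runtime[i] != bios_golden[i]) {
            return (int)i;
        }
    }
    return -1;
}

/* Self-healing: if the digest check fails, restore the runtime region from the
   golden copy. Returns the number of bytes that differed before the restore
   (0 when no restore was needed). */
size_t self_heal_bios(void) {
    if (!bios_tampered()) {
        return 0;
    }
    size_t differing = 0;
    for (size_t i = 0; i < BIOS_REGION_SIZE; i++) {
        if (bios_runtime[i] != bios_golden[i]) {
            differing++;
        }
    }
    memcpy(bios_runtime, bios_golden, BIOS_REGION_SIZE);
    return differing;
}

/* Constructed fault injection for the demonstration: flips `count` bytes of the
   runtime copy, standing in for a corrupted flash write or an unauthorised patch. */
void simulate_corruption(size_t offset, size_t count) {
    for (size_t i = 0; i < count && offset + i < BIOS_REGION_SIZE; i++) {
        bios_runtime[offset + i] ^= 0xFF;
    }
}

int main(void) {
    provision_bios();
    printf("after provisioning, tampered: %d\n", bios_tampered());
    simulate_corruption(10, 3);
    printf("after corruption, tampered: %d, first modified offset: %d\n",
           bios_tampered(), first_modified_offset());
    size_t restored = self_heal_bios();
    printf("self-heal restored %zu bytes, tampered now: %d\n",
           restored, bios_tampered());
    return 0;
}
```

The digest comparison is what a periodic runtime check would run; the byte-by-byte diff is only needed once a mismatch is found, to report where the code changed and to size the repair. In a real device the golden copy and its digest would live where the running firmware cannot write them, otherwise the same corruption that altered the live region could alter the reference too.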
Meanwhile, last September, HP announced the addition of several notable security researchers to the HP Security Advisory Board, which provides input to HP's leadership and security teams.