HP launched what it is calling the industry's first printer bug bounty program and is offering payouts ranging from $500 to $10,000.
The program is private, and the invited researchers have been instructed to focus on firmware-level vulnerabilities, including remote code execution, cross-site request forgery (CSRF) and cross-site scripting (XSS) bugs, all of which should be reported to Bugcrowd, according to the firm's release.
Bugcrowd will then verify the vulnerabilities and reward researchers accordingly. The program currently covers HP LaserJet Enterprise printers and MFPs and will also offer good-faith payments for vulnerabilities that HP has already found and.
“HP's initiative is a nod to the fact that security threats go beyond computers to include any device connected to a network,” ESET researcher Tomáš Foltýn said about the bounty program. “Indeed, internet-connected printers can be a serious security liability. Attackers can not only steal sensitive data from them or coerce printers into revealing users' administrator passwords, but they can also use the devices as jumping-off points for further compromises of networks.”
Foltýn added that printers can also be compromised and recruited into botnets, as happened in the Mirai attacks.