HP will give you $10,000 to hack your printer

Researchers can earn up to $10,000 for issues which allow attackers to target you through your printer.
Written by Charlie Osborne, Contributing Writer

HP hopes to entice researchers with a $10,000 reward for finding vulnerabilities in printers.

The tech giant revealed the new bug bounty program on Tuesday.

The scheme, which is launching as a private bug bounty, is tailored specifically for HP printer hardware. While many of us use home printers simply for printing the occasional document or photo, in the enterprise, these devices are often found in a network.

If there is a weak link in business networks, a single device -- whether it be a printer or smart air conditioning system -- can be exploited to compromise a wider network system.

CNET: Get an HP Envy x360 Core i7 convertible for $680

Printers, especially if they are overlooked when it comes to firmware updates or upgrades, can become such avenues to exploit.

According to research undertaken by Bugcrowd, "2018 State of Bug Bounty Report," endpoint devices are becoming a tantalizing target for threat actors, with a 21 percent increase in total endpoint bugs reported over the past 12 months.

In partnership with bug bounty platform Bugcrowd, HP says it is the "only vendor" to launch a printer-only vulnerability disclosure scheme.

Under the terms of the program, researchers can earn between $500 and $10,000 per legitimate find.

Speaking to ZDNet, an HP spokesperson said:

"We're challenging researchers to search for obscure defects that could be used against our customers.
We're providing researchers with remote access to a set of Enterprise Multifunction printers and invited researchers to focus on the potential for malicious actions at the firmware level including CSRF, RCE, and XSS."

If a security vulnerability has already been discovered internally by the company but once more reported by a researcher, HP says that it may issue a reward based on good faith.

TechRepublic: Long battery life, extra security make HP convertible PC good option for business travelers

"For years, the conversation about cybersecurity has focused on software and networking," said Shivaun Albright, HP's Chief Technologist of Print Security. "Today, bad actors are targeting endpoint devices. Protecting connected devices, like printers, at the edge of the network has become paramount."

The bug bounty program will run indefinitely. Eventually, HP plans to extend the bug bounty to its PC lineup.

A basic guide to diving in to the dark web

Previous and related coverage

Editorial standards