HP has recently expanded its bug bounty program to cover flaws in its printers, with a particular focus on security vulnerabilities in office-class print cartridges. The program is private, so it is not open to everyone.
The program underscores HP’s commitment to defense-in-depth across all aspects of printing, including the supply chain, the cartridge chip, cartridge packaging, firmware, and printer hardware.
The security researchers invited by HP have been asked to focus on firmware-level vulnerabilities, including remote code execution, cross-site request forgery (CSRF), and cross-site scripting (XSS) bugs.
The highlights of the program are:
- The new bug bounty program aims to identify potential vulnerabilities in office-class print cartridges.
- Ethical hackers are tasked with finding vulnerabilities in the interfaces between printers and HP Original Ink and Toner cartridges.
- HP will award up to $10,000 per vulnerability found.
- The program underscores HP’s continued commitment to engineering the world’s most reliable and secure printing systems.
HP Expands Bug Bounty Program
The bug bounty program currently covers HP LaserJet Enterprise printers and MFPs (A3 and A4) and HP PageWide Enterprise printers and MFPs (A3 and A4).
For this expansion, HP has partnered with Bugcrowd to administer a three-month program in which four contracted white hat hackers have been engaged to identify vulnerabilities in HP Original print cartridges.
Researchers who succeed will be paid $10,000 per vulnerability on top of their base fee. HP has run bug bounty programs for years to complement and extend the company’s own penetration testing.
White hat hacking is widely used across the technology industry, and HP is using its bug bounty program to harden its printers. HP has also described the attack vector it is concerned about.
Reprogrammable microcontrollers on printer cartridges could be reflashed with firmware containing malicious code. Such cartridges could then be injected into the counterfeit-cartridge supply chain and delivered to an unsuspecting target.
In a report, HP stated that it is currently engaged with 34 security researchers, and that the program covers only endpoint devices: printer-related web domains are out of scope, and the focus is on print firmware.
Security attacks are increasing rapidly, and any connected device can present an avenue of attack for hackers; all it takes is dedication, sustained research, and investment.
That is why HP is committed to continuing its focused and rigorous testing, both internally and with third-party experts, to better protect its customers and partners.