HP is disclosing what it's calling the first bug bounty program for the print industry to date, bringing crowdsourced testing to the frequently overlooked area of printer security.
The PC and print hardware vendor has the largest worldwide market share for printer units sold, according to research firm IDC, and has touted its print security capabilities as a key differentiator from competitors in recent years.
HP is working with bug bounty platform Bugcrowd for its program, and is offering awards of between US$500 and US$10,000 per flaw, with the amount dependent on the severity of the vulnerability.
The bug bounty program should "deepen the perception that HP is serious about security," said Shivaun Albright, chief technologist of print security at HP, in an interview with CRN USA.
"From a channel partner perspective, one of the things we've found is that security sells. Every purchase decision is a security decision."
HP's print bug bounty program is private and available by invite only. The program is focused on tapping researchers in Bugcrowd's community who can bring skills around embedded device security, and covers all HP enterprise print devices including A3 and A4 printers, according to Albright.
HP's print bug bounty program has been running since May, and researchers have uncovered several bugs since it began, Albright said. The program is being disclosed now just ahead of the Black Hat USA 2018 conference, which takes place from 4-9 August in Las Vegas.
HP is "already doing testing, and we are developing [printers] with security top of mind. But we want to go out there and see if there are any obscure defects that we missed," Albright said. "Any interface or exposure point where there's an opportunity to input unexpected data is a potential area [for hackers to target]."
HP includes security technologies in its commercial printers such as Sure Start, which provides self-healing for the device's BIOS against issues such as malware and corruption. Sure Start also offers runtime intrusion detection that pinpoints changes to the BIOS code while it is resident in memory.
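The two capabilities described above, detecting that firmware code in memory no longer matches a trusted reference and restoring it from a protected copy, can be illustrated with a small conceptual model. The following is an added example written for this article; it is not HP's Sure Start implementation and makes no claim about how that product works internally. Every name here (`FirmwareStore`, `REGION`, the 512-byte stand-in image, the constructed tamper offsets) is an assumption of the example. It measures the active image in fixed-size regions against a golden copy so that a modification can be localised to a region, and restores only the regions that differ; a size mismatch is treated as whole-image corruption.

```python
import hashlib
import logging
from dataclasses import dataclass

# Bytes per measured region. Constructed for this illustration; a real
# firmware integrity scheme would use much larger blocks or per-module hashes.
REGION = 64


@dataclass
class FirmwareStore:
    """Hypothetical model of a self-healing design: the active code the
    device executes from, plus a reference copy assumed to live in
    write-protected storage that runtime code cannot alter."""
    active: bytearray
    golden: bytes


def region_digests(image: bytes) -> list:
    """SHA-256 digest of every REGION-sized slice of an image."""
    return [hashlib.sha256(image[i:i + REGION]).digest()
            for i in range(0, len(image), REGION)]


def detect_tampered_regions(store: FirmwareStore) -> list:
    """Return the byte offsets of regions whose active code differs from
    the golden copy. This is the 'pinpoint the change' step."""
    if len(store.active) != len(store.golden):
        # A truncated or grown image cannot be trusted anywhere.
        return list(range(0, len(store.golden), REGION))
    active = region_digests(bytes(store.active))
    golden = region_digests(store.golden)
    return [i * REGION for i, (a, g) in enumerate(zip(active, golden)) if a != g]


def self_heal(store: FirmwareStore) -> list:
    """Restore any tampered region from the golden copy and log each
    restoration; returns the offsets that were repaired."""
    tampered = detect_tampered_regions(store)
    if len(store.active) != len(store.golden):
        store.active[:] = store.golden
    else:
        for off in tampered:
            store.active[off:off + REGION] = store.golden[off:off + REGION]
    for off in tampered:
        logging.warning("firmware region at offset 0x%x restored from golden copy", off)
    return tampered


def make_demo_store() -> FirmwareStore:
    """Constructed 512-byte stand-in for a BIOS code image."""
    golden = bytes(range(256)) * 2
    return FirmwareStore(active=bytearray(golden), golden=golden)


def simulate_corruption(store: FirmwareStore, offset: int, patch: bytes = b"\xcc") -> None:
    """Overwrite bytes in the active image to stand in for corruption."""
    store.active[offset:offset + len(patch)] = patch


if __name__ == "__main__":
    store = make_demo_store()
    simulate_corruption(store, 130)
    simulate_corruption(store, 400)
    print(detect_tampered_regions(store))   # [128, 384]
    print(self_heal(store))                 # [128, 384]
    print(detect_tampered_regions(store))   # []
```

The design point worth noting is that the golden copy and the digests derived from it are only as trustworthy as the storage that holds them: if runtime code can write to that store, the comparison proves nothing, which is why hardware-enforced write protection of the reference copy is the foundation of any self-healing scheme.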