HP launches Bug bounty program

Vulnerability researchers, here comes a must not be missed opportunity for you! HP Inc. has rolled a bug bounty program to felicitate researchers with a whopping sum between $500 and $10,000 for finding security flaws in a range of HP printers. Bugs found in the vendor’s Enterprise LaserJet machines and multi-function printer (MFPs), such as the A3 and A4 will also be acknowledged. The amount of the reward is based on the severity of the discovered vulnerabilities!

Keeping in mind the fact that printers are the weakest link in an organization and the vulnerabilities in these can be exploited to infect the entire chain in the network in various malicious campaigns; HP launches Bug Bounty program and announces its team venture with Bugcrowd on July 31st 2018.

Bugcrowd is a bug bounty platform that manages vulnerability disclosure programs and  uses crowdsourced model to find vulnerabilities.

In this private program, researchers will be sent the invite to join the program. The vulnerabilities discovered will have to be reported to Bugcrowd, who will verify the flaws and decide the reward price based on its severity.

Reason for embracing bug bounty programs:

A high number of printer vendors are embracing bug bounty programs for the following reasons:

1. Increasing shortage of cyber skilled professionals. By 2020, an estimated number of 1.5 million security positions are known to be left unfilled.
2. These programs have the ability to bring together thousands of brilliant minds in security researches to uncover high priority flaws that traditional assessment methods are incapable of achieving.
3. Rising vulnerabilities and rapidly changing computing environment with less cyber security professionals have left the vendors with no other alternative than rely on such bounty programs.
4. Also vendors are in a haste to find the vulnerabilities in their product before cyber criminals do.
5. Well-placed cash rewards prompt creative hackers to find hidden vulnerabilities in devices.

HP launches Bug bounty program – Why HP leverages Bugcrowd?

Bug Bounty programs aren’t new, but it’s the first of its kind for a printer company. Security concerns of Printers are often ignored by businesses which makes them inviting targets for cyber attacks. reasons behind HP leveraging Bugcrowd include:

1. 1. With the increase in corporate networks and expanding IoT (Internet of Things), cyber criminal activities are on heights to access important company data. Research reveals that IoT devices are among the top 5 critical attack surfaces including cloud environments, mobile devices, APIs, *86 serves, web font end systems.
   2. To ensure trusted delivery and resilient security, HP has leveraged this bug bounty platform.
   3. Over the past years printer vulnerabilities have jumped to 21% across the industry. One such vulnerability identified as CVE-2017-2750 was discovered in August 2017 that led hackers to carry out remote code execution attacks on enterprise-grade printers. Affected printers included:

• HP LaserJet Enterprise 800 color MFP M880
• HP Color LaserJet Enterprise M651,
• HP Color LaserJet Managed E65060,
• HP Color LaserJet Enterprise M652, among others

CVE-2017-2750 vulnerability summary:

The vulnerability is related to arbitrary code execution because of missing of DLL (Dynamic Link Library) files that result from insufficient DLL Signature validation.

What Does HP plan to improve Printer security?

The company plans to set up enterprise-class printers that will be accessed  by researchers remotely. The researchers will scrutinize printers to identify new as well as existing vulnerabilities.

Vulnerabilities unearthed via physical access are also allowed. There are incidents known where HP has cooperated with researchers by shipping them its devices when requested for the research program.

The company is however primarily focusing on remote attacks.

Hits: 159