Dive Brief:
- HP Inc. and Bugcrowd partnered to unveil the first-ever printer-specific bug bounty program, according to a company announcement Tuesday, on the premise that any endpoint device could be subject to malicious intrusion. The program was designed to look for "obscure defects that could be used against HP customers," Ashish Gupta, CEO of Bugcrowd, told CIO Dive.
- The companies want their invite-only researchers to home in on activity at the firmware level, which includes CSRF, RCE and XSS, according to Gupta. The program requires researchers to report the vulnerabilities they find to Bugcrowd; from there, both companies evaluate the submissions. Based on a discovered flaw's severity, researchers can be rewarded anywhere between $500 and $10,000.
- Endpoint devices are an often neglected gateway to an organization's internal network, and bad actors know this. The total number of printer-related vulnerabilities has grown by 21% in the last year, according to a Bugcrowd report. CISOs don't often get the chance to be involved in printer selections, according to the announcement, and the program is meant to add a layer of protection to decisions CISOs aren't a part of.
Dive Insight:
Once an endpoint device is invaded, "an attacker leverages to gain a foothold in that network and then [moves] laterally," according to Gupta. Although the internet of things is growing far more rapidly in the 21st century, Gupta and his brother were awarded their own bug bounty back in the 1980s.
The brothers discovered an unsecured printer port, which could allow access to a minicomputer. Gupta used some of the money for college and, years later, is still unable to disclose the details of the now-resolved vulnerability.
Organizations in the U.S. are willing to shell out the most money for bounties, and hackers themselves earn almost one-fifth of all award money related to bounty programs. In the last year, consumers experienced attacks on the supply chain, where bad actors leveraged tools distributed by vendors to spread malicious content. HP has taken note of that.
A Security Advisory Board created by HP last year began with three external security experts leading its "reconnaissance team." Notably, the board's members were previously hackers.
Convening this kind of team shows HP is working to embed security at every layer of its devices. This is a growing trend across organizations, and not only for hardware: even DevOps engineers need to bring more security into their code.