HP will pay hackers up to $10,000 to break its printers

This is for every time the printer’s told you it’s out of toner.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.
Alfred Ng
3 min read
HP Officejet Pro 8600 Plus e-All-in-One Printer

HP is asking researchers to hack its printers.

Sarah Tew/CNET

It's the "Office Space" fantasy come true. Well, kind of.

HP isn't asking people to smash its printers to pieces, but the company is willing to pay people to break its software apart.

On Tuesday, HP announced its first bug bounty program that specifically targets its printers, offering as much as $10,000 to hackers who can find vulnerabilities on its machines.

Bug bounties are a common way for companies to find security flaws, with payouts as high as $100,000 for serious vulnerabilities. Hackers have been able to make a full-time job breaking software and reporting bugs before the vulnerabilities are used maliciously. Companies such as Google and Facebook have turned to bug bounties as a way to bolster their security.

HP quietly started its program in May with 34 researchers signing up. It has already paid $10,000 to a hacker who found a serious flaw with its printers, Shivaun Albright, the company's chief technologist for printer security, said in an interview last week.  

The company is focused on printer security because of the vulnerabilities of internet of things devices, she said. While there's a heavy focus on connected devices and their security flaws, it's often on web cameras, smart televisions or lightbulbs, not printers, Albright said.

But printers might be the oldest and most common IoT device a person owns, the HP technologist noted.

"They've been around for a long time, even before the term 'IoT' was out there," she said. "The issue is, why do customers not consider printers as IoT?"

It isn't like printers are immune to attacks.

In 2016, the Mirai botnet -- a massive network of hacked devices used to wreak havoc online -- caused a major web outage that took down popular sites like Twitter, Netflix and Reddit. The botnet used hacked IoT devices, like webcams and DVRs, but printers were also a part of that mix, Albright said.

HP's bug bounty program will be run through Bugcrowd, a platform that facilitates payouts and invites. The program is currently private, with Bugcrowd handling which researchers are invited to join. Albright said HP is interested in making it public in the future, but is keeping it closed for now to better manage incoming vulnerabilities.

The invited researchers have remote access to 15 printers, which are isolated in HP's offices. From their computers at home, they can poke at and pry into these machines to find hidden vulnerabilities.

For a $10,000 payout, Albright said, the researcher would have to find serious flaws like remote code execution, which would allow an attacker to take complete control of the printer.

If they find and report any flaws, HP will pay them for the discovery and then set out to fix it upon its next update.

"We're fixing these issues very quickly and turning them around so they're not found in the wild," Albright said. 

Security:  Stay up-to-date on the latest in breaches, hacks, fixes and all those cybersecurity issues that keep you up at night.

CNET Magazine: Check out a sample of the stories in CNET's newsstand edition.