The complexity of todays digital systems means that all but the simplest of systems will inevitably have security flaws – this is why PC’s and mobile apps get frequently patched for example. Large or small, all companies are likely to have to deal with security breaches at some point. Companies that have been doing business on the web for many years have learned how to cope with this, as the scale and consequences of attacks have gradually increased. Companies that are just starting to connect their products and services to the Internet (IoT) can quickly learn from that experience.

Your company will likely do all it can to avoid security issues as an IoT supplier or user. However the security flaws that exist in your systems are likely going to be found by third parties – including legitimate researchers. IoTSF therefore encourages you to make provision for third parties to make contact.

Having a published Vulnerability Disclosure Policy and a supporting process means you will have a clear method of responding to the discovery of a vulnerability in a way that preserves your customers’ privacy and safety. The alternative? It could be that the finder may choose to go somewhere else with their knowledge (including to the black market, to the press, to the stock market or to your competitors).

You can download the Best Practice Guidelines for free.

Users of the guidelines are encouraged to display the Best Practice User mark on marketing materials.

Updated to Release 1.1 / December 5th 2017