November 4th, 2021: New Report on Industry Adoption of Vulnerability Disclosure Practice Published.

The IoT Security Foundation has published its 4th report, which examines the practice of vulnerability disclosure in Consumer IoT – with an extension into enterprise and the B2B model.

The report is seen as a cybersecurity progress barometer of the sector in general, as vulnerability disclosure – or advertising a public channel where security flaws can be reported and then fixed – is considered a basic hygiene mechanism for any firm selling into a connected market.

Despite small year-on-year improvements, progress remains glacial.

Consumer IoT Vulnerability Practice Trend 2021

“Our common goal is to have 100% of connected-product (IoT) vendors practicing good security hygiene – achieving a mere 21.6% in the age of digital transformation simply supports the call for market regulation.”

Unacceptably low

“… almost 4 out of 5 companies are still failing to provide the very basic security hygiene mechanism to allow security vulnerabilities to be reported to vendors so they can be fixed.”

The report breaks the results down further and applies an ‘extended threshold’ test (which was introduced in report 3) to sort companies that would likely meet anticipated regulations. The report finds that only 6.7% (21) of the cohort of firms identified meet the extended-threshold criteria, meaning the 21.6% figure may be deceptively high.

Report contains more than the reported numbers

The report includes a commentary on new developments within the practice of vulnerability disclosure, including the use of /security, security.txt, bug bounties, proxy services and policy generation tools.

The report also allocates firms into a set of lists:

  • Green list: met the extended threshold test
  • Amber list: met the basic threshold test but did not meet the extended threshold test
  • Red list: did not meet the basic threshold test

Given the lack of progress from vendors, the report concludes:

“We therefore see the introduction of international baseline regulation in this space as a welcome development.”

The report – The Contemporary Use of Vulnerability Disclosure in IoT, Report 4 November 2021 – can be downloaded free, and without registration, from the Publications Page on the IoTSF website.

CVD Use Report 4 November 2021

The Contemporary Use of Vulnerability Disclosure in IoT, Report 4 November 2021 – full report can be downloaded from the Publications Page.