Crazy! Less than 10% of consumer IoT companies follow Vulnerability Disclosure guidelines
New IoTSF research identifies poor security practice of producers of connected products
Release Date: December 13, 2018
What happens when someone discovers a security issue in a connected product? Whether it is a fitness tracker, WiFi speaker, pet monitor, home robot or even a fridge-freezer, how do security researchers and others report a security issue? To gain better visibility into the current status of vulnerability disclosure practice in consumer companies providing connected products, the IoT Security Foundation (IoTSF) commissioned a research study entitled: Understanding the Contemporary Use of Vulnerability Disclosure in Consumer Internet of Things Product Companies.
The research answers a fundamental question: how widely practiced is vulnerability disclosure in the consumer IoT product domain? As part of this, the study asked, at the company level: does the company have a dedicated channel for vulnerability disclosure? Of the 331 consumer product companies examined during August 2018, only 32 had some form of online vulnerability disclosure scheme available to security researchers. Only a few of these companies (3) operated with a hard deadline of 90 days for fixes to reported issues.
About the findings, David Rogers, CEO of Copper Horse Solutions and IoTSF Board member says: “The data doesn’t lie – connected product companies are woefully bad, when it comes to allowing security researchers to report issues to them. It is further evidence of the poor situation for product security in the Internet of Things. There is no need for this, there are recommendations and an international standard available for companies to adopt. There needs to be a shift of mind-set to take security seriously at the Boardroom level of connected product companies and for them to realise that regulators are starting to take action against the existing lax attitude towards product security.”
Best practice guidance and standards from multiple organisations advise that adopting the processes of Co-ordinated Vulnerability Disclosure should be a priority for all producers of connected products. The UK’s Department for Digital, Culture, Media & Sport (DCMS) Code of Practice for Consumer IoT security puts the implementation of a vulnerability disclosure policy second on its list of thirteen outcome-focused guidelines, which are widely considered good practice in IoT security.
“We conducted this research to better understand the contemporary status of vulnerability disclosure policy in practice,” says John Moor, Managing Director, IoTSF. “It’s part of our mission to raise awareness and help improve the situation. Over 90% of the companies we looked at do not have an easy-to-identify vulnerability reporting channel – in a hyper-connected world this is crazy. Progress needs to be made and we hope that by highlighting this subject area, and publishing companies in the report, we can improve the situation in the future. For any company making connected products, it is fundamental to understand the importance of disclosure policy and leverage the research community to help make safer connected products.”