What happens when someone discovers a security issue in a connected product? How do security researchers and others report a security issue? To gain better visibility into the current status of vulnerability disclosure practice in consumer companies providing connected products, the IoT Security Foundation (IoTSF) commissioned a research study.
The study was entitled: ‘Understanding the Contemporary Use of Vulnerability Disclosure in Consumer Internet of Things Product Companies’.
The research answers a fundamental question: how widely practised is vulnerability disclosure in the consumer IoT product domain? As part of this, the study asked of each company: does it have a dedicated channel for vulnerability disclosure? Of the 331 consumer product companies examined (the survey was performed during August 2018), only 32 had some form of online vulnerability disclosure scheme available to security researchers. Only 3 of these companies operated with a hard deadline of 90 days for fixes to reported issues.
About the findings, David Rogers, CEO of Copper Horse Solutions and IoTSF Board member, stated: “The data doesn’t lie: connected product companies are woefully bad when it comes to allowing security researchers to report issues to them. It is further evidence of the poor situation for product security in the Internet of Things. There is no need for this; there are recommendations and an international standard available for companies to adopt. There needs to be a shift of mind-set to take security seriously at the Boardroom level of connected product companies, and for them to realise that regulators are starting to take action against the existing lax attitude towards product security.”
Best practice guidance and standards from multiple organisations advise that adopting the processes of Co-ordinated Vulnerability Disclosure should be a priority for all producers of connected products. The UK’s Department for Digital, Culture, Media & Sport (DCMS) Code of Practice for Consumer IoT security puts the implementation of a vulnerability disclosure policy second on its list of thirteen outcome-focused guidelines, which are widely considered good practice in IoT security.
John Moor, Managing Director, IoTSF, added: “We conducted this research to better understand the contemporary status of vulnerability disclosure policy in practice. It’s part of our mission to raise awareness and help improve the situation and we hope that by highlighting this subject area, and identifying companies in the report, we can make positive progress in the future. For any company making connected products, it is fundamental to understand the importance of disclosure policy and leverage the research community to help make safer connected products.”