Vulnerability Disclosure Policy of IoT Vendors

The IoT Security Foundation published its “Contemporary Use of Vulnerability Disclosure in IoT” report for the 4th consecutive year. The 2021 edition examined whether the 315 companies observed – providers of B2C (266 companies) and B2B (49 companies) IoT products – comply with the vulnerability disclosure requirements of ETSI EN 303 645 and ISO/IEC 29147:2018 and provide

  1. information for the reporting of issues, and
  2. a timeline for acknowledging receipt of the information provided by the security researcher together with status updates until the reported issue has been resolved.

Only 21.6% of the companies observed (68/315) have a publicly available vulnerability disclosure policy and a formal reporting system. While this number remains low, it has increased from the year before. Even lower is the share of companies that provide timeline information: a mere 6.7% (21/315).

This ratio is expected to rise, as legislation is imminent in the EU and the UK that will accelerate the wider adoption of vulnerability disclosure.

You can download the full IoT Security Foundation report, with more details, here.
