The Slow March of Progress: Unpacking IoT Vendors’ Approach to Vulnerability Disclosure Policies

IoT vendors are making slow progress in making it easier for security researchers to report vulnerabilities: just over a quarter (27.1%) of manufacturers publish a vulnerability disclosure policy.

The statistic is taken from the most recent yearly report by the IoT Security Foundation (IoTSF). It’s a stark contrast to the 9.7% of IoT (Internet of Things) providers that were cited as having a disclosure policy in the 2018 version of the same research.


Vulnerability management should be a fundamental aspect of security for connected devices, as recommended by 30 cybersecurity guidance programs, including IoTSF’s own IoT Security Assurance Framework.

Plain and simple, a channel for reporting security problems is crucial to maintaining the security lifecycle. Vendors that neglect the recommended guidelines also risk violating recent UK law.

The United Kingdom’s Product Security and Telecoms Infrastructure Act was officially passed into law in early December 2022. This legislation mandates that those who manufacture, import, or distribute IoT devices must provide a vulnerability disclosure policy. Suppliers who fail to comply could face serious consequences, including sanctions and, in extreme cases, daily fines of up to £20,000.


The most recent IoTSF research assessed the practices of 332 businesses that market consumer IoT products. The evaluation, carried out by Copper Horse, a consultancy specializing in mobile and IoT security, examined security measures for an array of products such as tablets, routers, smart home lighting systems, and smart speakers.

Asian providers generally outperformed in setting up vulnerability disclosure initiatives, with their European counterparts lagging considerably (34.7% compared to 14.5%, respectively).

Laurie Mercer, who holds a senior position in security engineering at HackerOne, emphasized the significance of being aware of security flaws in products and services via a Vulnerability Disclosure Policy (VDP). She considers it a vital method to detect and rectify such issues during the product’s security lifecycle.

“Customers are progressively expecting their providers to implement this optimal strategy, however, the study indicates that it’s not yet a widespread routine.”

Heightened oversight

Legislators worldwide are aiming to implement rules that compel IoT providers to enhance the security of their products. For instance, in the US, the IoT Cybersecurity Improvement Act (2020) has been put into effect by lawmakers.

The proposed European Cyber Resilience Act encompasses comparable areas.

Copper Horse’s chief executive, David Rogers, voiced to The Daily Swig, “There’s a growing push to make it compulsory – it begs the question once more, why aren’t businesses recognizing this? The signs are clearly visible!”

Rogers emphasized, “Despite the looming prospect of new laws, a worrying level of indifference is observed among manufacturers. This apathy translates into a significant risk for users in terms of the security of IoT devices.”

In the course of their investigation, the researchers observed growing use of a ‘/security’ contact page and of machine-readable ‘security.txt’ files, and a slight drop in the use of PGP keys for encrypted submissions.

The study also found more suppliers updating their policies, and an uptick in companies using an external ‘proxy service’ to host and maintain their policies.

Optimal Approach

However, the report isn’t entirely filled with negative outcomes. It pointed out instances where certain vendors demonstrated commendable practices.

Rogers pointed out, “Certain businesses and sectors have begun to demonstrate significant improvements. Notable instances can be seen in the automobile industry, like the Volkswagen Group, which has entirely revamped their strategies in a commendable manner.

“I believe these businesses can serve as a role model to their counterparts by demonstrating that it is possible to collaborate with the security research community devoid of any power struggles.”

It would be beneficial for suppliers to implement a safe harbor policy. This is a legal structure that permits ethical hackers to search for vulnerabilities in systems without fearing legal issues or possible charges. LG, to illustrate, employs a safe harbor policy for its IoT devices.

Expanding the scope, the IoTSF report applauds 34 providers that “satisfy or surpass the forthcoming legislative requirements,” as per the evaluation of their regulations by Copper Horse’s security experts. The recognized companies include Bosch, BT, Canon, Huawei, LG, Logitech, Microsoft, Peloton, Samsung, and Wink.
