IoT Security Foundation survey highlights lack of vulnerability reporting
An analysis of the 330 companies involved found that five out of six (286, or 86.7%) do not provide a way to report vulnerabilities to them, which would see them fall foul of new international standards.
And among the 13% that do have a vulnerability reporting policy, many water it down in some way, says the organisation.
Perhaps surprisingly, Europe is identified as one of the worst performing regions, despite UK laws and ETSI standards.
You can download the detailed findings – the Consumer IoT: Understanding the Contemporary Use of Vulnerability Disclosure – 2020 Progress Report – from this resource centre for best practice guidelines.
The main conclusion is that industry adoption of vulnerability disclosure remains a prime concern.
“Implementing a vulnerability disclosure process is of crucial importance for a number of stakeholder interests and it is one of the simplest security measures companies can install.”
While the proportion of companies with public policies has increased since the last survey, from just under 10% to just over 13%, the writers say this can only be described as ‘poor performance’.
“Ideally, all providers of IoT products and services should have a process for vulnerability disclosure. Reaching an acceptable global level (t.b.d but as close to 100% as possible) at the current rate of progress remains elusive in the absence of strong incentives. A number of government agencies and institutions such as the IoT Security Foundation have advocated for firms to implement disclosure policy mechanics as a fundamental and basic hygiene measure.”
“The drive towards normalisation, standardisation and ultimately regulation of vulnerability disclosure is therefore a natural course as the market and industry mature. The only open question now is ‘when will it be legally mandated?’”