{"id":9936,"date":"2018-11-29T03:00:05","date_gmt":"2018-11-29T03:00:05","guid":{"rendered":"https:\/\/www.engineernewsnetwork.com\/blog\/?p=9936"},"modified":"2018-11-28T11:47:34","modified_gmt":"2018-11-28T11:47:34","slug":"less-than-10-of-consumer-iot-companies-follow-vulnerability-disclosure-guidelines","status":"publish","type":"post","link":"https:\/\/www.engineernewsnetwork.com\/blog\/less-than-10-of-consumer-iot-companies-follow-vulnerability-disclosure-guidelines\/","title":{"rendered":"Less than 10% of consumer IoT companies follow Vulnerability Disclosure guidelines"},"content":{"rendered":"<p>What happens when someone discovers a security issue in a connected product?<\/p>\n<p>Whether it is a fitness tracker, WiFi speaker, pet monitor, home robot or even a fridge-freezer, how do security researchers and others report a security issue?<\/p>\n<p>To gain better visibility into the current status of vulnerability disclosure practice in consumer companies providing connected products, the IoT Security Foundation (IoTSF) commissioned a research study entitled: Understanding the Contemporary Use of Vulnerability Disclosure in Consumer Internet of Things Product Companies.<br \/>\nThe research answers a fundamental question: how widely practiced is vulnerability disclosure in the consumer IoT product domain?<\/p>\n<p>As part of this, the study asked at the company scale: does it have a dedicated channel for vulnerability disclosure?<\/p>\n<p>Of the 331 consumer product companies examined during August 2018, only 32 had some form of online 
vulnerability disclosure scheme available for security researchers. Few of these companies (3) operated with a hard deadline of 90 days for fixes to reported issues.<\/p>\n<p>About the findings, David Rogers, CEO of Copper Horse Solutions and IoTSF Board member says: \u201cThe data doesn\u2019t lie \u2013 connected product companies are woefully bad, when it comes to allowing security researchers to report issues to them. It is further evidence of the poor situation for product security in the Internet of Things.<\/p>\n<p>\u201cThere is no need for this, there are recommendations and an international standard available for companies to adopt. There needs to be a shift of mind-set to take security seriously at the Boardroom level of connected product companies and for them to realise that regulators are starting to take action against the existing lax attitude towards product security.\u201d<\/p>\n<p>Best practice guidance and standards from multiple organisations advise that adopting the processes of Co-ordinated Vulnerability Disclosure should be a priority for all producers of connected products.<\/p>\n<p>The UK\u2019s Department for Digital, Culture, Media &amp; Sport (DCMS) Code of Practice for Consumer IoT security puts the implementation of a vulnerability disclosure policy second on its list of 13 outcome-focused guidelines, which are widely considered good practice in IoT security.<\/p>\n<p>\u201cWe conducted this research to better understand the contemporary status of vulnerability disclosure policy in practice,\u201d says John Moor, Managing Director, IoTSF. \u201cIt\u2019s part of our mission to raise awareness and help improve the situation and we hope that by highlighting this subject area, and identifying companies in the report, we can make positive progress in the future. 
For any company making connected products, it is fundamental to understand the importance of disclosure policy and leverage the research community to help make safer connected products.\u201d<\/p>\n<p>To read the report in full, click <span class=\"highlight highlight-blue\"><a href=\"http:\/\/www.iotsecurityfoundation.org\/best-practice-guidelines\" target=\"_blank\" rel=\"noopener\">HERE<\/a><\/span>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>What happens when someone discovers a security issue in a connected product? Whether it is a fitness tracker, WiFi speaker, pet monitor, home robot or even a fridge-freezer, how do security researchers and others report a security issue? To gain better visibility into the current status of vulnerability disclosure practice in consumer companies providing connected &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[199],"tags":[5328,5326,5261,709,5327],"class_list":["post-9936","post","type-post","status-publish","format-standard","","category-news-views-and-opinion","tag-connected-products","tag-iot-security-foundation","tag-iotsf","tag-security","tag-vulnerability-disclosure-guidelines"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.4 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Less than 10% of consumer IoT companies follow Vulnerability Disclosure guidelines - Engineer News Network<\/title>\n<meta name=\"description\" content=\"New IoTSF research identifies poor security practice of producers of connected products\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.engineernewsnetwork.com\/blog\/less-than-10-of-consumer-iot-companies-follow-vulnerability-disclosure-guidelines\/\" \/>\n<meta 
property=\"og:locale\" content=\"en_GB\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Less than 10% of consumer IoT companies follow Vulnerability Disclosure guidelines - Engineer News Network\" \/>\n<meta property=\"og:description\" content=\"New IoTSF research identifies poor security practice of producers of connected products\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.engineernewsnetwork.com\/blog\/less-than-10-of-consumer-iot-companies-follow-vulnerability-disclosure-guidelines\/\" \/>\n<meta property=\"og:site_name\" content=\"Engineer News Network\" \/>\n<meta property=\"article:published_time\" content=\"2018-11-29T03:00:05+00:00\" \/>\n<meta name=\"author\" content=\"admin\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"admin\" \/>\n\t<meta name=\"twitter:label2\" content=\"Estimated reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.engineernewsnetwork.com\\\/blog\\\/less-than-10-of-consumer-iot-companies-follow-vulnerability-disclosure-guidelines\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.engineernewsnetwork.com\\\/blog\\\/less-than-10-of-consumer-iot-companies-follow-vulnerability-disclosure-guidelines\\\/\"},\"author\":{\"name\":\"admin\",\"@id\":\"https:\\\/\\\/www.engineernewsnetwork.com\\\/blog\\\/#\\\/schema\\\/person\\\/4477342aea8e299c6a21761e513ea8e1\"},\"headline\":\"Less than 10% of consumer IoT companies follow Vulnerability Disclosure 
guidelines\",\"datePublished\":\"2018-11-29T03:00:05+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.engineernewsnetwork.com\\\/blog\\\/less-than-10-of-consumer-iot-companies-follow-vulnerability-disclosure-guidelines\\\/\"},\"wordCount\":448,\"keywords\":[\"connected products\",\"IoT Security Foundation\",\"IoTSF\",\"security\",\"Vulnerability Disclosure guidelines\"],\"articleSection\":[\"News, Views and Opinion\"],\"inLanguage\":\"en-GB\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.engineernewsnetwork.com\\\/blog\\\/less-than-10-of-consumer-iot-companies-follow-vulnerability-disclosure-guidelines\\\/\",\"url\":\"https:\\\/\\\/www.engineernewsnetwork.com\\\/blog\\\/less-than-10-of-consumer-iot-companies-follow-vulnerability-disclosure-guidelines\\\/\",\"name\":\"Less than 10% of consumer IoT companies follow Vulnerability Disclosure guidelines - Engineer News Network\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.engineernewsnetwork.com\\\/blog\\\/#website\"},\"datePublished\":\"2018-11-29T03:00:05+00:00\",\"author\":{\"@id\":\"https:\\\/\\\/www.engineernewsnetwork.com\\\/blog\\\/#\\\/schema\\\/person\\\/4477342aea8e299c6a21761e513ea8e1\"},\"description\":\"New IoTSF research identifies poor security practice of producers of connected 
products\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.engineernewsnetwork.com\\\/blog\\\/less-than-10-of-consumer-iot-companies-follow-vulnerability-disclosure-guidelines\\\/#breadcrumb\"},\"inLanguage\":\"en-GB\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.engineernewsnetwork.com\\\/blog\\\/less-than-10-of-consumer-iot-companies-follow-vulnerability-disclosure-guidelines\\\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.engineernewsnetwork.com\\\/blog\\\/less-than-10-of-consumer-iot-companies-follow-vulnerability-disclosure-guidelines\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.engineernewsnetwork.com\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Less than 10% of consumer IoT companies follow Vulnerability Disclosure guidelines\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.engineernewsnetwork.com\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.engineernewsnetwork.com\\\/blog\\\/\",\"name\":\"Engineer News Network\",\"description\":\"The ultimate online news and information resource for today's engineer\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.engineernewsnetwork.com\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-GB\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.engineernewsnetwork.com\\\/blog\\\/#\\\/schema\\\/person\\\/4477342aea8e299c6a21761e513ea8e1\",\"name\":\"admin\",\"url\":\"https:\\\/\\\/www.engineernewsnetwork.com\\\/blog\\\/author\\\/admin\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Less than 10% of consumer IoT companies follow Vulnerability Disclosure guidelines - Engineer News Network","description":"New IoTSF research identifies poor security practice of producers of connected products","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.engineernewsnetwork.com\/blog\/less-than-10-of-consumer-iot-companies-follow-vulnerability-disclosure-guidelines\/","og_locale":"en_GB","og_type":"article","og_title":"Less than 10% of consumer IoT companies follow Vulnerability Disclosure guidelines - Engineer News Network","og_description":"New IoTSF research identifies poor security practice of producers of connected products","og_url":"https:\/\/www.engineernewsnetwork.com\/blog\/less-than-10-of-consumer-iot-companies-follow-vulnerability-disclosure-guidelines\/","og_site_name":"Engineer News Network","article_published_time":"2018-11-29T03:00:05+00:00","author":"admin","twitter_card":"summary_large_image","twitter_misc":{"Written by":"admin","Estimated reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.engineernewsnetwork.com\/blog\/less-than-10-of-consumer-iot-companies-follow-vulnerability-disclosure-guidelines\/#article","isPartOf":{"@id":"https:\/\/www.engineernewsnetwork.com\/blog\/less-than-10-of-consumer-iot-companies-follow-vulnerability-disclosure-guidelines\/"},"author":{"name":"admin","@id":"https:\/\/www.engineernewsnetwork.com\/blog\/#\/schema\/person\/4477342aea8e299c6a21761e513ea8e1"},"headline":"Less than 10% of consumer IoT companies follow Vulnerability Disclosure 
guidelines","datePublished":"2018-11-29T03:00:05+00:00","mainEntityOfPage":{"@id":"https:\/\/www.engineernewsnetwork.com\/blog\/less-than-10-of-consumer-iot-companies-follow-vulnerability-disclosure-guidelines\/"},"wordCount":448,"keywords":["connected products","IoT Security Foundation","IoTSF","security","Vulnerability Disclosure guidelines"],"articleSection":["News, Views and Opinion"],"inLanguage":"en-GB"},{"@type":"WebPage","@id":"https:\/\/www.engineernewsnetwork.com\/blog\/less-than-10-of-consumer-iot-companies-follow-vulnerability-disclosure-guidelines\/","url":"https:\/\/www.engineernewsnetwork.com\/blog\/less-than-10-of-consumer-iot-companies-follow-vulnerability-disclosure-guidelines\/","name":"Less than 10% of consumer IoT companies follow Vulnerability Disclosure guidelines - Engineer News Network","isPartOf":{"@id":"https:\/\/www.engineernewsnetwork.com\/blog\/#website"},"datePublished":"2018-11-29T03:00:05+00:00","author":{"@id":"https:\/\/www.engineernewsnetwork.com\/blog\/#\/schema\/person\/4477342aea8e299c6a21761e513ea8e1"},"description":"New IoTSF research identifies poor security practice of producers of connected products","breadcrumb":{"@id":"https:\/\/www.engineernewsnetwork.com\/blog\/less-than-10-of-consumer-iot-companies-follow-vulnerability-disclosure-guidelines\/#breadcrumb"},"inLanguage":"en-GB","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.engineernewsnetwork.com\/blog\/less-than-10-of-consumer-iot-companies-follow-vulnerability-disclosure-guidelines\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.engineernewsnetwork.com\/blog\/less-than-10-of-consumer-iot-companies-follow-vulnerability-disclosure-guidelines\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.engineernewsnetwork.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Less than 10% of consumer IoT companies follow Vulnerability Disclosure 
guidelines"}]},{"@type":"WebSite","@id":"https:\/\/www.engineernewsnetwork.com\/blog\/#website","url":"https:\/\/www.engineernewsnetwork.com\/blog\/","name":"Engineer News Network","description":"The ultimate online news and information resource for today's engineer","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.engineernewsnetwork.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-GB"},{"@type":"Person","@id":"https:\/\/www.engineernewsnetwork.com\/blog\/#\/schema\/person\/4477342aea8e299c6a21761e513ea8e1","name":"admin","url":"https:\/\/www.engineernewsnetwork.com\/blog\/author\/admin\/"}]}},"_links":{"self":[{"href":"https:\/\/www.engineernewsnetwork.com\/blog\/wp-json\/wp\/v2\/posts\/9936","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.engineernewsnetwork.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.engineernewsnetwork.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.engineernewsnetwork.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.engineernewsnetwork.com\/blog\/wp-json\/wp\/v2\/comments?post=9936"}],"version-history":[{"count":1,"href":"https:\/\/www.engineernewsnetwork.com\/blog\/wp-json\/wp\/v2\/posts\/9936\/revisions"}],"predecessor-version":[{"id":9937,"href":"https:\/\/www.engineernewsnetwork.com\/blog\/wp-json\/wp\/v2\/posts\/9936\/revisions\/9937"}],"wp:attachment":[{"href":"https:\/\/www.engineernewsnetwork.com\/blog\/wp-json\/wp\/v2\/media?parent=9936"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.engineernewsnetwork.com\/blog\/wp-json\/wp\/v2\/categories?post=9936"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.engineernewsnetwork.com\/blog\/wp-json\/wp\/v2\/tags?post=9936"}],"curies":[{"name":"wp","hre
f":"https:\/\/api.w.org\/{rel}","templated":true}]}}