20.5k unique visitors in the last 3 days

IoT Security Foundation Reviews Worldwide Adoption of Vulnerability Disclosure Policies

UK retailers lead, US retailers lag when it comes to stocking networked consumer devices supplied by businesses with responsible security policies.

Credit for this installment of policywatch goes to Mark Neve and David Rogers of Copper Horse on behalf of the Internet of Things Security Foundation (IoTSF). As in previous years, they have reviewed the extent to which vulnerability disclosure policies for networked devices have been adopted worldwide. Their seventh annual review of this topic highlights some overall progress, but most manufacturers still do not offer a channel for independent security researchers to communicate the vulnerabilities they have identified. Now you may be worried that your networked toothbrush, your networked refrigerator and your networked lightbulbs have all been hacked and used to spy upon you.

But before we examine their findings it is worth highlighting one key aspect of their work that makes it immediately superior to the vast majority of assertions made about networked fraud. All of the data used to compile their report is available for researchers to scrutinize per a Creative Commons 4.0 license. This has two important advantages:

  • The conclusions for policy are separated from the data that is supposed to justify those conclusions. Multiple independent reviewers can draw their own conclusions from the same data, reducing the danger that biased or otherwise flawed reasoning will affect decisions about the policies that are ultimately adopted.
  • Making the data public gives researchers more motivation to avoid mistakes and justify their reasoning.

So the good news is that you can check the data yourself if you disagree with the following findings from the report.

  • British retailers lead the way by mostly stocking IoT products by suppliers that have responsible vulnerability disclosure policies. For example, 90 percent of IoT products stocked by leading British retailer John Lewis are made by businesses that meet the IoTSF’s expectations. The British lead in this arena is hardly surprising. British legislators have acted upon the advice of experts in order to promote IoT security, including the demand that independent security researchers can communicate the vulnerabilities they discover. Several businesses now talk openly about how they comply with the UK’s Product Security and Telecommunications Infrastructure Act.
  • US retailers have slightly improved since last year, but continue to lag behind the UK. The relevant statistics are dragged down by Walmart, the US retail giant. Just 27.6 percent of the IoT products stocked by Walmart are made by businesses that offer independent researchers a way to communicate the security failings they have identified. That the US is behind with protecting consumers is also unsurprising. The US policy for improving IoT security concentrates much more on purchasing decisions made by government and its agencies instead of setting expectations to protect ordinary people.
  • IoT manufacturers worldwide are getting better at publishing vulnerability disclosure policies, but progress remains slow. Of the 458 companies that were reviewed, slightly over one-third have a policy.
  • Different categories of IoT product exhibit a big disparity in the respect that manufacturers show for security. As with previous years, networked products for lighting, health and fitness are amongst the worst. More shockingly, there are low levels of respect for vulnerability disclosure from manufacturers of security products and smart home products. Keep that in mind when contemplating whether you will be safer by adding a networked doorbell to your home.

Credit goes to Californian cybersecurity firm HackerOne for sponsoring the report without trying to influence its contents. Sometimes it is possible to support good impartial research without insisting on a predetermined conclusion. This reflects the more mature expectations that shape tech security research compared to the lackadaisical attitudes found in the domain of fraud management.

The State of Vulnerability Disclosure Policy (VDP) Usage in Global Consumer IoT in 2024 is freely available, without the need to register, from here.

Eric Priezkalns
Eric Priezkalnshttp://revenueprotect.com

During his career, Eric has been a Director of Risk Management for a national telco, the Chief Executive of the Risk & Assurance Group, a Chief Marketing Officer for a software business, a consultant, a public speaker and the publisher of Commsrisk since its launch in 2006. Look here for more about the history of Commsrisk and the role played by Eric.

The comms providers that Eric has worked for include Qatar Telecom, Cable & Wireless, T‑Mobile, Sky and Worldcom. In addition to his proficiency at speaking about the current scamdemic, Eric is also a qualified chartered accountant and a subject matter expert in consumer protection, enterprise risk management, fraud prevention, data integrity and billing accuracy. Eric was the lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He can be reached through the contact form on this website.

Related Articles

The Commsrisk Global Fraud Dashboard


Our Global Fraud Dashboard uses AI-powered search to collate, update and visualize data about scams and other network abuses from around the world. New charts are added each month. See it here.

Get Our Weekly Newsletter by Email