
New IoT Security Vulnerability Disclosure Report Highlights Progress among Retailers

British retailers are doing an excellent job of protecting the public and Walmart has improved greatly, but be wary of cheap networked products sold on Amazon.

The initial craze for networked fridges, toys and toothbrushes has calmed since its peak but the privacy threat posed by the Internet of Things (IoT) remains. The eighth annual vulnerability disclosure review by the IoT Security Foundation arrived later than usual, only being released in January 2026 as the authors at Copper Horse delayed publication to see the draft standards for the European Union’s Cyber Resilience Act. Their report was worth waiting for, with good news about the security policies of the most prominent manufacturers of IoT devices. However, consumers still need to be wary, especially when browsing on Amazon. Here are five takeaways from the report, The State of Vulnerability Disclosure Policy Usage in Global Consumer IoT in 2025.

More Manufacturers Have a Responsible Policy on Vulnerability Disclosure

Security researchers will find vulnerabilities in products, but do they have a way of telling the manufacturer about the weaknesses they have identified? There has been an improvement in the number of manufacturers with an explicit policy for how security researchers should communicate their findings, which now stands at 40.5% of manufacturers reviewed compared to 35.6% a year before. As a general rule, the bigger manufacturers are more likely to have responsible security policies, which also means the most popular products will tend to be more trustworthy. On the other hand, it would take until 2040 to obtain 100% compliance at the current rate of progress.
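One standard way for a manufacturer to publish the kind of contact channel described above is a security.txt file served at /.well-known/security.txt (RFC 9116), which lists a Contact URI, an Expires date and optionally a link to the disclosure Policy. The following Python is an added example, not code from this article, from Commsrisk or from the IoT Security Foundation report, and it does not reproduce the report's own assessment method; it shows how a researcher or retailer could judge whether such a file actually offers a usable, unexpired reporting route. The three sample files and the example-iot-vendor.invalid hostname are constructed for illustration.

```python
"""Judge whether a security.txt (RFC 9116) file gives researchers a usable contact."""
from datetime import datetime, timezone

# Constructed sample files; no real manufacturer is represented.
GOOD_SECURITY_TXT = """\
# Constructed example of a well-formed file
Contact: mailto:security@example-iot-vendor.invalid
Contact: https://example-iot-vendor.invalid/report-a-vulnerability
Expires: 2099-01-01T00:00:00Z
Policy: https://example-iot-vendor.invalid/vulnerability-disclosure-policy
Preferred-Languages: en
"""

EXPIRED_SECURITY_TXT = """\
Contact: mailto:security@example-iot-vendor.invalid
Expires: 2020-01-01T00:00:00Z
"""

NO_CONTACT_SECURITY_TXT = """\
Policy: https://example-iot-vendor.invalid/vulnerability-disclosure-policy
Expires: 2099-01-01T00:00:00Z
"""


def parse_security_txt(text):
    """Parse 'Field: value' lines into {field: [values]}, skipping comments.

    RFC 9116 field names are case-insensitive, so they are lower-cased here;
    lines that cannot be parsed are ignored, as the RFC instructs.
    """
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def evaluate_security_txt(text, now=None):
    """Return {'ok', 'errors', 'warnings'}: errors mean there is no usable channel."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    errors, warnings = [], []

    # RFC 9116 requires at least one Contact, expressed as a URI.
    contacts = fields.get("contact", [])
    if not contacts:
        errors.append("no Contact field: researchers have no way to report")
    for c in contacts:
        if not c.startswith(("mailto:", "https://", "tel:")):
            errors.append(f"Contact is not a usable URI: {c}")

    # RFC 9116 requires exactly one Expires; a stale file should be treated as absent.
    expires = fields.get("expires", [])
    if len(expires) != 1:
        errors.append(f"expected exactly one Expires field, found {len(expires)}")
    else:
        try:
            exp = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if exp <= now:
                errors.append(f"file expired on {expires[0]}")
        except ValueError:
            errors.append(f"unparseable Expires value: {expires[0]}")

    # Policy is optional in the RFC but is the clearest sign of a real disclosure process.
    if "policy" not in fields:
        warnings.append("no Policy link: contact exists but the disclosure process is undocumented")

    return {"ok": not errors, "errors": errors, "warnings": warnings}


if __name__ == "__main__":
    samples = [("good", GOOD_SECURITY_TXT),
               ("expired", EXPIRED_SECURITY_TXT),
               ("no-contact", NO_CONTACT_SECURITY_TXT)]
    for label, sample in samples:
        result = evaluate_security_txt(sample)
        print(f"{label}: {'OK' if result['ok'] else 'FAIL'} {result['errors']} {result['warnings']}")
```

A real check would fetch the file over HTTPS from the vendor's domain before passing its text to evaluate_security_txt; the parser is kept separate so the same logic can be run over many vendors' files in a batch review.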

A Big Improvement by Retailers Compared to Last Year

The average consumer will not pay attention to whether an IoT manufacturer has a responsible security disclosure policy so it is up to retailers to be mindful when choosing whose products they will stock. British retailers continue to set a world-leading example, with John Lewis, Currys and Argos only stocking IoT devices from manufacturers with policies that meet the expectations of the IoT Security Foundation. European retailers have significantly improved, with 80% compliance among IoT products stocked by Cdiscount, ePrice, Media Markt and El Corte Ingles. There was also a big improvement by the previous laggards in the USA, and especially by Walmart, which has leapt from having stock that was 27.6% compliant in 2024 to 73.3% compliant in the latest report.

Be Cautious When Purchasing from Amazon

Amazon makes it possible for consumers to purchase goods from a wider range of manufacturers, including some of the cheaper firms that would never be on the shelves of bricks-and-mortar stores. The consequence is that the proportion of IoT suppliers with responsible security policies is lower on Amazon than at any of the other retailers reviewed this year. Amazon UK compliance did improve from 47% to 60%, but that still means consumers accept considerably more risk when ordering some of the cheaper products available.

An Acceleration of European Expectations?

While the organic adoption of vulnerability disclosure policies has been slow worldwide, the Cyber Resilience Act may prompt more rapid change within the European Union. The Act will impose basic requirements for vulnerability disclosure when it comes into force. The technical standards for the Cyber Resilience Act are still only in draft, and there remains some confusion about how to satisfy its requirements, not least because it is so hard to obtain a copy of the draft standards. These standards do not appear to have been written with much input from the community of security researchers. Nevertheless, the existence of the Act will have encouraged large European retailers to become more discerning about the products they choose to stock.

The Two Halves of the Consumer IoT Market

The writers of this report identify a clear divide among the businesses that make and sell IoT products.

The majority of retailers examined for this research now stock products from manufacturers with vulnerability disclosure policies, which is an extremely good marker for increased overall security and can be seen as a positive reflection on both those manufacturers and the retailers themselves, probably synonymous with high-quality digital products. This also indicates that the manufacturers that consumers gravitate towards (generating a high volume of sales) are taking vulnerability disclosure seriously. It means that ultimately, purchasers of connected consumer products from major retailers are demonstrably being better protected.

It remains that over half of the manufacturers in this dataset do not have any method for security researchers to contact them if they discover an issue in a product. This market situation continues to be inadequate, considering that legislation and regulation are in place in some parts of the world and in others are imminent. The EU Cyber Resilience Act will not take full effect until 2027. By this time manufacturers that wish to sell products in the EU will be required by law to have a coordinated vulnerability disclosure policy or face fines or potential removal from the market. It is concerning to see so many manufacturers persist in not adopting what is quite a simple security mechanism to implement. That’s just the part that is visible to the public; what about the security of the products themselves? The insecurity canary is singing loud about these manufacturers.

The State of Vulnerability Disclosure Policy Usage in Global Consumer IoT in 2025 is available free of charge and without the need to register from the IoT Security Foundation’s downloads page.

Eric Priezkalns (http://revenueprotect.com)

During his career, Eric has been a Director of Risk Management for a national telco, the Chief Executive of the Risk & Assurance Group, a Chief Marketing Officer for a software business, a consultant, a public speaker and the publisher of Commsrisk since its launch in 2006. Look here for more about the history of Commsrisk and the role played by Eric.

The comms providers that Eric has worked for include Qatar Telecom, Cable & Wireless, T‑Mobile, Sky and Worldcom. In addition to his proficiency at speaking about the current scamdemic, Eric is also a qualified chartered accountant and a subject matter expert in consumer protection, enterprise risk management, fraud prevention, data integrity and billing accuracy. Eric was the lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He can be reached through the contact form on this website.
