
IoT Security Foundation Launches Vulnerability Reporting Platform

The Internet of Things Security Foundation (IoTSF), an effort aimed at improving the security of IoT, has launched an online platform designed to make the reporting of vulnerabilities in IoT devices easier.


Launched alongside a new report into coordinated vulnerability disclosure, the Consumer Internet of Things Vulnerability Disclosure Platform caters to both security researchers and manufacturers, seeking to ensure coordinated vulnerability disclosure management and reporting.

The platform provides automated communications and vulnerability management, and helps organizations get the support they need throughout the entire vulnerability reporting and response process. Resources such as a directory of specialists, a glossary of terms, and a sample policy are also available.

In addition to security researchers, users too can report security bugs to manufacturers and are referred to as reporters. Consumer IoT manufacturers (which are called members) have the option to manage reports and get in touch with the reporter, as well as to coordinate public disclosure.

“Timely identification of, and responses to, security issues creates a safer and more resilient product for your company and, more importantly, your customers. Not responding to vulnerability reports or not having a vulnerability reporting mechanism may result in vulnerability disclosure via the press, regulators, or other outlets which can cause serious reputational as well as financial harm to your business and result in legal action,” IoTSF notes.

Vulnerable Things, the Foundation underlines, is not a vulnerability bug bounty program, nor a triage service, and does not offer coordination of disclosure between third parties either. For the time being, the platform only accepts reports for the IoT manufacturers that have already subscribed to its service.

Specifically built to help consumer IoT manufacturers in their endeavor to improve the security of their products and services, the platform also helps vendors comply with coordinated vulnerability requirements and best practices.


“We think vulnerability disclosure should be an easy and straightforward process. We also believe that sharing information is key to improving the security of consumer IoT devices. By creating a user-friendly service for consumer IoT manufacturers and reporters to communicate, we hope that more vulnerabilities can be reported, fixed, and responsibly disclosed to the public,” IoTSF says.

All manufacturers of consumer IoT products and/or services are welcome to subscribe to the service to receive access to vulnerability tracking and communication tools and to other available resources, including a vulnerability disclosure case study and sample vulnerability disclosure policy.

“Vulnerability management is such a fundamental element to IoT cyber-hygiene that it is no surprise that governments and regulators around the world are making this a mandatory requirement. We […] see the need to drive this vital security practice and aim to help make it as simple as possible with the launch of the Vulnerable Things platform – especially for the uninitiated and firms who may lack resources. The service brokers good communications between researchers and vendors and guides both through the process until complete,” said John Moor, Managing Director of the IoT Security Foundation.

Access to the platform is free until January 31, 2021, IoTSF announced. The service is being tested for a trial period, to observe demand and gain feedback from users.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
