The Internet of Things Security Foundation (IoTSF), an effort aimed at improving the security of IoT, has launched an online platform designed to make the reporting of vulnerabilities in IoT devices easier.
Launched alongside a new report on coordinated vulnerability disclosure, the Consumer Internet of Things Vulnerability Disclosure Platform (VulnerableThings.com) caters to both security researchers and manufacturers, with the aim of ensuring that vulnerability reports are managed and disclosed in a coordinated way.
The platform provides automated communications and vulnerability management, and helps organizations get the support they need throughout the entire vulnerability reporting and response process. Resources such as a directory of specialists, a glossary of terms, and a sample disclosure policy are also available.
Both security researchers and ordinary users can report security bugs to manufacturers; the platform refers to them as reporters. Consumer IoT manufacturers (called members) can manage incoming reports, get in touch with the reporter, and coordinate public disclosure.
“Timely identification of, and responses to, security issues creates a safer and more resilient product for your company and, more importantly, your customers. Not responding to vulnerability reports or not having a vulnerability reporting mechanism may result in vulnerability disclosure via the press, regulators, or other outlets which can cause serious reputational as well as financial harm to your business and result in legal action,” IoTSF notes.
Vulnerable Things, the Foundation underlines, is not a bug bounty program or a triage service, and it does not coordinate disclosure between third parties. For the time being, the platform only accepts reports for IoT manufacturers that have already subscribed to the service, so a reporter whose target vendor has not joined cannot use it to reach that vendor.
Built specifically to help consumer IoT manufacturers improve the security of their products and services, the platform also helps vendors comply with coordinated vulnerability disclosure requirements and best practices.
“We think vulnerability disclosure should be an easy and straightforward process. We also believe that sharing information is key to improving the security of consumer IoT devices. By creating a user-friendly service for consumer IoT manufacturers and reporters to communicate, we hope that more vulnerabilities can be reported, fixed, and responsibly disclosed to the public,” IoTSF says.
All manufacturers of consumer IoT products and/or services are welcome to subscribe to the service to receive access to vulnerability tracking and communication tools and to other available resources, including a vulnerability disclosure case study and sample vulnerability disclosure policy.
“Vulnerability management is such a fundamental element to IoT cyber-hygiene that it is no surprise that governments and regulators around the world are making this a mandatory requirement. We […] see the need to drive this vital security practice and aim to help make it as simple as possible with the launch of the Vulnerable Things platform – especially for the uninitiated and firms who may lack resources. The service brokers good communications between researchers and vendors and guides both through the process until complete,” said John Moor, Managing Director of the IoT Security Foundation.
Access to the VulnerableThings.com platform is free until January 31, 2021, IoTSF announced. The service is being tested for a trial period, to observe demand and gain feedback from users.
Related: UK’s NCSC Publishes Guide to Implementing a Vulnerability Disclosure Process
Related: Facebook Announces Vulnerability Reporting and Disclosure Policy
Related: Google Project Zero Updates Vulnerability Disclosure Policy