IoT Security Foundation Launches Vulnerability Reporting Platform

The Internet of Things Security Foundation (IoTSF), an effort aimed at improving the security of IoT, has launched an online platform designed to make the reporting of vulnerabilities in IoT devices easier.

Launched alongside a new report into coordinated vulnerability disclosure, the Consumer Internet of Things Vulnerability Disclosure Platform (VulnerableThings.com) caters to both security researchers and manufacturers, seeking to ensure coordinated vulnerability disclosure management and reporting.

The platform provides automated communications and vulnerability management, and helps organizations get the support they need throughout the entire vulnerability reporting and response process. Resources such as a directory of specialists, a glossary of terms, and a sample policy are also available.

In addition to security researchers, users too can report security bugs to manufacturers and are referred to as reporters. Consumer IoT manufacturers (which are called members) have the option to manage reports and get in touch with the reporter, as well as to coordinate public disclosure.

“Timely identification of, and responses to, security issues creates a safer and more resilient product for your company and, more importantly, your customers. Not responding to vulnerability reports or not having a vulnerability reporting mechanism may result in vulnerability disclosure via the press, regulators, or other outlets which can cause serious reputational as well as financial harm to your business and result in legal action,” IoTSF notes.

Vulnerable Things, the Foundation underlines, is not a vulnerability bug bounty program, nor a triage service, and does not offer coordination of disclosure between third parties either. For the time being, the platform only accepts reports for the IoT manufacturers that have already subscribed to its service.

Specifically built to help consumer IoT manufacturers in their endeavor to improve the security of their products and services, the platform also helps vendors comply with coordinated vulnerability requirements and best practices.

“We think vulnerability disclosure should be an easy and straightforward process. We also believe that sharing information is key to improving the security of consumer IoT devices. By creating a user-friendly service for consumer IoT manufacturers and reporters to communicate, we hope that more vulnerabilities can be reported, fixed, and responsibly disclosed to the public,” IoTSF says.

All manufacturers of consumer IoT products and/or services are welcome to subscribe to the service to receive access to vulnerability tracking and communication tools and to other available resources, including a vulnerability disclosure case study and sample vulnerability disclosure policy.

“Vulnerability management is such a fundamental element to IoT cyber-hygiene that it is no surprise that governments and regulators around the world are making this a mandatory requirement. We [] see the need to drive this vital security practice and aim to help make it as simple as possible with the launch of the Vulnerable Things platform – especially for the uninitiated and firms who may lack resources. The service brokers good communications between researchers and vendors and guides both through the process until complete,” said John Moor, Managing Director of the IoT Security Foundation.

Access to the VulnerableThings.com platform is free until January 31, 2021, IoTSF announced. The service is being tested for a trial period, to observe demand and gain feedback from users.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
