IoT Security Foundation launches co-ordinated vulnerability disclosure platform for IoT industry

VulnerableThings.com helps vendors prepare for IoT security regulations and assists security researchers with vulnerability reporting

19 October 2020: An online platform designed to help IoT vendors receive, assess, manage and mitigate vulnerability reports has been launched by the IoT Security Foundation (IoTSF). VulnerableThings.com aims to simplify the reporting and management of vulnerabilities whilst helping IoT vendors comply with new consumer IoT security standards and regulations. 

As the first globally applicable standard for consumer IoT cybersecurity, the new ETSI EN 303 645 specification requires IoT vendors – which could include device manufacturers or importers/distributors – to publish a clear and transparent vulnerability disclosure policy; establish an internal vulnerability management procedure; make contact information for vulnerability reporting publicly available; and continually monitor for and identify security vulnerabilities within their products. 

Images relevant to this press release can be downloaded here: https://www.dropbox.com/sh/g1hmidw3o7nal8p/AADdOlx4WM7Os0fqFfS2Jdwya?dl=0

Governments around the world including in the UK, Australia, Singapore, Finland and the American states of California and Oregon have already published codes of practice, product labelling schemes or prepared legislation aligned to the standard. Implementing a means to accept vulnerability reports is a common feature of these initiatives. Without mechanisms to report, manage and resolve vulnerabilities – such as Co-ordinated Vulnerability Disclosure (CVD) – the security of consumer IoT products diminishes over time and the risk of attack or abuse increases.

“Vulnerability management is such a fundamental element to IoT cyber-hygiene that it is no surprise that governments and regulators around the world are making this a mandatory requirement,” said John Moor, Managing Director of the IoT Security Foundation.

“As a world leading expert authority on IoT security, IoTSF has published vulnerability disclosure best practices and industry status reports. Our conclusions are that industry must do more to protect their customers and their own businesses. We therefore see the need to drive this vital security practice and aim to help make it as simple as possible with the launch of the Vulnerable Things platform – especially for the uninitiated and firms who may lack resources. The service brokers good communications between researchers and vendors and guides both through the process until complete.”

“We are piloting the service to test the likely demand and gain feedback for users.”

Vulnerabilities can put user safety and personal data at risk and could place an IoT vendor in breach of data protection regulations. Failure by a vendor to respond to a reported vulnerability, whether from a consumer or a specialist security researcher, could result in uncontrolled public disclosure of the vulnerability which would increase the risk of attacks by bad actors. Fixing a vulnerability promptly reduces risks to users, devices, networks and IoT manufacturers.

Matt Warman, the UK Government’s Digital Infrastructure Minister, said: “I welcome this new initiative to help industry improve the security of internet of things devices and boost our burgeoning digital economy while protecting people online. We want everyone to have confidence that the internet-connected products they are buying have stronger security and are working on legislation in this field to help make this a reality.”

VulnerableThings.com aims to provide an off-the-shelf, user-friendly vulnerability management tool and other valuable member resources including policy templates, issue resolution guidelines and a directory of specialist advisors to help IoT manufacturers prepare for emerging regulations and to maintain compliance. CVD must become an essential part of the culture of successful IoT vendors and needs to be understood and supported by a business’s board of directors, compliance officer, product managers, product development managers, product security, supply chain managers and public relations teams. 

Manufacturers that subscribe to VulnerableThings will have access to a dashboard that will guide them through the vulnerability resolution process and facilitate communication with the reporter. Where a vulnerability is reported in a product from a vendor that hasn’t registered with the service, an alert will be sent to a public email address of the manufacturer who will then have the opportunity to securely access the details of the vulnerability report by coming to VulnerableThings. 

Access to VulnerableThings.com is available free until 31 January 2021. Subscribing to the service also provides access to professional support for co-ordinated disclosure announcements.

While vulnerabilities can be reported by any individual anonymously, by registering with VulnerableThings.com, security researchers are provided with a dashboard that allows them to monitor the progress towards resolving vulnerabilities they have reported to different manufacturers. Promoting dialogue between vendors and security researchers will contribute to the success of the IoT ecosystem.

About the Internet of Things Security Foundation (IoTSF)

IoTSF is a non-profit corporate and professional membership association.

The mission of IoTSF is to help secure the Internet of Things, in order to aid its adoption and maximize its benefits. To do this IoTSF will promote knowledge and clear best practice in appropriate security to those who specify, make and use IoT products and systems.

IoTSF promotes the security values of a security-first approach, fitness for purpose and resilience through operating life. The security values are targeted at key stages of the IoT eco-system – those that build, buy and use products and services: Build Secure. Buy Secure. Be Secure.

IoTSF was formed as a response to existing and emerging threats in Internet of Things applications.

IoTSF is an international, collaborative and vendor-neutral members’ initiative, driven by the IoT eco-system and inclusive of all parties including technology providers and service beneficiaries.

For more information, news and further announcements, please visit the official website at www.iotsecurityfoundation.org

