IoT Security Foundation Launches Vulnerability Disclosure Platform

A platform to allow IoT vendors to simplify the reporting and management of vulnerabilities has been launched by the Internet of Things Security Foundation (IoTSF).

With the ETSI EN 303 645 specification requiring IoT vendors to publish a clear and transparent vulnerability disclosure policy, establish an internal vulnerability management procedure, make contact information for vulnerability reporting publicly available and continually monitor for and identify security vulnerabilities within their products, the IoTSF has launched the platform in order to help IoT vendors comply with legislation.

Designed to help IoT vendors receive, assess, manage and mitigate vulnerability reports, the platform aims to provide a vulnerability management tool to help IoT manufacturers prepare for emerging regulations and to maintain compliance. Access to the platform is available free until January 31 2021, and manufacturers that subscribe will have access to a dashboard that will guide them through the vulnerability resolution process and facilitate communication with the reporter.

Where a vulnerability is reported in a product from a vendor that hasn’t registered with the service, an alert will be sent to a public email address of the manufacturer, who will then have the opportunity to securely access the details of the vulnerability report.

Vulnerabilities can be reported by any individual anonymously. Those who register are provided with a dashboard which allows them to monitor the progress towards resolving vulnerabilities they have reported to different manufacturers. The IoTSF said the intention is to promote dialogue between vendors and security researchers, as without mechanisms to report, manage and resolve vulnerabilities, the security of consumer IoT products diminishes over time and the risk of attack or abuse increases.

John Moor, managing director of the IoT Security Foundation, said: “Vulnerability management is such a fundamental element to IoT cyber-hygiene that it is no surprise that governments and regulators around the world are making this a mandatory requirement.

“We therefore see the need to drive this vital security practice and aim to help make it as simple as possible with the launch of the Vulnerable Things platform – especially for the uninitiated and firms who may lack resources. The service brokers good communications between researchers and vendors and guides both through the process until complete.”

Matt Warman, the UK Government’s digital infrastructure minister, said: “I welcome this new initiative to help industry improve the security of internet of things devices and boost our burgeoning digital economy while protecting people online. We want everyone to have confidence that the internet-connected products they are buying have stronger security and we are working on legislation in this field to help make this a reality.”
