All about Vulnerable Things, a service for Reporters of Vulnerabilities and IoT Manufacturers

What is Vulnerable Things?

Our goal is to:

  1. Help consumer IoT manufacturers manage the process of vulnerability reporting, management and coordinated vulnerability disclosure
  2. Make it easier for security researchers and users to report vulnerabilities to IoT manufacturers
  3. Improve consumer IoT security

Vulnerable Things is a user-friendly coordinated vulnerability disclosure management and reporting service for security researchers and consumer Internet of Things (IoT) manufacturers (including product developers and IoT solution and service providers). It acts as a vulnerability management tool and coordinator between the reporter and the manufacturer. Any consumer IoT manufacturer can use the Vulnerable Things disclosure service. It was designed for companies that prioritise security and want an expert offering instead of creating an in-house coordinated vulnerability disclosure solution. Vulnerable Things provides members with additional resources (such as a sample policy, glossary of terms, and directory of specialists) to help members:

  • Comply with consumer IoT standards (e.g. ETSI EN 303 645) and regulation; and
  • Navigate the sometimes tricky environment of coordinated vulnerability disclosure.

Vulnerable Things allows security researchers and users (referred to as reporters) to report identified vulnerabilities to consumer IoT manufacturers (referred to as members). A reporter is anyone who reports a vulnerability on Vulnerable Things – this does not refer to members of the press or journalists.

There is no charge for Vulnerable Things reporters to use the service – anyone can be a reporter and it is free to report a vulnerability.

Vulnerable Things helps reporters to:

  • submit vulnerability reports to members;
  • engage and effectively communicate with IoT manufacturers; and
  • track the progress and resolution of the vulnerability.

Vulnerable Things helps IoT manufacturers to:

  • comply with consumer IoT security standards (e.g. ETSI EN 303 645) and regulations;
  • adopt coordinated vulnerability disclosure and management best practices; and
  • facilitate productive communications with vulnerability reporters.

The Vulnerability Disclosure process

Why Coordinated Vulnerability Disclosure (CVD) is important

The public is best served when IoT cybersecurity vulnerabilities are reported directly to manufacturers that can fix them, and when public disclosures are delayed until the manufacturer has had an opportunity to develop, test, and deploy a patch to mitigate the underlying vulnerability.

CVD programs allow manufacturers to respond to vulnerability reports in a manner that minimizes the risk of malicious actors leveraging unpatched vulnerabilities to hack into systems or devices. Fixing a vulnerability in a timely manner reduces risks to users, devices, networks and the IoT manufacturer.

Not responding to vulnerability reports increases these risks and makes it more difficult to identify and fix vulnerabilities. Delays may result in vulnerability disclosure via the press, regulators or other outlets, which can cause serious reputational as well as financial harm to your business and result in legal action.

Cooperation between researchers and manufacturers leads to improved security of products and services which, in turn, helps protect consumers from malicious actors and criminals. Coordinated vulnerability disclosure is intended to reduce clashes between researchers and manufacturers. Some of these clashes have resulted in legal action against bug hunters, creating unnecessary conflict and costs whilst diverting focus and resources from the objective of improving the security of products and services.

Vulnerable Things helps to facilitate this cooperation.

Benefits of using Vulnerable Things

Vulnerable Things’ communications and vulnerability management tools and member resources provide support to IoT manufacturers before, during and after a vulnerability is reported.

Vulnerable Things provides an automated service that:

  • is a one-stop shop for coordinated vulnerability disclosure – reporting, management, and coordinated disclosure; and
  • aids effective communication between reporters and manufacturers.

Additionally, Vulnerable Things offers the following benefits for consumer IoT manufacturers:

  • provides an easy-to-use vulnerability management tool to help guide parties through the vulnerability disclosure process;
  • supports coordinated vulnerability disclosure using its disclosure feed;
  • provides a variety of supporting resources developed specifically for the platform and only available to Vulnerable Things members;
  • helps to set expectations and promote positive communication and coordination with reporters;
  • reduces the potential for conflict when working with researchers;
  • leads to the improved security of IoT products and services and the safety of customers; and
  • helps to avoid bad publicity which can damage a company’s brand.

Finally, Vulnerable Things offers the following additional benefits for security researchers:

  • helps to ensure that reported vulnerabilities are addressed;
  • makes it easier to contact manufacturers and report vulnerabilities, using a standardised format and process;
  • provides acknowledgement that their report has been received and is being investigated by the manufacturer, and provides a platform to track progress through to resolution;
  • allows registered reporters to access and track all previous and ongoing reports in one place;
  • reduces the possibility of conflict when working with manufacturers;
  • improves reporter standing with manufacturers and the wider community; and
  • provides public recognition of the reporter’s contribution to consumer IoT security and safety.

Joining and more information

The ‘Vulnerable Things’ service was created by the IoT Security Foundation in partnership with its members and Oxford Information Labs.