Our goal is to:
Vulnerable Things is a user-friendly coordinated vulnerability disclosure management and reporting service for security researchers and consumer Internet of Things (IoT) manufacturers (including product developers and IoT solution and service providers). It acts as a vulnerability management tool and coordinator between the reporter and the manufacturer. Any consumer IoT manufacturer can use the Vulnerable Things disclosure service. It was designed for companies that prioritise security and want an expert offering instead of creating an in-house coordinated vulnerability disclosure solution. Vulnerable Things provides members with additional resources (such as a sample policy, glossary of terms, and directory of specialists) to help members:
Vulnerable Things allows security researchers and users (referred to as reporters) to report identified vulnerabilities to consumer IoT manufacturers (referred to as members). A reporter is anyone who reports a vulnerability on Vulnerable Things – this does not refer to members of the press or journalists.
There is no charge for Vulnerable Things reporters to use the service – anyone can be a reporter and it is free to report a vulnerability.
Vulnerable Things helps reporters to:
Vulnerable Things helps IoT manufacturers to:
The public is best served when IoT cybersecurity vulnerabilities are reported directly to manufacturers that can fix them, and when public disclosures are delayed until the manufacturer has had an opportunity to develop, test, and deploy a patch to mitigate the underlying vulnerability.
CVD programs allow manufacturers to respond to vulnerability reports in a manner that minimizes the risk of malicious actors leveraging unpatched vulnerabilities to hack into systems or devices. Fixing a vulnerability in a timely manner reduces risks to users, devices, networks and the IoT manufacturer.
Not responding to vulnerability reports increases these risks and makes it more difficult to identify and fix vulnerabilities. Delays may result in vulnerability disclosure via the press, regulators or other outlets, which can cause serious reputational as well as financial harm to your business and result in legal action.
Cooperation between researchers and manufacturers will lead to improved security of products and services which, in turn, will help protect consumers from malicious actors and criminals. Coordinated vulnerability disclosure is intended to reduce clashes between researchers and manufacturers. Some of these clashes have resulted in legal action against bug hunters, creating unnecessary conflict and costs whilst diverting focus and resources from the objective of improving the security of products and services.
Vulnerable Things helps to facilitate this cooperation.
Vulnerable Things’ communications and vulnerability management tools and member resources provide support to IoT manufacturers before, during and after a vulnerability is reported.
Vulnerable Things provides an automated service that:
Additional benefits for consumer IoT manufacturers: