What is VulnerableThings.com?
Everyone is best served when IoT cybersecurity vulnerabilities are reported directly to the manufacturers who can fix them and coordinate public vulnerability disclosure. Timely identification of and response to security issues creates a safer and more resilient product for your company and, more importantly, your customers. Not responding to vulnerability reports, or not having a vulnerability reporting mechanism at all, may result in vulnerability disclosure via the press, regulators, or other outlets, which can cause serious reputational as well as financial harm to your business and result in legal action. Vulnerable Things helps consumer IoT manufacturers reduce these risks and adopt coordinated vulnerability disclosure best practices.

Vulnerable Things is a user-friendly coordinated vulnerability disclosure management and reporting service for security researchers and consumer Internet of Things (IoT) manufacturers (including developers, IoT solution and service providers). Vulnerable Things’ automated communications, vulnerability management tool and member resources support companies before, during and after a vulnerability is reported.

Security researchers and users (reporters) can report vulnerabilities to IoT manufacturers through the reporting service. A reporter is anyone who reports a vulnerability on Vulnerable Things – this does not refer to members of the press or journalists. Consumer IoT manufacturers (referred to as members) can manage reports, communicate with the reporter and coordinate public disclosure of vulnerabilities. The service offers members additional resources (such as a sample policy, a glossary of terms, and a directory of specialists). Together these tools help members:
- Comply with consumer IoT standards (e.g. ETSI EN 303 645) and regulation; and,
- Navigate the sometimes tricky environment of coordinated vulnerability disclosure.
Submitting vulnerability reports is free and open to anyone, but IoT manufacturers must subscribe to access our vulnerability management service and members-only resources.
You can find more information on our About page.
Vulnerable Things was created by the IoT Security Foundation in partnership with its members and Oxford Information Labs. It was built using a security by design approach, is based on the ISO/IEC 29147 standard, and takes into consideration requirements set out in the first globally applicable consumer IoT security standard – ETSI EN 303 645.
Importantly, there are a few things Vulnerable Things is not. It is not a vulnerability bug bounty program or triage service. We also do not coordinate disclosures between third parties (e.g. across supply chains or multiple manufacturers).
At this time we can only accept reports for IoT manufacturers who have subscribed to our service.
Why is vulnerability disclosure important?
Your company and your customers are best served when vulnerabilities are reported directly to you and are not made public until you have had an opportunity to develop, test, and deploy a patch to mitigate the underlying vulnerability. Vulnerability disclosure is a cornerstone in IoT security and is increasingly noted by governments and international standards as a key requirement for companies offering consumer IoT products. In fact, failing to have a vulnerability management mechanism is in breach of some national regulation and may prevent your product from being compliant with the first global consumer IoT security standard (ETSI EN 303 645).
Vulnerable Things helps subscribers comply with standards and regulation by:
- providing a sample vulnerability disclosure policy;
- facilitating communication between consumer IoT manufacturers and vulnerability reporters with its in-platform messaging service;
- preparing manufacturers for vulnerability disclosure with information and resources;
- guiding manufacturers through the process of vulnerability management using its management tool; and
- enabling coordinated vulnerability disclosure through its public announcement board.
Timely identification and response to security issues creates a safer and more resilient product for your company and, more importantly, your customers. Not responding to vulnerability reports or not having a vulnerability reporting mechanism may result in vulnerability disclosure via the press or regulators, which can cause serious reputational as well as financial harm to your business and result in legal action.
What does Vulnerable Things do?
Vulnerable Things is a platform for consumer IoT manufacturers and reporters to coordinate vulnerability disclosure. It is a one-stop shop for vulnerability reporting, management, and coordinated disclosure.
Vulnerable Things is not a bug bounty program. However, manufacturers may offer their own bounty programs so it is worth checking with them. We also offer IoT manufacturers who subscribe to our service access to a directory of specialists who may be able to help with related issues, such as triage or penetration testing.
What makes Vulnerable Things different from other vulnerability disclosure services?
Vulnerable Things was developed specifically to support consumer IoT manufacturers in order to help improve the security of IoT products and services and thereby protect consumers. It is also intended to help comply with coordinated vulnerability requirements set out in standards (e.g. ETSI EN 303 645) and regulation.
We think vulnerability disclosure should be an easy and straightforward process. We also believe that sharing information is key to improving the security of consumer IoT devices.
By creating a user-friendly service for consumer IoT manufacturers and reporters to communicate, we hope that more vulnerabilities can be reported, fixed, and responsibly disclosed to the public.
Information for Consumer IoT Manufacturers
Who can be a member?
Any company providing consumer IoT products and/or services can subscribe to the Vulnerable Things service. Members get full access to our coordinated vulnerability management and disclosure service. This includes vulnerability tracking and communication tools as well as a variety of resources only available to our members and developed specifically with consumer IoT manufacturers in mind (e.g. glossary of terms and directory of specialists).
What are the benefits of joining the Vulnerable Things platform?
By using Vulnerable Things, members can show they are adopting IoT security best practices, some of which are set out in regulation and international standards. Our service does this by adopting and supporting industry best practices in responsible vulnerability disclosure, and compliance with existing standards (e.g. ETSI EN 303 645), regulation (e.g. forthcoming UK regulation), and Codes of Practice, such as the Australian Draft Code of Practice: Securing the Internet of Things for Consumers.
In addition, Vulnerable Things offers members resources to help IoT manufacturers navigate the tricky landscape of vulnerability disclosure.
Bespoke resources developed by the IoT Security Foundation’s industry experts include:
- sample vulnerability disclosure policy;
- glossary of vulnerability disclosure terminology;
- a vulnerability disclosure case study; and
- a resource directory of specialists if you need more help.
In addition, the Vulnerable Things service:
- is a one-stop shop for vulnerability disclosure – reporting, management, and coordinated disclosure;
- aids effective communication between reporters and manufacturers;
- helps to set expectations and promote positive communication and coordination with the researcher who reported the vulnerability;
- reduces the cost and possibility of conflict when working with reporters;
- leads to improved security of IoT products and services and safety of customers;
- helps avoid bad publicity that is likely to damage the brand and sales; and
- helps smaller manufacturers follow best practices and meet requirements set out in standards or regulation with ease.
How do I become a member and what are the fees?
You can become a member by registering here. Once registered, your company will have an account to manage coordinated vulnerability disclosure and access to Vulnerable Things resources.
What are the existing consumer IoT security standards and regulations?
A number of international standards organisations and governments are working to improve consumer IoT security.
The European Telecommunications Standards Institute (ETSI) is releasing the first globally applicable consumer IoT cybersecurity standard, ETSI EN 303 645, which requires vulnerability disclosure management. Countries like the UK are currently putting similar requirements into regulation. Australian and UK governments have also set out expectations in Codes of Practice for consumer IoT security.
The IoT Security Foundation offers free guides for those wanting more information about standards, regulation, and best practices for compliance.
Why is Vulnerable Things only focused on consumer IoT providers?
Consumer IoT is growing, and so are the number of IoT manufacturers and users. With the fast pace of innovation and rush to market for IoT products, security patches are often needed during the device lifetime. Additionally, consumers should not be responsible for understanding or implementing IoT security best practices.
Our aim is to make coordinated vulnerability disclosure easy and accessible to consumer IoT manufacturers and reporters to facilitate adoption of best practices and increase the baseline security of consumer IoT products.
Information for vulnerability reporters
Who can report a vulnerability and do I need to register?
Anyone can report a vulnerability! You have the option of becoming a registered reporter for free. Registered reporters get additional benefits, like being able to track multiple or resolved (past) reports in one account, but registration is not required to submit a vulnerability report.
How do I register?
A registered reporter is anyone who has a Vulnerable Things account that logs and tracks the progress of all their reported vulnerabilities (past and present). You can register here.
Can I report a vulnerability for any IoT manufacturer?
Yes, the Vulnerable Things platform will accept reports on any IoT vulnerability. If the relevant manufacturer or distributor is not already a member of the Vulnerable Things service, we will attempt to pass on your report using publicly available information, so that the manufacturer or distributor can engage with the coordinated vulnerability disclosure process. We cannot guarantee that our efforts will be successful, or that the relevant manufacturer or distributor will engage in the coordinated vulnerability disclosure.
Data and privacy
What data do you collect?
What do you do with my data?
VulnerableThings.com adopts best practice security to protect your data and the integrity of our systems and services. The system is exposed to rigorous penetration testing, and all data is encrypted on servers and in transit. We ask you to follow HM Government advice in the management of your security credentials, and to adopt additional protection such as two-factor authentication whenever possible.
Increasingly, threats to security arrive via human interaction (social engineering), by email (phishing attacks) and by new methods. We never ask you to send security credentials via email or on the telephone, and we ask all visitors, reporters and members to report suspicious activities or anything that may pose a threat to the security of yourself or others.
I am having problems with the reporting portal, can I get help?
Still haven’t found an answer to your question? For additional help with the Vulnerable Things technical system, please review our Help Documentation. If you have further difficulty, please review our contact information.
For help with the Vulnerable Things service, please review our Vulnerable Things service support.
In your message, please include information about the issue/your question and any error messages you received.
If you need help with other aspects of vulnerability resolution or coordination, please see our directory of specialists who may be able to help you with their expertise in IoT security.
I found a vulnerability on your website/service, how do I report it?
You can find our public vulnerability disclosure policy here.