Getting started
Thank you for subscribing to Vulnerable Things. The information here will help with set-up and walk you through the service so that you are prepared to receive and manage vulnerability reports. This includes:
- public information for your website;
- an overview of the Vulnerable Things management process;
- an overview of Vulnerable Things’ coordinated vulnerability disclosure service; and
- where to go for more information about vulnerability disclosure.
Additional help and resources about the service are available on the Help and Documentation page.
Step 1: Public information for your website
Make sure your vulnerability disclosure policy is clearly visible and publicly available on your website. Please follow these steps:
- Ensure you have a publicly available vulnerability disclosure policy that sets out directions and expectations of all parties.
- There are a number of publicly available sample policies linked in our public resources. Vulnerable Things also provides a sample policy for members found here.
- This information should also be published as a security.txt file (RFC 9116) served over HTTPS at /.well-known/security.txt, with at least the Contact and Expires fields; keep the Expires date current, as an expired file signals that the contact details may no longer be valid.
- Include the Vulnerable Things logo with a hyperlink and the following language on your website and in your policy so that people know where and how to submit a vulnerability report.
- Please submit all vulnerability reports via the Vulnerable Things reporting service here: . The vulnerability reporting service is free and provided by the Internet of Things Security Foundation and supports coordinated vulnerability disclosure.
- It is good practice to have a webpage like www.IoTcompany.com/security that is a dedicated location for this type of information.
- Review the IoTSF Quick Guide “Manage Vulnerability Reports” for more information on preparing for and managing vulnerability disclosures.
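To make the security.txt step concrete, here is an added example (not part of the Vulnerable Things service or its documentation) that checks a security.txt file against the RFC 9116 rules most often got wrong: the mandatory Contact and Expires fields, https-only web URIs, single-valued fields, and an Expires timestamp that is in the future but less than a year out. The two sample files and every example.com address and URL in them are constructed placeholders; in practice the Vulnerable Things reporting URL would go in Contact and your own security page in Policy.

```python
"""Validate a security.txt file against the RFC 9116 rules most often got wrong.

Added example; this is not Vulnerable Things or IoTSF code. The sample files
below are constructed, and every address and URL in them is a placeholder.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample of what a vendor might serve at /.well-known/security.txt.
# The example.com addresses are placeholders, not real endpoints.
SAMPLE_SECURITY_TXT = """\
# Vulnerability disclosure contact for Example IoT Co. (placeholder)
Contact: https://example.com/security/report
Contact: mailto:security@example.com
Expires: 2030-01-01T00:00:00Z
Policy: https://example.com/security
Canonical: https://example.com/.well-known/security.txt
Preferred-Languages: en
"""

# Constructed sample with the mistakes the checker is meant to catch:
# plain-http Contact, no Expires, and a line that is not "Field: value".
BAD_SECURITY_TXT = """\
Contact: http://example.com/security
Policy: https://example.com/security
this line is not a field
"""

# Fixed "current time" so the demo and its checks are reproducible.
DEMO_NOW = datetime(2029, 6, 1, tzinfo=timezone.utc)

# Fields RFC 9116 says may appear at most once.
SINGLE_VALUED = {"Expires", "Preferred-Languages"}


def parse_security_txt(text):
    """Return ({field: [values...]}, [parse errors]); comments and blank lines are skipped."""
    fields, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            errors.append(f"line {lineno}: not a 'Field: value' line")
            continue
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields, errors


def check_security_txt(text, now=None):
    """Return a list of problems; an empty list means the file passed every check."""
    now = now or datetime.now(timezone.utc)
    fields, problems = parse_security_txt(text)

    # Contact and Expires are the only mandatory fields.
    for required in ("Contact", "Expires"):
        if required not in fields:
            problems.append(f"missing required field {required}")

    for name, values in fields.items():
        if name in SINGLE_VALUED and len(values) > 1:
            problems.append(f"{name} must appear only once (found {len(values)})")

    # Contact values are URIs; web URIs must use https, never plain http.
    for contact in fields.get("Contact", []):
        if contact.startswith("http://"):
            problems.append(f"Contact uses plain http; web URIs must start with https://: {contact}")
        elif not contact.startswith(("https://", "mailto:", "tel:")):
            problems.append(f"Contact is not an https/mailto/tel URI: {contact}")

    # Expires is an RFC 3339 timestamp. A stale file is the most common real-world
    # failure, and the RFC recommends an expiry under a year so the file gets re-checked.
    for expires in fields.get("Expires", [])[:1]:
        try:
            when = datetime.fromisoformat(expires.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not an RFC 3339 timestamp: {expires}")
            continue
        if when.tzinfo is None:
            problems.append("Expires has no timezone offset")
        elif when <= now:
            problems.append(f"Expires is in the past ({expires}); the file is stale")
        elif when - now > timedelta(days=366):
            problems.append("Expires is more than a year away; RFC 9116 recommends under a year")

    # Policy and Canonical link to your disclosure page and to this file; keep them https.
    for name in ("Policy", "Canonical"):
        for url in fields.get(name, []):
            if not url.startswith("https://"):
                problems.append(f"{name} should be an https URL: {url}")

    return problems


if __name__ == "__main__":
    for label, text in (("good", SAMPLE_SECURITY_TXT), ("bad", BAD_SECURITY_TXT)):
        found = check_security_txt(text, now=DEMO_NOW)
        print(f"{label}: {'OK' if not found else ''}")
        for problem in found:
            print("  -", problem)
```

Run it against the file you actually serve (fetch /.well-known/security.txt and pass the body to check_security_txt) as part of release checks, so an expired Expires or a contact address that changed with a re-org is caught before a reporter hits it. The checker deliberately ignores fields it does not know, as RFC 9116 instructs consumers to do, so registered extension fields do not produce false alarms.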
Step 2: Preparing for communications
Vulnerable Things facilitates communications via email – these include messages regarding report notifications, coordination with reporters, and your account. Please follow these steps:
- We suggest that the Vulnerable Things sender address (email address) is placed on an “approved senders” list so that essential emails are not sent to junk mail or blocked by your organisation’s email filters.
- Designate a person or group responsible for regularly checking your email for notices from Vulnerable Things. Notices include new submitted reports and messages from reporters. Regular and timely communications are a key aspect of coordinated vulnerability disclosure and reports should not go unaddressed. N.B. You can also log into your Vulnerable Things account to check for new reports or communications.
Step 3: We received a vulnerability disclosure – what next?
Below is a brief overview of Vulnerable Things’ recommended report management process and examples of steps to take in each response stage. Following a process like this will help you respond to vulnerability reports in a timely and coordinated way.
The basics: Receiving reports
- You will be sent an email notification once a vulnerability report for your company is submitted to the system.
- At this point, log into the dashboard to review and manage the report.
Communications with the reporter
- A central part of coordinated vulnerability disclosure promoted by Vulnerable Things is regular communication between the reporter and the company until the vulnerability is resolved.
- Start, and continue, constructive communications with the reporter from the outset using Vulnerable Things’ messaging service.
- Some reports will be submitted anonymously and will not support communications. In these cases, do not disregard the report. Treat the report as you would any other but know that you will not be able to coordinate with the reporter.
Managing a vulnerability
Below is an overview of the six Vulnerable Things management stages, recommended order, and examples of the actions to be taken in each stage.
Stage 1: Review report
- In this stage you will have first sight of the report and start communications with the reporter.
- Log into Vulnerable Things to review new reports as soon as possible.
- Send a message to the reporter acknowledging the report and setting out the next steps. This should be done as soon as possible, and within 7 days at most.
Stage 2: Validate vulnerability
- In this stage you will verify whether the reported vulnerability is a legitimate problem and what threat it poses.
- Share details of the report with relevant technical teams. This may include teams within your organisation or outside teams (e.g. in your supply chain or consultants) who will help assess the report.
- To share reports, you can either print the webpage or copy/paste the information into an email or document. Share only what the assessing team needs, and treat the report details as confidential until the public disclosure is published.
- Communicate with the reporter to gather more information as needed and to confirm if the vulnerability was validated.
Stage 3: Investigation
- In this stage you will continue research and investigation of the vulnerability after it has been validated.
- Research includes preliminary work to understand the vulnerability better and identifying possible remedies.
- By this stage you should have an assessment of the severity of the vulnerability, identified if other products are affected, and if there are related reports.
- Communicate with the reporter to gather more information as needed and to confirm when the stage is complete.
Stage 4: Resolution & mitigation
- In this stage you will use your findings to identify and develop the best techniques for addressing the vulnerability.
- Remediation techniques, or fixes, should be tested to make sure they resolve the issue(s), work correctly and do not disrupt functionality.
- A short-term fix, or mitigation technique, may be implemented while you work on a more substantial or long-lasting remediation technique.
- Communicate with the reporter to share information about how you resolved the vulnerability report, such as remediation or mitigation measures, and to confirm when the stage is complete.
Stage 5: Vulnerability disclosure
- In this stage you will coordinate with the reporter to prepare a public vulnerability disclosure using Vulnerable Things’ coordinated vulnerability disclosure tool (see below for more information).
- Prior to publishing the disclosure, use the Vulnerable Things’ messaging service to coordinate with the reporter and work together to identify information to be included.
- Give credit to the reporter in the public disclosure – if they would like to be credited.
- There may be times when you feel it is best to release an advisory before the remediation or mitigation technique is available (e.g. if the vulnerability is actively being exploited or has compromised personal data). The disclosure tool may also be used in these instances.
- Communicate with the reporter to let them know when the disclosure will be published on Vulnerable Things and if you will publish it elsewhere (e.g. on your website).
Stage 6: Report resolved
- After the previous 5 stages have been successfully completed, you may mark the report as resolved.
- In the event that a vulnerability was not validated, a report may be resolved without going through the interim steps. However, you should request more information from the reporter before resolving an unvalidated report.
Step 4: Coordinated vulnerability disclosure
The coordinated vulnerability disclosure service allows you to create a public vulnerability disclosure using a standard format and publish it directly onto the Vulnerable Things disclosure feed. There are 5 steps to create a public disclosure.
Step 1: Disclosure information
- In this section you will link the public disclosure to a vulnerability report and give the disclosure a name.
- You can choose when to publish the disclosure – either immediately (published when the disclosure form is “submitted”) or by selecting a date. If you select a future date, the disclosure will be published at 9:00am UK time on that day.
Step 2: Product information
- In this step you will provide information regarding the IoT product(s) affected by the vulnerability.
Step 3: Vulnerability information
- In this step you will provide information regarding the reported vulnerability.
- Coordination with the reporter can help determine useful and relevant information to include in the public disclosure.
- The vulnerability ID can be a mix of numbers and letters but must be unique. If you are using a vulnerability repository, you can enter that ID here. Vulnerable Things also provides MITRE’s CVE list for you to use if relevant – just start entering the name and a list will auto-populate.
Step 4: Acknowledgments and other information
- It is important to acknowledge the vulnerability reporter and the effort they have made to improve the security of the IoT product(s). If the reporter would like to be publicly acknowledged, you can include their information here.
- There is also an option to email the public disclosure to other people, for example those in your organisation or relevant supply chain contacts.
Step 5: Review the disclosure
- This is the final stage where you can review the full disclosure before publicly posting it.
- If you need to make edits, there is a “Go Back” button under the “Submit” button.
- Do not use the browser’s back button, as this will discard the information entered in the form.
- When you are happy with the disclosure, “Submit” the form and the disclosure will be published at the time you chose (i.e. immediately or at 9:00am UK time on the selected day).
Where to find more information on coordinated vulnerability disclosure:
- IoTSF Quick Guide “Manage Vulnerability Reports”
- Vulnerable Things member resources including:
- Other IoTSF resources like the Secure by Design Best Practice Guides
- Publicly available resources including ISO/IEC 29147 standard on vulnerability disclosure