Vulnerability Disclosure Policy
Version 1.0, Effective from 06 October 2020.
Vulnerable Things is dedicated to improving the security of Internet-connected products (Things) for the benefit of all, through encouraging the reporting of vulnerabilities, notifying providers of Things (Providers) of any reported vulnerabilities and, where appropriate, disclosing information on our website to help organisations and individuals to reduce the risks to them, their Things and their property.
Who does this policy apply to?
This policy applies to anyone who identifies any weakness of software, hardware, or online service that can be exploited in relation to Things (Vulnerability).
Vulnerable Things welcomes reports from ethical hackers, security researchers, users of Things and members of the public. However, if you are employed or engaged by any of our Industry Members, you should comply with any internal reporting policies.
What is the purpose of this policy?
The purpose of this policy is to ensure that any Vulnerability is reported in a responsible manner and to explain the process we will follow once a Vulnerability has been reported.
What types of Vulnerability should be reported?
Examples of the types of Vulnerability that could be reported to us include:
- Weak passwords providing access to firmware or client software
- Unsecured network services which compromise the confidentiality, integrity, or availability of data
- Unsecured interfaces between Things and other applications or networks, including weak encryption or a lack of authentication
- Poor security update mechanisms, including unencrypted downloads, poor firmware validation, inability to roll back to previous versions and lack of notifications of updates
- Outdated software components or dependencies
- Storage of personal data on the Thing itself or the Thing’s network, which can easily be compromised
- Default settings which are insecure and prevent owners of Things from configuring them
How should a Vulnerability be reported?
If you have identified a Vulnerability, you should report the Vulnerability through our Vulnerability Reporting page.
What should a report contain?
Your report should contain as much information as possible, including at least the following information:
- Name of the Provider
- Name of product or service and affected version(s)
- URL of the Thing, network or service
- Software type and version used for testing (e.g. operating system and browser)
- Description of the Vulnerability
- Possible root cause
- Proof of concept code or other substantial evidence
- Details of how to reproduce or expose the Vulnerability
- Assessment as to how other products, services or networks may be affected
What are the rules on reporting a Vulnerability?
You must act towards Vulnerable Things and our users in good faith, which means that you must not act maliciously and only make reports with the intention of helping to improve the security of Things for the benefit of all.
You should not:
- Communicate the Vulnerability to any other person (including on any public or private forums) before giving the relevant Industry Member the opportunity to review and verify your report and respond to you with a view to coordinating disclosure of the Vulnerability either through our website or by any other means (unless the Vulnerability is directly relevant to any other person, for example, the developer of a related software library).
- Access more resources than are necessary to demonstrate the existence of a Vulnerability.
- Copy, modify or extract any data associated with the Industry Member’s Things, systems or services.
- Use high-intensity, invasive or destructive scanning tools to find vulnerabilities.
- Attempt, or make any report to Vulnerable Things in respect of, any form of denial of service, e.g. overwhelming a service with a high volume of requests.
- Disrupt the Organisation’s services or systems.
- Submit reports detailing non-exploitable vulnerabilities, or reports indicating that the services do not fully align with “best practice”, for example missing security headers.
- Social engineer, ‘phish’ or physically attack the Organisation’s staff or infrastructure.
- Demand financial compensation in order to disclose any vulnerabilities.
- Break the law.
After you have reported a Vulnerability, any records extracted by you should be deleted as soon as possible.
What are the consequences of reporting a Vulnerability?
You are solely responsible for your own compliance with law. Complying with this policy is not intended to provide you with any protection if you breach the law, nor does this policy give you permission to act in any manner that is inconsistent with the law as it applies to you or the Organisation.
However, if legal action is initiated by a third party against you and you have complied with this policy, we can take steps to make it known that your actions were conducted in compliance with this policy.
What will happen after a report has been submitted?
After you have submitted a report:
- We will automatically acknowledge your report by email to any email address provided.
- We will forward your report to the relevant Industry Member within 24 hours. The Industry Member may ask you to provide further details of the vulnerability you have reported.
- You will be able to track your report through your account (unless you choose to report anonymously). If you report as a Guest Reporter you will only be able to track your most recent report.
- Industry Members will assess the priority for remediation by looking at the impact, severity and exploit complexity. Vulnerability reports might take some time to triage or address. You are welcome to enquire on the status but should avoid doing so more than once every 14 days to allow the relevant Industry Member’s teams to focus on the remediation.
- We will notify you when the reported vulnerability is remediated, and you may be invited to confirm that the solution covers the vulnerability adequately.
- Once a Vulnerability has been resolved, we welcome requests to disclose your report. We’d like to unify guidance to affected users, so please do continue to coordinate public release with us.
What happens if an Industry Member ignores a report?
We reserve the right to terminate any Industry Member’s account if they fail to respond to or fail to act in relation to any report or verified Vulnerability within the timescales outlined above. We will not terminate an Industry Member’s account where they do not respond to any groundless or repetitive reports.
Will there be any bounty or other reward for reporting a Vulnerability?
Vulnerable Things does not offer any bounty or other rewards and, when you submit a report through our website and accept the relevant terms and conditions, you acknowledge that neither we nor any of our Industry Members are obliged to do so.
Where any Industry Member agrees to pay a bounty or other reward, this will be entirely at their discretion and subject to any terms and conditions imposed by them.
Will you be credited for identifying a Vulnerability?
All reports will be treated as confidential.
Neither Vulnerable Things nor our Industry Members will credit you with identifying any Vulnerability without your consent.
In order to be credited for identifying a Vulnerability you must comply with this policy, in particular the obligation not to communicate the Vulnerability to any other person before attempting to make a coordinated disclosure of the Vulnerability with the relevant Industry Member.
We do not credit any of our staff, consultants or contractors for any Vulnerabilities reported to us by them.
Can you provide feedback on the disclosure process?
Yes. We welcome any feedback on this policy and your experience of reporting Vulnerabilities through our platform. All feedback will be treated as confidential.