Nearly 60% of IoT manufacturers have no way for security researchers to contact them
In 2018, Copper Horse conducted research for the IoT Security Foundation into the state of vulnerability disclosure amongst product manufacturers across the world. Measuring IoT and embedded systems security is quite a hard thing to do. Much of the protection (or lack of it) is hidden in the depths of the product. Some symptomatic evidence of insecurity can be discovered relatively easily in the product itself, such as by scanning for open ports and legacy protocols. Simple testing can be performed at the user interface level too, and even via the product manual, which will very quickly demonstrate whether a product has a common, universal default password for all devices that does not have to be changed immediately. All of these things involve getting access to the device, which carries quite a high level of cost and ultimately, beyond the basics, would require some quite extensive reverse engineering to discover deeper-level issues.
There is, however, one very simple method of demonstrating a company’s stance towards product security: its attitude and approach towards security researchers. For many years now, accepted good practice has been to publish a Vulnerability Disclosure Policy (VDP), with international standards that lean towards Coordinated Vulnerability Disclosure (CVD) – a method which penalises neither the researcher nor the company receiving the vulnerability report. Both parties work together closely to help reach a resolution, allowing the company to deploy a patch or fix, if possible, to protect its customers. At that point, the security researcher also publishes their material. Many security researchers want to demonstrate their work at security and hacking conferences – this helps them in their own careers or their university research, but most importantly allows for recognition of the often significant effort needed to discover the issues in the first place. The motivation for doing this on the security researcher’s side is almost never financial, yet some companies struggle to understand this, finding it anathema to the way they work; worrying that they’re being blackmailed, sometimes calling in the lawyers or the police!
All of this is why companies need to understand that if they’re producing products and services, they are not just obligated by good practice to ensure that they engage with the security research community in a proper, standardised way, but even more so now – in some countries and regions it is the law that they must do this. In Europe, the clock is now ticking for companies to ensure they are compliant with the Cyber Resilience Act (CRA). In the UK, they’re already required to be compliant.
In the eighth year of our annual report into ‘The State of Vulnerability Disclosure Usage in Global Consumer IoT in 2025’, we find that adoption of vulnerability disclosure policies has reached 40.53% of manufacturers, leaving 59.47% of manufacturers still without a way for security researchers to contact them. At the current rate, the trend would lead towards a theoretical 2040 date for 100% adoption. Whilst this has improved significantly from the 9.7% adoption rate we saw in 2018, the situation is still extremely poor. It tells you a lot about these companies and their approach to product security in general.

We have delayed the publication of this report until now so that we had clarity on the draft standards for VDP in the CRA. We were a little disappointed when we finally got access, and you can read why in the report.
Retailer stocking figures for manufacturers that are compliant with vulnerability disclosure best practice are really up now, and that is great because it shows that when people are buying a product in a shop, they’re not generally exposed to shoddy equipment. However – some pure online retailers are still pushing products which are clearly questionable.
Our dataset of manufacturers from across the world has expanded from the original 332 in 2018 to 491 in 2025, giving us a richer global picture. The manufacturers that are non-compliant look more like the long tail of the market now (low-quality / very cheap product) – if we were able to look at true market volume, the larger-volume, big-name manufacturers broadly look to be compliant, as you can see in the annex of the document. The conclusion is that, ultimately, purchasers of connected consumer products from major retailers are demonstrably being better protected, and our hope is that the CRA deals with that long tail of the market; it might be messy though.
There is much more analysis in the report, and our annual league table of VDP adoption with all the companies listed is contained in the annex. All of the data is available for analysis under a CC 4.0 licence on our research page, including all previous years’ reports and data. Please do let us know what you use it for and if you want us to look at other areas.
