Vulnerability Disclosure in IoT: Not Even Halfway There
Copper Horse is pleased to present its report into the State of Vulnerability Disclosure Policy (VDP) Usage in Global Consumer IoT in 2024.

The report is now in its 7th year and has been used by companies and governments to gauge adoption of best practices when it comes to IoT security at manufacturers. The existence of a point of contact for security researchers to disclose security vulnerabilities to manufacturers is a key indicator of adoption of product security practices, and the lack of one acts as an ‘insecurity canary’, flagging that all may not be well in the way that company approaches security.
This year’s report was produced by Copper Horse on behalf of the IoT Security Foundation and kindly once again supported by HackerOne. While HackerOne supported the creation of the report, they did not have any input or review of it and Copper Horse retained full editorial control of the work. You can read the IoT Security Foundation’s John Moor’s introduction to the report here.
Please enjoy reading this year’s report; the very short summary is as follows:
• Adoption of vulnerability disclosure policies by manufacturers is better, but still only around 35.5% of the market. In the seven years we’ve been running this report, this figure has shifted upwards from less than 10% of manufacturers in our original year.
• We widened the dataset significantly last year and have continued this; it now stands at 458 companies (from our original 331). The figure dropped to 24% last year as we expanded into the ‘long tail’ of IoT products, so this year’s figure looks like a decent correction upwards. It could possibly be the start of the hockey-stick, but we won’t really know until next year.
• Retailers in the USA are slightly better than they were in terms of stocking compliant products, but Walmart is still lagging behind with only 8 of 29 (27.59%) products stocked from manufacturers who provide vulnerability disclosure to security researchers.
• Retailers in the UK seem to be better than the rest of the world in terms of stocking compliant products, though there are some potential outliers. The Smyths Toys one is interesting: they don’t stock much connected equipment, but 3 of the 5 manufacturers they do stock aren’t yet compliant.
• The ‘green’ compliant manufacturers in our threshold have doubled since last year to 97 companies, which we believe is a great indicator of progress. All of these company names are listed at the back of the report, along with those rated amber and red.
• There are a number of companies directly talking about the UK’s PSTI Act and compliance. We have catalogued these in the ‘Talking Points and Observations’ section of the report.
All of the data is openly licensed under CC BY 4.0 and can be accessed from our Resources page, meaning that researchers and organisations are free to use this information in their own work, or to validate Copper Horse’s own work. Please do let us know if you use it, as we’re always interested in people’s projects!
Copper Horse CEO, David Rogers, said: “We’re committed to tracking the progress of IoT manufacturers on their journeys to better product security. Regulation across the world in the form of the UK’s PSTI Act and the EU CRA is welcome, but at the end of the day, manufacturers have to implement product security themselves. Progress in adopting good practices is steady but slow, and it appears that many are still unaware of their obligations or unwilling to protect their customers.”
