• Investing
  • Stock
Round Table Thoughts
  • Economy
  • Editor’s Pick
Home Editor's Pick IoT Security Foundation Announces Fifth Report on Consumer IoT Vulnerability Disclosure Policy Status
Editor's Pick

IoT Security Foundation Announces Fifth Report on Consumer IoT Vulnerability Disclosure Policy Status

by January 23, 2023
by January 23, 2023 0 comment
Share
0
FacebookTwitterPinterestWhatsapp

Disappointing Results and the Enactment of the UK Product Security and Telecommunications Infrastructure Bill Means Firms Could Face Monetary Penalties for Non-Compliance.

The IoT Security Foundation has published its latest influential research report which monitors the security management behaviour of consumer IoT product companies.

The study reviewed the practice of 332 companies identified as selling IoT products for consumer and commercial uses such as appliances, routers, audio, smart home, lighting, mobile, tablets and laptops. This is the fifth published report in the series, plotting industry progress since 2018 with prior versions cited as evidence in global standards and regulatory processes. The desk-based research was carried out during the summer of 2022 by Copper Horse Ltd., who are experts in mobile and IoT security.

Key Findings

Vulnerability management is critical for connected product security and is widely accepted as a basic hygiene practice for vendors. It features in nearly 30 cybersecurity guidance initiatives [1], including IoTSF’s highly popular IoT Security Assurance Framework [2]. Easy reporting of security issues is therefore regarded as essential for security lifecycle maintenance.

Once again, the main finding is that vulnerability disclosure practice remains at a disappointingly low level. In 2018 we found that just 9.7% of firms in the study had a disclosure policy and in this latest report that number is just 27.1%. This is still far below the near-100% the researchers would like to see.

Whilst it is not always easy to determine the origin of products, the analysis also indicates the best-performing region to be Asia, with European suppliers trailing significantly behind (34.7% vs. 14.5% respectively).

Evolving Practice

The report was originally conceived to raise awareness of vulnerability management and the likelihood of legislation, and it has also served as an ongoing commentary on the evolution of industry practices. As part of the study the researchers identified increases in the use of the ‘/security’ contact page, the use of machine-readable ‘secuity.txt’ files and a small decline in PGP key usage for secure submissions. Two policy maintenance trends are also identified; a noticeable rise in the number of companies that are failing to keep their policies up to date and an increase in the number of companies using a third-party ‘proxy service’ to host and maintain their policies.

Regulation has arrived

As anticipated, the UK’s long-awaited Product Security and Telecoms Infrastructure (PSTI) Bill achieved Royal Assent on December 6th, 2022, meaning it is now law [3]. Within the legislation, there are responsibilities for manufacturers, importers, and distributors to provide a vulnerability disclosure policy [4]. This means that the 72.9% of companies identified in the report who do not have a policy, will be in breach of UK law.

John Moor, Managing Director of IoTSF said:

“Naturally it is disappointing to see so many consumer IoT companies still not taking basic steps to maintain their product security. IoTSF members are strong advocates for building secure IoT systems and we work together to help others by sharing knowledge and publishing how-to guides, for those in need – many resources are published for free. There is no excuse – good design and simple hygiene practices mean manufacturers can protect their customers cost-effectively.”

David Rogers, CEO of Copper Horse Ltd., said: “The overall picture remains shocking. If the adoption of vulnerability disclosure policies continues at the current rate, IoT manufacturers won’t be fully compliant until 2039! Even with the threat of incoming legislation, there is complacency in manufacturers that translates into an unacceptable risk for consumers when it comes to the security of IoT devices.”

HackerOne Inc., supported the creation of the 2022 report and Laurie Mercer, Senior Manager of Security Engineering said: “Knowing about security vulnerabilities within products and services through a Vulnerability Disclosure Policy (VDP) is an important way to identify and rectify them as part of the product security lifecycle. It’s a best practice that customers are increasingly looking for their supplier to adopt, but this research suggests it is not yet common practice. The fact that the UK has seen higher adoption speaks to the impact government legislation and policy can have on cybersecurity. Mandating VDPs is going to be the most effective way of ensuring consumer safety.”

Moor concluded with an optimistic outlook: “We should also praise those who made it their business to be on the 2022 green list and look forward to the next report, when we trust the legislation, with a possible penalty of up to £20,000 per day, will provide the necessary motivation to get off the red list of companies contained in the report.”

The report can be downloaded here. More reports from the IoTSF can be downloaded for free and without registration here.

[1] https://iotsecuritymapping.com/provision-2/
[2] https://www.iotsecurityfoundation.org/best-practice-guidelines/
[3] https://bills.parliament.uk/bills/3069
[4] https://www.gov.uk/guidance/the-product-security-and-telecommunications-infrastructure-psti-bill-product-security-factsheet

The post IoT Security Foundation Announces Fifth Report on Consumer IoT Vulnerability Disclosure Policy Status appeared first on IoT Business News.

You Might Also Like
  • Boeing machinists on picket lines prepare for lengthy strike: ‘I can last as long as it takes’
  • IHOP rolls out biscuits menu nationwide for the first time as chain fights slowing sales
  • Social Security checks are about to change. Here’s when and how much.
  • Lowe’s becomes latest company to dial back DEI efforts aimed at LGBTQ groups
Share
0
FacebookTwitterPinterestWhatsapp

previous post
Importance of Data Masking Techniques in IoT Landscape: 2023 and Beyond
next post
3 Reasons To Have Local IT Support For Your Tech Needs

You may also like

JetBlue plans to cut flights for New York area amid...

April 4, 2023

Capital One and Discover merger approved by Federal Reserve

April 19, 2025

Boeing’s Starliner losses top $2 billion after spacecraft program reports...

February 5, 2025

Department of Education error could lower U.S. students’ financial aid...

January 10, 2024

UAW strike would show Biden, other leaders it’s time to...

September 7, 2023

Some local Teamsters groups announce Harris endorsements after national union...

September 20, 2024

How on-time rent payments can help ‘credit invisible’ consumers be...

July 18, 2024

Byron Allen puts broadcast TV stations up for sale

June 3, 2025

Panera Brands CEO steps down; CFO to fill in as...

January 8, 2025

Ford F-150 Lightning electric truck fire highlights a growing EV...

April 24, 2023

    Stay updated with the latest news, exclusive offers, and special promotions. Sign up now and be the first to know! As a member, you'll receive curated content, insider tips, and invitations to exclusive events. Don't miss out on being part of something special.


    By opting in you agree to receive emails from us and our affiliates. Your information is secure and your privacy is protected.

    Recent Posts

    • How to Find Compelling Charts in Every Sector

      July 10, 2025
    • White House accuses Powell of mismanaging Federal Reserve, citing headquarters renovation

      July 10, 2025
    • Italian chocolate giant Ferrero to buy Kellogg’s Froot Loops maker

      July 10, 2025
    • OpenAI to release web browser in challenge to Google Chrome

      July 10, 2025
    • Sports executive charged with bid-rigging in Texas arena project

      July 10, 2025

    Popular Posts

    • 1

      Biden appointee played key role in recruiting Chinese...

      June 25, 2024 3,631 views
    • 2

      Trump-era China sanctions ended by Biden may be...

      June 27, 2024 2,919 views
    • 3

      Walz’s honeymoon with China gets fresh scrutiny as...

      August 9, 2024 2,607 views
    • 4

      Shein’s global ambitions leaves some cybersecurity experts fearful...

      July 10, 2024 2,577 views
    • 5

      Harris VP pick spent years promoting research facility...

      August 29, 2024 2,449 views

    Categories

    • Economy (7,009)
    • Editor's Pick (2,171)
    • Investing (538)
    • Stock (2,662)

    Popular Posts

    • 1

      Biden appointee played key role in recruiting Chinese businesses to Delaware: ‘Longtime friends’

      June 25, 2024
    • 2

      Trump-era China sanctions ended by Biden may be revived under new House GOP bill

      June 27, 2024
    • 3

      Walz’s honeymoon with China gets fresh scrutiny as Harris camp blasts ‘lying’ critics

      August 9, 2024
    • 4

      Shein’s global ambitions leaves some cybersecurity experts fearful of Chinese spy threats

      July 10, 2024
    • 5

      Harris VP pick spent years promoting research facility that collaborated with ‘Chinese military company’

      August 29, 2024

    Latest News

    • How to Find Compelling Charts in Every Sector

      July 10, 2025
    • White House accuses Powell of mismanaging Federal Reserve, citing headquarters...

      July 10, 2025
    • Italian chocolate giant Ferrero to buy Kellogg’s Froot Loops maker

      July 10, 2025

    Categories

    • Economy (7,009)
    • Editor's Pick (2,171)
    • Investing (538)
    • Stock (2,662)

    Disclaimer: RoundTableThoughts.com, its managers, its employees, and assigns (collectively “The Company”) do not make any guarantee or warranty about what is advertised above. Information provided by this website is for research purposes only and should not be considered as personalized financial advice. The Company is not affiliated with, nor does it receive compensation from, any specific security. The Company is not registered or licensed by any governing body in any jurisdiction to give investing advice or provide investment recommendation. Any investments recommended here should be taken into consideration only after consulting with your investment advisor and after reviewing the prospectus or financial statements of the company.

    Copyright © 2024 RoundTableThoughts.com. All Rights Reserved.

    Round Table Thoughts
    • Investing
    • Stock
    Round Table Thoughts
    • Economy
    • Editor’s Pick

    Read alsox

    Google launches first AI-powered Android update...

    August 14, 2024

    Amazon is raising free-shipping minimums for...

    August 31, 2023

    Law firm rescinds job offers to...

    October 19, 2023
    Sign In

    Keep me signed in until I sign out

    Forgot your password?

    Password Recovery

    A new password will be emailed to you.

    Have received a new password? Login here