As part of its work on making consumer IoT devices more secure, Consumer Reports looked at how many of 75 popular connected device companies make it easy for security researchers to report potential vulnerabilities. If researchers see something, is it easy for them to say something? This has been a recurring problem for our own testing team: we find a flaw and then have no way to work with the company to address it, as happened when we found insecure doorbell cameras, sold on major platforms such as Amazon and Temu, that could be easily hacked.
The good news is that 72% of the companies we looked at did have a dedicated point of contact for security researchers. The bad news is that companies making baby toys, door locks and connected faucets did not.
We also looked at how many companies have vulnerability disclosure policies, as recommended by both NIST and CISA, and tried to evaluate how robust the different programs were, considering factors such as whether the company responds to vulnerability reports within a reasonable period of time, runs a bug bounty program, and commits not to sue security researchers. Simply by reaching out to companies, we prompted a few to change their policies or add a dedicated point of contact for security researchers, so this research produced positive changes even before publication.
We conclude by encouraging companies to develop robust vulnerability disclosure policies, which include:
- adopting a robust vulnerability disclosure program for consumer IoT products;
- acknowledging receipt of a vulnerability report to the reporting security researcher within one week;
- sharing their mitigation plan with the researcher, including whether they intend to fix the bug and whether they will communicate it to consumers;
- creating a program to track vulnerabilities over time in their products;
- testing other products that may share the same software for the vulnerability, and planning mitigation for those products;
- avoiding non-disclosure agreements for researchers;
- and encouraging researchers to report by pledging not to sue those who conduct their research in line with the best practices set out in the publicly available VDP.
Text of full report: Who Ya’ Gonna Call? Why IoT Companies Should Embrace Vulnerability Disclosure Programs