Welcome to Consumer Reports Advocacy

For 85 years CR has worked for laws and policies that put consumers first. Learn more about CR’s work with policymakers, companies, and consumers to help build a fair and just marketplace at TrustCR.org

Consumer Reports investigation finds many major IoT manufacturers have no vulnerability disclosure programs

July 30, 2024

As part of making consumer IoT devices more secure, Consumer Reports decided to see how many of 75 popular connected device companies made it easy for security researchers to report potential vulnerabilities. If they saw something, was it easy for them to say something? This has been an issue for our testing team when we find problems and then don’t have a way to work with the company to address — such as when we found insecure doorbell cameras sold on major platforms like Amazon and Temu that could be easily hacked.

The good news is that 72% of companies we looked at did have a dedicated point of contact for security researchers. The bad news is that companies making baby toys, door locks and connected faucets did not. 

We also looked at how many companies have vulnerability disclosure policies as recommended by both NIST and CISA, and tried to evaluate how robust different programs were, looking at factors such as: responding to vulnerability reports within a reasonable period of time, establishing a bug bounty program, and committing not to sue security researchers. Simply by reaching out to companies, a few changed their policies or added a dedicated point of contact for security researchers, so even before publishing this research we made positive changes.

We concluding by encouraging companies to develop robust vulnerability disclosure policies, which include:

  • adopting a robust vulnerability disclosure program for consumer IoT products;
  • communicating receipt of a vulnerability report with the reporting security researcher within one week;
  • sharing their bug mitigation plan with the researcher including if they plan to mitigate it and communicate the bug to consumers;
  • creating a program to track vulnerabilities over time in their products;
  • testing other products that may use the same software for the vulnerability and plan mitigation for those products; 
  • avoiding non-disclosure agreements for researchers;
  • and encouraging researchers to report by pledging not to sue those who conduct their research while following the best practices listed in the publicly available VDP.

 

 

Text of full report: Who Ya’ Gonna Call? Why IoT Companies Should Embrace Vulnerability Disclosure Programs

IssuesTech & Privacy
Expert
Justin Brookman
Director, Technology Policy
You Might Also Be Interested In
press release
August 8, 2024
Consumer Reports evaluation of people-search site removal services finds that they are largely ineffective
August 7, 2024
Consumer Reports Submits Petition to Federal Trade Commission Regarding Auto Manufacturer Privacy Intrusions
press release
July 30, 2024
Consumer Reports applauds Texas AG settlement with Meta for violating Texas biometrics law
press release
July 25, 2024
Consumer Reports survey: Many Americans concerned about AI, algorithms