Vulnerability Disclosure: Best Practice Guidelines

Day, Jeff and Kearney, Paul and Moor, John and Marshall, Richard and Bott, Andrew and Poyner, Ian (2021) Vulnerability Disclosure: Best Practice Guidelines. IoT Security Foundation.

IoTSF-Vulnerability-Disclosure-Best-Practice-Guidelines-Release-2.0.pdf - Published Version
Available under License Creative Commons Attribution.



It is vital to the commercial interests of providers of Internet of Things (IoT) products and solutions and to the security of their customers, that vulnerabilities are discovered and remediated as soon as possible. Third party security researchers are a valuable adjunct to a provider’s internal resources in addressing this goal. To ensure effective co-operation and maintain good relations with external security researchers, it is important for providers to define and communicate vulnerability disclosure processes that not only describe how they would like vulnerabilities to be reported confidentially to them, but also set expectations as to how they will process and act upon such reports. This process should include provision of feedback to the discovering researcher, and the public announcement of the security vulnerability, usually after the release of a software patch, hardware fix, or other remediation.

The ETSI 303 645 standard [4], which lays down baseline security requirements for the consumer IoT, includes requirement 5.2, to “Implement a means to manage reports of vulnerabilities”. This states that “The manufacturer shall make a vulnerability disclosure policy publicly available.”, adding that “A vulnerability disclosure policy clearly specifies the process through which security researchers and others are able to report issues.”

This document provides manufacturers, integrators, distributors, and retailers of IoT products and services with a set of guidelines for handling the disclosure of security vulnerabilities, based on best practice and international standards.

Item Type: Other
Accepted: 28 September 2021
Published Online: 28 September 2021
Subjects: CAH11 - computing > CAH11-01 - computing > CAH11-01-01 - computer science
Divisions: Faculty of Computing, Engineering and the Built Environment > School of Computing and Digital Technology
Depositing User: Paul Kearney
Date Deposited: 28 Sep 2021 12:18
Last Modified: 22 Mar 2023 12:00
