We’re delighted to announce Release 2 of our popular best practice guide on Vulnerability Disclosure Best Practice.
This is an essential element of cybersecurity hygiene and was one of the first guides we ever published, back in 2017, to support our mission to ‘make it safe to connect’. So much has happened in the development of standards and regulation since that publication that we felt the need to give the guide an overhaul:
- Firstly, the leading work of the UK Government (DCMS) with its Code of Practice for Consumer IoT Security [1] prioritised vulnerability disclosure as one of three essential measures which were expected to ‘bring the largest security benefits in the short term’. This was followed by the work of ETSI and its EN 303 645 standard Cyber Security for Consumer Internet of Things [2], taking that initial work a stage further, specifically through the requirement to ‘implement a means to manage reports of vulnerabilities’. With many regulatory authorities around the world adopting the standard, the direction of travel is clear: fixing vulnerabilities in connected (IoT) products is a basic requirement.
- ISO updated both their related standards ISO 30111 and ISO 29147. Whilst the updates are welcome, reintroducing a paywall so they are no longer free to download and use is not.
Our guide, along with other resources on our website, is intended to equip manufacturers with the knowledge needed to start and develop their vulnerability handling procedures and capabilities.
We therefore hope that you will download and use the guide, as we believe this single measure will significantly help to secure the IoT for the long term. We also hope that you’ll help us promote the guide within your organisation and your network so that others can do their part as well.
Finally, we’d like to thank those who contributed their time and expertise in putting the guide together and reviewing the content – your efforts are most gratefully received.
John Moor
Managing Director, IoT Security Foundation