Improving Internet of Things Vulnerability Disclosure and Coordination

Internet of Things (“IoT”), specifically in the consumer space, describes an environment where consumer devices, connected to the Internet in a smart home, communicate to each other directly or through the cloud. Cheap manufacturing and a fast-growing market brought billions such devices in everyday homes, and consequently new concerns emerged about their security. The complexity added by these new systems, with fragmented in-house hardware and software platforms, have been recently the target of both scrutiny and controversy. When IoT devices get hacked it’s no longer just “script kiddies” and part-time hackers, it’s state actors and national security on the line. Where for PCs there is a robust cybersecurity product market (eg. “antivirus”), the majority of IoT devices in households are designed with little or no regard towards cybersecurity and the typical consumer’s understanding of how to secure these is lacking. Effective ways to safeguard IoT products are bug bounties, programs that offer a financial reward to anyone discovering vulnerabilities, but they are costly and hard to manage, thus usually adopted by more mature companies. All manufacturers can additionally benefit from responsible vulnerability disclosure, or ethical hacking, where researchers attempt to find vulnerabilities for recognition or as a public service. Unfortunately disclosing and coordinating vulnerability research challenges are downplayed. This paper proposes to investigate impact, discuss time considerations, and suggest potential solutions for consumers, companies, and regulators to mitigate and improve IoT vulnerability reporting, fixing and disclosure.