Vulnerable Things Aims to Offer a One-Stop Platform for Reporting, Tracking IoT Security Issues

Free for reporters and free-in-beta for manufacturers, Vulnerable Things looks to be a one-stop disclosure service for the IoT.

The IoT Security Foundation is looking to make it easier to report and address vulnerabilities in Internet of Things (IoT) platforms via a dedicated disclosure platform: VulnerableThings.com.

"Vulnerability management is such a fundamental element to IoT cyber-hygiene that it is no surprise that governments and regulators around the world are making this a mandatory requirement," explains John Moor, managing director of the IoT Security Foundation, at the launch of the platform. "As a world leading expert authority on IoT security, IoTSF has published vulnerability disclosure best practices and industry status reports."

"Our conclusions are that industry must do more to protect their customers and their own businesses. We therefore see the need to drive this vital security practice and aim to help make it as simple as possible with the launch of the Vulnerable Things platform – especially for the uninitiated and firms who may lack resources. The service brokers good communications between researchers and vendors and guides both through the process until complete."

The Vulnerable Things platform, the organisation explains, is an off-the-shelf user-friendly vulnerability management tool which offers members everything from policy templates and issue resolution guidelines to a directory of specialist advisors for regulatory compliance issues. Manufacturers are invited to subscribe, and receive a dashboard which puts them in communication with those reporting vulnerabilities in products, platforms, and services; if a vulnerability is reported for a non-member's product, the report is forwarded for secure retrieval.

For security researchers, the reward comes in the form of a similar dashboard which allows them to track manufacturers' progress towards resolving reported issues. While the platform seeks to foster communications between reporters and manufacturers, it does not yet offer anything in the way of monetary rewards, unlike rival bug-bounty services.

Vulnerable Things is available for free until the end of January 2021 via the official website, as part of an open beta-test period; pricing after that has not been confirmed, other than a reassurance that those reporting vulnerabilities as a guest or a registered user will not be charged.

Gareth Halfacree
Freelance journalist, technical author, hacker, tinkerer, erstwhile sysadmin. For hire: freelance@halfacree.co.uk.