This policy outlines how the IoT Inspector Research Lab handles responsible vulnerability disclosure to product vendors and the general public.

Introduction

IoT Inspector is a platform for automated security analysis and compliance checks of IoT firmware. Our mission is to secure the Internet of Things. In order to discover vulnerabilities and vulnerability patterns within IoT devices, and to further enhance the automated identification that allows for scalable detection within IoT Inspector, we conduct extensive security research in the area of IoT.

By fixing existing vulnerabilities and applying the latest security patches to affected devices, vendors, manufacturers and end users all play integral roles in securing the Internet of Things. Whenever the IoT Inspector Research Lab discovers vulnerabilities in IoT firmware, we aim to responsibly disclose the relevant information to the vendor of the affected IoT device as well as to the general public, in a way that minimizes potential harm and encourages further security analyses of IoT systems.

But… 

IoT Inspector Research Lab respects the privacy of its clients and confidentiality of analyses conducted via the IoT Inspector platform. As such, IoT Inspector Research Lab will not publicly release any vulnerabilities identified by its clients via the IoT Inspector platform.

Disclosure Process

To follow industry best practices, our responsible disclosure process is based on Google’s vulnerability disclosure policy (https://www.google.com/about/appsecurity/):

We believe that vulnerability disclosure is a two-way street. Vendors, as well as researchers, must act responsibly, which is why IoT Inspector Research Lab adheres to a 90-day disclosure deadline. We notify vendors of vulnerabilities immediately, and only share details publicly after 90 days (or sooner if the vendor releases a fix). That deadline can vary in the following ways:

  • If a deadline is due to expire on a weekend or US public holiday, the deadline will be moved to the next workday.
  • Before the 90-day deadline has expired, if a vendor lets us know that a patch is scheduled for release on a specific day that will fall within 14 days following the deadline, we will delay the public disclosure until the availability of the patch.
  • When we observe a previously unknown and unpatched vulnerability in software under active exploitation (a “0day”), we believe that more urgent action—within 7 days—is appropriate. The reason for this special designation is that each day an actively exploited vulnerability remains undisclosed to the public and unpatched, more devices or accounts will be compromised. Seven days is an aggressive timeline and may be too short for some vendors to update their products, but it should be enough time to publish advice about possible mitigations, such as temporarily disabling a service, restricting access, or contacting the vendor for more information. As a result, after 7 days have elapsed without a patch or advisory, we will support researchers making details available so that users can take steps to protect themselves.
  • When devices or software subject to the disclosure process are explicitly designated end-of-life or end-of-support by the vendor, we limit the deadline to 30 days unless we get positive confirmation that an out-of-band patch will be issued by the vendor.
  • As always, we reserve the right to bring deadlines forwards or backwards based on extreme circumstances. We remain committed to treating all vendors equally. IoT Inspector and IoT Inspector Research Lab expect to be held to the same standard.

We may contact computer emergency response teams (CERTs) during the responsible disclosure process to coordinate public disclosure in case critical vulnerabilities have been identified that affect a large user base.

Working with Vendors

IoT Inspector Research Lab commits to putting reasonable effort into establishing communication with the affected vendor. We try to use the vendor's publicly available security contact; otherwise, we contact vendor support through publicly available mechanisms and/or send emails to the security@, support@ and info@ addresses.

We ask vendors to provide an appropriate security contact including encryption certificates to protect the confidentiality of the security advisory or any further communication.

In no case will a vulnerability be “kept quiet” because a product vendor does not wish to address it. To maintain transparency in the process, we include a summary of our communication with the vendor in the advisory.

We encourage vendors to provide us with updated information to be included in the final security advisory. This could include: the software versions or hardware revisions affected by the bug, the number of the fixed version, and a means to obtain the update (e.g. the URL of a website where the security fix or new version can be downloaded). We recommend that the vendor request CVE numbers for the corresponding vulnerabilities.

We appreciate it if vendors credit the researcher(s) who identified the security issue and IoT Inspector Research Lab within release notes and announcements made by the vendor.

IoT Inspector Research Lab

The IoT Inspector Research Lab is the integrated research organization of IoT Inspector.

Details on IoT Inspector and the IoT Inspector Research Lab can be found at:
https://www.iot-inspector.com

For any inquiry, feedback or comments please reach out to research (at) iot-inspector.com.