ETSI releases a report on coordinated vulnerability disclosure

Sophia Antipolis, 17 February 2022 – On 27 January ETSI released a Guide to Coordinated Vulnerability Disclosure (CVD). The Technical Report ETSI TR 103 838 will help companies and organisations of all sizes to implement a vulnerability disclosure process and fix vulnerabilities before they are publicly disclosed.

As of early 2022 only about 20% of ICT and IoT companies have a publicly identifiable, dedicated means by which a potentially serious security issue with their products or services can be reported to them. Many companies provide a website “contact us” page or have a presence on social media through which a security issue could be reported. However, without a formal, separate CVD process, most companies lack the internal process to handle such reports in a timely manner, especially where third-party elements are included in their products.

Alex Leadbeater, ETSI TC CYBER chair, notes that “While some large companies offer excellent paid vulnerability identification CVD schemes, a significant majority of ICT and IoT companies still do not have any form of CVD scheme in place. This is especially true of smaller companies and for companies with products that are not subject to formal regulatory related cyber security or safety testing. Such schemes are equally important for both physical product manufacturers and service or App providers”.

As mandated in ETSI EN 303 645, Cyber Security for Consumer Internet of Things: Baseline Requirements, a CVD scheme is a key requirement for ensuring ongoing strong cyber security after a product has been placed on the market. Ranked second only to the use of default passwords, an inability to handle cyber security vulnerabilities in-life has been a significant contributory factor in many recent IoT product security failures.

The ETSI Report contains advice on how to respond to and manage a vulnerability disclosure, a defined triage process, and advice on managing vulnerabilities in third-party products or suppliers. It also includes an example of a vulnerability disclosure policy. This is especially important for SMEs, or for larger companies that do not already have experience of CVD schemes or of dealing with security vulnerabilities reported by security researchers.

Security plays a crucial role in the development and lifecycle of systems, products and services. At any point in the lifecycle, a vulnerability can be found that weakens security if left unaddressed. If a vulnerability is found during development, it can be addressed before the product is released. Often, however, vulnerabilities are found after a system, product or service has been deployed. In this case, it can be difficult for the finder to know how or where to report the vulnerability.

To remedy this, an organisation should have a vulnerability disclosure process. There are many reasons to do so:

  • A vulnerability disclosure process helps an organisation to respond most effectively to a security vulnerability.
  • By providing a clear process, organisations can receive the information directly so the vulnerability can be addressed, and any associated risk reduced.
  • Vulnerability reports can provide organisations with valuable information that can be used to improve the security of systems, products and services.
  • The presence of a vulnerability disclosure process demonstrates that an organisation takes security seriously.
  • By accepting and receiving vulnerability reports, organisations will reduce the number of vulnerabilities in their systems, products or services.
  • It allows organisations to engage constructively with finders. This engagement means the organisation can receive valuable information that would otherwise be missed, or require additional time and effort to discover.

Having a clearly sign-posted disclosure process demonstrates that an organisation takes security seriously. By contrast, if an organisation does not provide a vulnerability disclosure route, finders who discover vulnerabilities may resort to public disclosure of the information, or vulnerabilities and subsequent exploits may go undetected until an otherwise avoidable, serious, wide-scale security event occurs. Such public release can result in reputational damage and can lead to a compromise.

As demonstrated by the recent Log4j vulnerability, early identification and resolution of security vulnerabilities through a CVD scheme should be a key part of every company’s cyber security strategy.

The Technical Report can be downloaded here.
