We recently contributed to the Department of Commerce’s request for public comment on its “Green Paper”, joining Rapid7, Duo Security, Electronic Frontier Foundation, Center for Democracy & Technology, Global Cyber Alliance and many others in a joint response that we hope will bolster a more transparent approach to securing the Internet of Things.

The Department of Commerce document is entitled “Fostering the Advancement of the Internet of Things,” but it’s more commonly known as the “Green Paper”. The document addresses the current technological and policy landscape relating to IoT, identifies key issues that can impact the deployment of IoT technologies, highlights potential benefits and challenges, and discusses what role, if any, the U.S. Government should play in this evolving landscape.

We, along with the co-signing organizations, commend the government’s proactive approach to the burgeoning IoT landscape, but have two specific recommendations regarding how IoT companies should work with independent security researchers.


Our two recommendations are…

1. More clearly articulating the benefits of adopting coordinated vulnerability disclosure and handling processes for IoT device and software providers.

Having worked with many IoT companies to support their coordinated disclosure and bug bounty programs, we have seen the value of encouraging outside independent research. IoT attack surfaces are broad and complex, and hardening them through traditional in-house testing methods alone is near impossible.

Having a clear process in place improves overall security while also protecting security researchers: it gives them a sanctioned way to communicate their vulnerability findings and reduces the risk of conflict or misunderstanding.

We believe that encouraging IoT vendors to adopt strategies that include vulnerability disclosure and handling processes would make the Green Paper more complete.


2. Committing to continue working with the IoT industry, government bodies, and other stakeholders to promote voluntary adoption of coordinated vulnerability disclosure and handling processes.

We believe an explicit commitment signals that promoting voluntary adoption of vulnerability disclosure is an ongoing priority rather than a one-time effort.

We are proud to be able to contribute to this important conversation, and you can view the letter we sent here: Joint Comments on “Fostering the Advancement of the Internet of Things”