As of early 2022, only about 20% of ICT and IoT companies maintain a publicly identifiable, dedicated channel for reporting serious security vulnerabilities, leaving many smaller firms and non-regulated products without a formal process for handling reports from third parties. ETSI EN 303 645 mandates a Coordinated Vulnerability Disclosure (CVD) scheme as a critical baseline requirement for keeping a product secure after deployment, ranking it just below the prohibition of universal default passwords in importance. The new ETSI technical report gives SMEs and larger enterprises guidance on establishing triage processes, managing vulnerabilities in third-party components, and adopting a formal disclosure policy so that flaws are reported privately rather than surfacing first as public exploits that damage the vendor's reputation. By implementing such structured CVD schemes, organizations can identify and resolve flaws like the Log4j bug before they lead to widespread security events.
Keywords: vulnerability disclosure, IoT security, security lifecycle, third-party vulnerabilities, security researchers