Engaging with the research community

Verification and validation of IoT security functionality and posture is not limited to processes conducted by the development/test team. There is a rich IoT security research community that performs independent testing of IoT products and services. These researchers will often contact vendors to discuss vulnerabilities discovered during their research.

Make it easy for these researchers to communicate this information to you, and adopt an attitude of collaboration with the community. Show your willingness to accept their input. Provide a process for responsible disclosure that they can follow, and you will have a highly talented and resourceful community aiding you in your efforts to secure your products.

Another approach is to offer bug bounties. You can set up a bug bounty program that rewards researchers for identifying vulnerabilities in your products. It is important to be very specific about the rules of engagement, including which aspects of the product or implementation are in scope.

Although the hardware aspects of the IoT make it somewhat more difficult to coordinate, there are organizations that help facilitate IoT bug bounties. Bugcrowd is one such organization, offering both privately and publicly scoped bug bounties.