
Copper Horse IoT Security Report Finds Half of IoT Manufacturers Lack Flaw Reporting Channels

Published: 2026-01-26 Category: IoT News


Synopsis

  • A new Copper Horse study finds most consumer IoT manufacturers still offer no clear way to report security vulnerabilities.
  • Adoption of vulnerability disclosure policies is improving slowly, driven by regulation and retailer pressure.
  • Millions of connected devices remain exposed due to a long tail of poorly secured products.



More than half of consumer Internet of Things manufacturers still provide no clear method for security researchers to report vulnerabilities, leaving millions of connected devices potentially exposed, according to a new industry report. The findings, reported by IoT Insider, underline persistent weaknesses in how security issues are handled across the consumer IoT market.

The 2025 Copper Horse study, now in its eighth year, analysed 491 companies producing widely used connected devices. It found that only 199 manufacturers, or 40.53 percent, had a publicly available vulnerability disclosure process. The remaining 59.47 percent offered no obvious channel for reporting security weaknesses.

Vulnerability disclosure is widely viewed as one of the most visible indicators of a manufacturer’s commitment to security. Companies that fail to provide a reporting mechanism are often described as “insecurity canaries,” signalling early warnings of broader shortcomings in security practices.

Security researchers play a central role in this process, whether they are firms hired by a manufacturer to test a device before release or independent researchers who find a flaw in a shipping product. In both cases the aim is the same: to identify vulnerabilities and report them to the manufacturer before malicious actors can exploit them, which is only possible if the manufacturer offers a reporting channel in the first place.

The report, published in partnership with the IoT Security Foundation, notes that adoption of vulnerability disclosure policies continues to improve, but only gradually. Compared with 2024, uptake increased by just under five percent, highlighting what the authors describe as slow but steady progress.

Of the 491 manufacturers assessed, only 136, or 27.7 percent, met Copper Horse’s compliance threshold. This standard requires not only the existence of a disclosure policy but also clear expectations for how quickly reports will be acknowledged and resolved.

Regulatory pressure is emerging as a key driver of improvement. The study points to the UK's Product Security and Telecommunications Infrastructure (PSTI) Act, whose regulations already require manufacturers of consumer connectable products to publish a point of contact for reporting security issues and the timescales for acknowledging reports, and to preparatory steps for the EU's forthcoming Cyber Resilience Act (CRA) as significant factors encouraging manufacturers to formalise their disclosure processes.

Retailers are also exerting growing influence. Copper Horse examined leading UK, US, and European retailers to assess whether they stock devices from manufacturers with vulnerability disclosure policies. In the UK, Currys, John Lewis, and Argos were found to have full coverage, with 100 percent of their popular IoT products linked to manufacturers that publish disclosure policies. Across the US and Europe, compliance improved sharply compared with 2024, suggesting that the products driving most sales are becoming more secure.

However, the report cautions that these gains mask a persistent "long tail" of insecure devices. Smaller or less visible manufacturers often lag behind, and many newly adopted disclosure policies are difficult to locate. In several cases, policies are buried within legal or compliance sections rather than on clearly signposted security pages or at the standard security.txt location defined by RFC 9116 (https://<domain>/.well-known/security.txt). Some security.txt files were found to be incomplete (for example lacking a Contact field) or past their Expires date, making it harder for researchers to report vulnerabilities efficiently.
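The "incomplete or expired" finding comes down to a handful of RFC 9116 rules: a security.txt must carry at least one Contact field, each Contact must be a URI (mailto:, tel: or https:), and it must carry exactly one Expires field holding a future timestamp (the RFC also recommends that it be less than a year away). The checker below is an added example, not Copper Horse's own tooling or methodology; the three sample files and the example.com/net/org domains are constructed for illustration, and the "now" date is pinned to this article's publication date so the result is reproducible.

```python
"""Check a security.txt body against the RFC 9116 rules that decide whether a
researcher can actually use it: Contact present and URI-formed, exactly one
Expires, Expires in the future (and, per the RFC's SHOULD, under a year out).

Added example; not Copper Horse's tooling. Sample bodies are constructed."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# RFC 9116 section 3: the canonical location is /.well-known/security.txt;
# the bare /security.txt path is a legacy fallback still seen in the wild.
def candidate_locations(domain: str) -> list[str]:
    return [f"https://{domain}/.well-known/security.txt",
            f"https://{domain}/security.txt"]


@dataclass
class SecurityTxtReport:
    contacts: list[str] = field(default_factory=list)
    expires: datetime | None = None
    problems: list[str] = field(default_factory=list)

    @property
    def usable(self) -> bool:
        """True only if nothing would stop a researcher from reporting."""
        return not self.problems


def parse_security_txt(text: str) -> dict[str, list[str]]:
    """Map lower-cased field name -> values. Comments ('#') and blank lines
    are skipped; a field may legitimately repeat (e.g. several Contact lines)."""
    fields: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def check_security_txt(text: str, now: datetime) -> SecurityTxtReport:
    fields = parse_security_txt(text)
    report = SecurityTxtReport(contacts=fields.get("contact", []))

    # Contact: REQUIRED, at least one, and MUST be a URI (a bare e-mail
    # address without "mailto:" is the most common way this is broken).
    if not report.contacts:
        report.problems.append("missing required Contact field")
    for contact in report.contacts:
        if not contact.startswith(("mailto:", "https://", "tel:")):
            report.problems.append(f"Contact is not a mailto/https/tel URI: {contact!r}")

    # Expires: REQUIRED, exactly once, RFC 3339 timestamp, in the future.
    expires_values = fields.get("expires", [])
    if len(expires_values) != 1:
        report.problems.append(
            f"expected exactly one Expires field, found {len(expires_values)}")
    else:
        raw = expires_values[0]
        try:
            exp = datetime.fromisoformat(raw.replace("Z", "+00:00"))
            if exp.tzinfo is None:
                raise ValueError("Expires lacks a timezone offset")
        except ValueError as err:
            report.problems.append(f"Expires is not an RFC 3339 timestamp ({raw!r}): {err}")
        else:
            report.expires = exp
            if exp <= now:
                report.problems.append(f"Expires is in the past ({raw})")
            elif exp > now + timedelta(days=366):
                # RFC 9116: "SHOULD be less than a year into the future"
                report.problems.append(f"Expires is more than a year away ({raw})")
    return report


# Constructed samples (not real manufacturers). NOW is this article's date.
NOW = datetime(2026, 1, 26, tzinfo=timezone.utc)

GOOD_SAMPLE = """# constructed: complete and current
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2026-12-31T23:59:59Z
Policy: https://example.com/security/disclosure
Preferred-Languages: en
"""

EXPIRED_SAMPLE = """# constructed: published once, never refreshed
Contact: mailto:security@example.net
Expires: 2024-01-01T00:00:00Z
"""

INCOMPLETE_SAMPLE = """# constructed: bare e-mail, no Expires at all
Contact: security@example.org
"""

if __name__ == "__main__":
    for label, body in (("good", GOOD_SAMPLE), ("expired", EXPIRED_SAMPLE),
                        ("incomplete", INCOMPLETE_SAMPLE)):
        rep = check_security_txt(body, NOW)
        print(f"{label}: usable={rep.usable} problems={rep.problems}")
```

Run against a real vendor, the body would come from the first of the candidate_locations URLs that returns 200; the checker deliberately takes the body as a string so it can be unit-tested offline and so the fetch (TLS verification, redirects, content type) stays a separate concern. It does not verify the optional PGP signature RFC 9116 allows, which a stricter survey would also want.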

Regional differences are also pronounced. Europe now leads slightly, with 46.5 percent of manufacturers offering disclosure policies, followed by North America at 45.2 percent and Asia at 34.5 percent. South America and Oceania remain significantly underrepresented, with only one manufacturer in each region providing a disclosure policy.

The study also highlights variability in how reports are handled. Some companies rely on proxy disclosure organisations or bug bounty programmes, but response quality and speed vary widely, creating uncertainty for researchers and users alike.

While legislation such as the CRA and the PSTI Act is expected to accelerate adoption, the report warns that full compliance will not be mandatory across the EU until the CRA's main obligations apply in December 2027 (its vulnerability-reporting obligations on manufacturers start earlier, in September 2026). Copper Horse predicts that without stronger regulatory intervention, most consumer IoT manufacturers may not achieve comprehensive vulnerability disclosure coverage until around 2040.

The 2025 findings emphasise a widening gap between leading manufacturers and the rest of the market. While high-profile and popular products are becoming more secure, more than half of manufacturers still provide no way for researchers to report security issues, leaving large numbers of connected devices exposed to potential cyber attacks.

“The headline figures are encouraging, but the insecurity canary is singing loud,” the report concludes. “Legislation may be the only way to ensure the long tail of vulnerable devices is addressed.”

According to reporting by IoT Insider, based on the 2025 Copper Horse study published in partnership with the IoT Security Foundation.

Source: IoT Insider


About Copper Horse

Copper Horse is a UK-based cyber security consultancy specialising in the testing and assessment of connected devices and embedded systems. The firm is widely known for its annual vulnerability disclosure studies, which analyse how consumer IoT manufacturers handle the reporting and remediation of security flaws. Now in its eighth year, the Copper Horse research has become a benchmark for measuring transparency and accountability across the IoT industry. Working closely with manufacturers, regulators, and industry bodies such as the IoT Security Foundation, Copper Horse focuses on improving baseline security practices through testing, policy guidance, and public reporting. Its work is frequently cited in discussions around IoT regulation, including the UK's Product Security and Telecommunications Infrastructure Act and the European Union's Cyber Resilience Act, reflecting its influence on the evolving global IoT security landscape.



Disclaimer

The information provided in this article is for general informational purposes only and from publicly available sources. While we strive for accuracy, we do not make any representations or warranties, express or implied, regarding the completeness, reliability, or validity of the content. This article does not make any direct claims about specific companies, individuals, or organizations. Any references to reports or external sources are for context and do not imply endorsement or verification of any specific allegations. Readers are encouraged to conduct their own research and seek professional advice before making business decisions. We disclaim any liability for any losses or damages incurred as a result of reliance on the information provided.
