More than half of all consumer IoT manufacturers provide no method for security researchers to report flaws, leaving millions of connected devices potentially exposed, a new report has found.
The 2025 Copper Horse study, now in its eighth year, analysed 491 companies producing popular connected devices and found that only 199, or 40.53%, had a publicly available vulnerability disclosure process. The remaining 59.47% offered no clear channel for reporting security weaknesses.
Vulnerability disclosure is widely regarded as one of the few visible indicators of a manufacturer’s commitment to security. Companies that fail to offer a reporting mechanism are seen as “insecurity canaries”, signalling early warnings about poor security practices.
Security firms are companies that test IoT devices for security flaws, usually paid by manufacturers to find and report vulnerabilities before hackers can exploit them.
The report, published in partnership with the IoT Security Foundation, found that adoption of vulnerability disclosure policies has been slow but steady, increasing by just under 5% compared to 2024.
Of the 491 manufacturers analysed, 136, or 27.7%, passed Copper Horse’s threshold test for compliance, meaning they not only had a policy but also outlined expected timelines for acknowledgement and resolution.
These improvements were often driven by the UK’s Product Security and Telecoms Infrastructure (PSTI) Act and anticipatory measures for the EU’s forthcoming Cyber Resilience Act (CRA).
Retailers are also playing a critical role. The Copper Horse study examined leading UK, US, and European sellers to see which stocked devices from manufacturers with disclosure policies.
In the UK, Currys, John Lewis, and Argos were found to have 100% of their popular IoT products covered by vulnerability disclosure policies. Across the US and Europe, compliance improved dramatically compared with 2024, suggesting that products driving the majority of sales are increasingly secure.
However, the report cautions that these improvements mask a persistent “long tail” of insecure devices from smaller or less visible manufacturers. Many new adopters of disclosure policies place them in hard-to-find areas of their websites, such as legal compliance sections, rather than in standard /security pages or well-known security.txt locations. In some cases, security.txt implementations were incomplete or expired, making it harder for researchers to report vulnerabilities efficiently.
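A researcher or a manufacturer's own security team can catch the incomplete or expired security.txt problem described above with a small check. The following is an added example, not code from the report or from Copper Horse: it parses a constructed security.txt and verifies the two fields RFC 9116 makes mandatory (Contact and Expires) and whether the Expires timestamp has already passed. The sample file and its dates are constructed for illustration.

```python
"""Check a security.txt file (RFC 9116) for the mandatory fields and for expiry."""
from datetime import datetime, timezone

# Constructed sample (not from the report): Contact is present but the file has expired.
SAMPLE_SECURITY_TXT = """\
# Vulnerability disclosure information
Contact: mailto:security@example.com
Expires: 2024-01-31T23:59:00.000Z
Preferred-Languages: en
"""


def parse_security_txt(text):
    """Return {field_name_lowercase: [values]}, skipping comments, blanks and malformed lines."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue  # RFC 9116 lines are 'Field: value'; anything else is ignored here
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def check_security_txt(text, now=None):
    """Return a list of problems found; an empty list means the basic checks pass."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems = []
    if "contact" not in fields:
        problems.append("missing mandatory Contact field")
    expires = fields.get("expires")
    if not expires:
        problems.append("missing mandatory Expires field")
    elif len(expires) > 1:
        problems.append("Expires must appear exactly once")
    else:
        try:
            # RFC 9116 requires an ISO 8601 timestamp; 'Z' is normalised for older Pythons.
            when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if when.tzinfo is None:
                when = when.replace(tzinfo=timezone.utc)  # assumption: naive times are UTC
            if when <= now:
                problems.append(f"file expired on {expires[0]}")
        except ValueError:
            problems.append(f"Expires is not ISO 8601: {expires[0]!r}")
    return problems


if __name__ == "__main__":
    print(check_security_txt(SAMPLE_SECURITY_TXT))
```

Serving the file at /.well-known/security.txt, the location RFC 9116 specifies, is what makes the policy findable in the first place; this check only covers its contents.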
Regional differences were also noted. Europe now slightly leads in adoption rates at 46.5% of manufacturers, with North America at 45.2% and Asia at 34.5%. South America and Oceania remain poorly represented, with only one manufacturer in each region providing a disclosure policy.
The report also highlighted that while some companies use proxy disclosure organisations or bug bounty programmes to manage reports, response efficiency can vary widely.
Experts warn that while legislation like the CRA and PSTI Act is expected to accelerate adoption, full compliance will not be mandatory until the EU CRA is fully in effect in 2027. Copper Horse predicts that without regulatory intervention, the majority of consumer IoT manufacturers may not achieve full vulnerability disclosure coverage until around 2040.
The 2025 report emphasises that while the most visible and popular products are increasingly secure, the market as a whole still leaves consumers at risk. Over half of manufacturers still provide no means for researchers to report security issues, signalling that millions of IoT devices remain exposed to potential cyber attacks.
“The headline figures are encouraging, but the insecurity canary is singing loud,” the report concludes, “legislation may be the only way to ensure the long tail of vulnerable devices is addressed.”