In this episode, Felix continues his conversation with David Rogers (Copper Horse) about the latest State of Vulnerability Disclosure report and why “what counts as IoT” is messy. They explore how consumer devices end up everywhere (including factories), how category labels can become compliance loopholes, and why good vulnerability disclosure needs more than a generic support page. David also shares concerns about the EU Cyber Resilience Act drifting toward tick-box compliance, and what that could mean for product security teams and, ultimately, all of us. Plus: the report’s dataset is open for anyone to check.

In the first of this two-part episode, Felix is joined by David Rogers (Copper Horse) to unpack a surprisingly powerful way to measure IoT security: vulnerability disclosure policies. David shares what eight years of research reveals about how easy (or impossible) it can be for security researchers to report flaws. We discuss why the lack of a clear route to report vulnerabilities to a vendor is an “insecurity canary” and how security researchers and businesses struggle to get along without enabling easy communications on these topics. We dig into the results from the Copper Horse annual report, the impact of new regulation, and why retailers might be the hidden force improving the market. Plus: the long tail of ultra-cheap devices, and why security shouldn’t be a luxury.

In this episode of the You Gotta Hack That podcast, the conversation continues with Emily, a principal industrial cyber security consultant, as they delve into the real-world threats facing operational technology (OT) environments. The discussion highlights the inadequacies of traditional IT penetration testing when applied to OT networks, emphasizing the need for tailored approaches that consider the unique vulnerabilities and operational realities of these systems. Emily and Felix explore the concept of dwell time, illustrating how sophisticated attackers can remain undetected within networks for extended periods, gathering intelligence before launching attacks. They stress the importance of understanding actual risks and the necessity of continuous monitoring and testing to ensure robust cyber security measures are in place.