It was kind of an open secret that the first vulnerabilities set in were for our first vendor partner Lovense since doing so was helping to build us sort out the steps for a framework for vendors to follow.
We submitted and they verified two vulnerabilities that would have violated users privacy. One was an email enumeration bug that allowed for bulk testing of emails to find out who had accounts (DVE-2016-01) and the other was the users email address being disclosed in the server response even when they did not want it disclosed.
Happy to say that these vulnerabilities have been fixed and that the IoD project can claim that we've actually accomplished our first instance of making the industry a bit safer.
A big thank you to Lovense for their participation and patience and commitment to getting these issues fixed promptly and helping us finesse the process along the way.