IoD Vendor Code Of Conduct
Vendors who partner with the IoD project are asked to adhere to the following code of conduct when dealing with researchers, their findings and with their customers.
Customers security, privacy and safety are your highest priority, even above any marketing, demographic, usage or other data that could be 'mined' from them
You acknowledge that although you try your best, outside researchers have a part to play in securing your devices and your customers and are to be respected for doing so
Participation in the IoD project requires that you adhere to this code of conduct and, as best as you can, the Vendor Best Practices
Your status as a partner and participant will be reviewed from time to time to make sure you have kept up your requirements as laid out here in this code of conduct
There is no financial obligation to participation with the IoD project, however any support, in whatever form you decide is welcome
You will listen to all reports openly and honestly and put them to transparent testing no matter how outlandish the claims
Any vulnerability reported in good will and faith will not be met with any action from a legal standpoint. So long as the researcher is adhering to the IoD code of conduct, lawyers will not be involved, nor any threats of legal action
You will follow, to the best of your abilities, the Vendor Best Practices and attempt to secure your products yourself proactively
You acknowledge that the "Internet of Dongs" project (IoD) is merely an attempt to bring researchers and industry vendors together for mutual benefit. All researchers are independent and not employees, or in any legal sense associated with the project or its creators, administrators or other stakeholders
You will acknowledge, where necessary, the researchers role in finding, disclosing and fixing the vulnerability they reported. Credit where credit is due
You acknowledge that by becoming a partner with IoD does not impose any special protection from researchers looking at your products or from publishing findings after they have been fixed as per the principals of Coordinated Disclosure
Vendors will acknowledge that the IoD project is made of volunteers who cannot test everything all the time and that partnership does not mean their products are totally secure, nor will they claim so. Nothing is ever totally secure.
You recognise that Partnership with IoD means you are being open and transparent to having certain parts of your hardware, software and infrastructure tested independently. It is up to the vendor to conspicuously denote on their site, any restrictions they wish to impose on free-for-all researcher with an eye to keeping these restrictions to a minimum (i.e. out of bounds systems, third party contracted services, etc)
Vendors are under no obligation to provide compensation to researchers. There is no restriction on you doing so however. All compensation should be disclosed publicly to the IoD project with the understanding that you may be creating a precedent non-IoD researchers may come to expect
If you reach a maturity level of your business and security, you will consider participation in a bug bounty program such as Bugcrowd or Hackerone where researchers who find vulnerabilities are financially compensated for their work (put your money where your mouth is)
If you decide to participate in a bug bounty program, you acknowledge that IoD researchers who participate in your bug bounty program are neither more or less capable and deserving of awards for vulnerabilities
You will, where appropriate and negotiation possible, mention your participation with the IoD project in relation to your commitment to security and privacy and allowing external verification and researchers to test your systems. We are not a certification or a 'mark' of security. Security is a process, not a product.