from Consumer Reports (link above):
We also didn’t find a vulnerability disclosure program for these businesses:
- Aerogarden (Aerogarden has a web form tied to a BugCrowd form but it is not live, which means no one can actually use it to report an issue)
- Abode
- Aqara
- Bissell
- Chamberlain MyQ (Chamberlain doesn’t have a dedicated point of contact for security researchers but does have an ISO 27001 certification, which means it does manage risks related to the security of data owned or handled by the company according to a reputable standard)
- Delta
- Eight Sleep
- Fisher Price/Mattel
- Genie/Overhead Door
- Hydrow
- Level
- Lockly
- Lutron
- Moen
- Orbit/B-Hyve
- Sleep Number
- Tempo
- Tonal
- Trane
- Vizio
- Whirlpool (A Whirlpool spokesperson says Whirlpool Corporation has a full vulnerability disclosure program for externally facing systems and that this will be expanded to IoT / Production Security in the near future)
The following additional companies do not have a formal vulnerability disclosure program that we could find, but they do have a dedicated security reporting contact:
- D-Link
- Ecovacs
- Garmin
- Kohler
- NordicTrack (iFit)
- Tuya
The following companies do have dedicated points of contact for security researchers:
- Allegion/Schlage
- Amazon
- Assa Abloy (Kwikset)
- Ecobee
- Eufy/Anker
- Eve Home
- Feit
- GE Appliances
- Govee
- HiSense
- The Home Depot
- iRobot
- Nanoleaf
- Owlet
- Peloton
- Rachio
- Reolink
- Resideo
- Roborock
- Roku
- Samsung
- Savant/GE Lighting
- Schneider Electric
- Shelly
- Signify
- SimpliSafe
- Vivint
- Belkin (Wemo)
- LG
- ADT
- Apple
- Arlo
- Bosch
- Comcast
- D-Link
- Ecovacs
- Electrolux/Frigidaire
- Fortune Brands (Yale, August, Master Lock)
- Garmin
- Hasbro
- IKEA
- Kohler
- Kidde/Carrier
- Meross
- Miele
- NordicTrack (iFit)
- Sengled
- Shark
- Sony
- Tuya
- Wyze