Picture the scene, a researcher discovers a security issue in a product, but can’t find a contact point for reporting the problem. Or, details are submitted to a device maker, but the company keeps the researcher in the dark on what happens next and whether any headway has been made. Both scenarios frustrate progress in building and maintaining products that consumers can trust. Clear lines of communication are key to widening the net for catching issues and vulnerability disclosure best practice helps make this happen. But how well are IoT providers following the guidelines?