---
title: "ETSI EN 303 645 vulnerability disclosure requirements for consumer IoT"
canonical_url: "https://www.sorena.io/artifacts/global/etsi-en-303-645/faq/vulnerability-disclosure"
source_url: "https://www.sorena.io/artifacts/global/etsi-en-303-645/faq/vulnerability-disclosure"
author: "Sorena AI"
description: "What ETSI EN 303 645 requires for consumer IoT vulnerability disclosure policies, report handling, status updates, timely action, and TS 103 701 evidence."
published_at: "2026-05-09"
updated_at: "2026-05-27"
keywords:
  - "ETSI EN 303 645 vulnerability disclosure"
  - "consumer IoT vulnerability policy"
  - "TS 103 701 IXIT"
  - "coordinated vulnerability disclosure"
  - "IoT security reporting"
  - "ETSI EN 303 645"
  - "vulnerability disclosure"
  - "consumer IoT security"
  - "TS 103 701 evidence"
---
**[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform

[Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io)

---

# ETSI EN 303 645 vulnerability disclosure requirements for consumer IoT

What ETSI EN 303 645 requires for consumer IoT vulnerability disclosure policies, report handling, status updates, timely action, and TS 103 701 evidence.

*Artifact Guide* *GLOBAL* *ETSI EN 303 645*

## ETSI EN 303 645 Vulnerability disclosure for consumer IoT products

ETSI EN 303 645 expects manufacturers to publish a vulnerability disclosure policy and operate a process for receiving, acknowledging, updating, and acting on reports.

Use this FAQ to align public policy text, internal report handling, supplier coordination, and TS 103 701 assessment evidence.

Short answer: for consumer IoT products, ETSI EN 303 645 clause 5.2 requires a publicly available vulnerability disclosure policy with reporting contact information and timelines for acknowledgement and status updates. It also says disclosed vulnerabilities should be acted on in a timely manner, with continuous monitoring, identification, and rectification expected for products and services during the defined support period. Timings in this page are source-linked; verify current legal source language before implementation decisions.

## What must the public vulnerability disclosure policy include?

The public policy is not just a security mailbox. EN 303 645 provision 5.2-1 says the manufacturer shall make a vulnerability disclosure policy publicly available and that the policy shall include, at a minimum, contact information for reporting issues and information on timelines for initial acknowledgement of receipt and for status updates until the reported issues are resolved.

For visitors, buyers, researchers, and assessors, the policy should make the reporting path visible without requiring private documentation. TS 103 701 turns that into both a conceptual and functional assessment: the test laboratory checks the publication route described in IXIT 2-UserInfo and verifies that the policy is publicly accessible.

- Publish a clear external location for the vulnerability disclosure policy, such as a security page or support path that remains reachable without authentication.
- Include contact information that lets security researchers and other reporters submit potential vulnerabilities.
- State timelines for initial acknowledgement and for status updates until resolution, avoiding vague process text that gives reporters no expectation.
- Keep product documentation, app help, or support pages aligned with the public policy location if those channels direct users to report security issues.

Sources for this answer:

- [ETSI EN 303 645 V2.1.1, clause 5.2](https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf?ref=sorena.io) - Primary ETSI requirement for publishing a vulnerability disclosure policy with reporting contact information and acknowledgement/status-update timelines.
- [ETSI TS 103 701 V2.1.1, test cases 5.2-1-1 and 5.2-1-2](https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/02.01.01_60/ts_103701v020101p.pdf?ref=sorena.io) - Assessment method for checking that the vulnerability disclosure policy publication is available and publicly accessible through IXIT 2-UserInfo.

## How should reported vulnerabilities be handled after disclosure?

EN 303 645 provision 5.2-2 says disclosed vulnerabilities should be acted on in a timely manner. The standard's accompanying note explains that timing is incident-specific: resolution of a software fix, including patch availability and issue notification, is conventionally completed within 90 days, while hardware fixes can take considerably longer. The 90-day figure is the standard's description of industry convention, not a fixed deadline written into the provision.

That means the evidence should describe the decision path for different vulnerability types rather than using a single generic promise. TS 103 701 expects the test laboratory to assess the action and time frame for each disclosed vulnerability type in IXIT 3-VulnTypes, considering the public disclosure policy, severity, criticality, firmware, hardware or software type, process steps, responsibilities, and third-party involvement.

- Define how reports are triaged, investigated, confirmed, fixed, mitigated, or escalated for the product and its associated services.
- Separate timelines where firmware, cloud service, mobile app, hardware, operating system, or third-party library vulnerabilities follow different paths.
- Document who owns each step, including security incident teams, software teams, supplier contacts, and external vendors where relevant.
- Avoid claiming a fixed universal remediation deadline unless the evidence supports that timeline for the vulnerability type and deployment route.

Sources for this answer:

- [ETSI EN 303 645 V2.1.1, provision 5.2-2](https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf?ref=sorena.io) - Primary ETSI source for timely action on disclosed vulnerabilities and the standard's explanation of incident-specific timing.
- [ETSI TS 103 701 V2.1.1, test case 5.2-2-1](https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/02.01.01_60/ts_103701v020101p.pdf?ref=sorena.io) - Assessment method for IXIT 3-VulnTypes action and time-frame evidence, including responsibilities, third-party involvement, and indicators of timely deployment.

## What evidence supports vulnerability monitoring and rectification?

EN 303 645 expects manufacturers to continually monitor for, identify, and rectify security vulnerabilities within products and services they sell, produce, have produced, and operate during the defined support period. It also notes that maintaining a list of software components and sub-components is a prerequisite for monitoring product vulnerabilities when products use open-source or third-party software.

TS 103 701 maps this to IXIT 5-VulnMon. The assessment asks whether the described monitoring approach systematically gathers vulnerability information that could affect the device under test or its associated services, whether the identification approach determines applicability, and whether the rectification approach addresses or mitigates susceptibility.

- Maintain a component inventory or SBOM-level view that can support monitoring for affected software and third-party components.
- Record vulnerability sources monitored, the review cadence, how potential matches are assessed for applicability, and how non-applicable findings are documented.
- Tie monitoring output back into the same vulnerability handling process used for externally reported issues.
- Keep the evidence bounded to the defined support period unless the manufacturer actually continues monitoring and security updates beyond that period.
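One way to turn the component-inventory and applicability bullets above into a repeatable check, as an added example that is not part of the Sorena page or of ETSI EN 303 645 / TS 103 701 and is not any real product's monitoring code: match an SBOM-level inventory against advisory records, decide applicability per match, document non-applicable results with a reason, and route applicable findings to the handling path for that component type (firmware versus associated service, as the earlier section's separate-timeline bullet suggests). The inventory entries, advisory identifiers (`ADV-000x`), version ranges, the `reachable` flag, and the `introduced`/`fixed` range semantics are all constructed for illustration.

```python
"""Match a constructed consumer IoT component inventory against constructed
advisory records and record an applicability decision for every match.

Added example for the monitoring / identification / rectification discussion.
Nothing here is from ETSI EN 303 645, TS 103 701, or a real SBOM or feed.
"""
import re

# Constructed SBOM-level inventory. "reachable" records the manufacturer's own
# applicability judgement that the affected code path is exercised in this
# product; it is an input to the decision, not something derived here.
INVENTORY = [
    {"purl": "pkg:generic/mbedtls@2.28.3", "name": "mbedtls", "version": "2.28.3",
     "used_in": "firmware", "reachable": True},
    {"purl": "pkg:generic/lwip@2.1.3", "name": "lwip", "version": "2.1.3",
     "used_in": "firmware", "reachable": True},
    {"purl": "pkg:generic/zlib@1.2.13", "name": "zlib", "version": "1.2.13",
     "used_in": "firmware", "reachable": False},  # linked, but no decompression path
    {"purl": "pkg:npm/express@4.19.2", "name": "express", "version": "4.19.2",
     "used_in": "cloud-service", "reachable": True},
]

# Constructed advisory records. ADV-000x are placeholders, not real CVEs.
# A range means: affected if introduced <= version < fixed.
ADVISORIES = [
    {"id": "ADV-0001", "name": "mbedtls", "severity": "high",
     "ranges": [{"introduced": "2.28.0", "fixed": "2.28.5"}]},
    {"id": "ADV-0002", "name": "zlib", "severity": "high",
     "ranges": [{"introduced": "0", "fixed": "1.3.0"}]},
    {"id": "ADV-0003", "name": "lwip", "severity": "medium",
     "ranges": [{"introduced": "2.0.0", "fixed": "2.1.0"}]},
    {"id": "ADV-0004", "name": "express", "severity": "medium",
     "ranges": [{"introduced": "4.0.0", "fixed": "4.20.0"}]},
]

# Hypothetical routing of applicable findings into the handling process,
# keyed by where the component runs (different paths, different timelines).
HANDLING_PATH = {"firmware": "firmware-update", "cloud-service": "service-deployment"}


def parse_version(v):
    """Turn '2.28.3' into (2, 28, 3) so ranges compare numerically; '0' -> (0,)."""
    return tuple(int(p) for p in re.findall(r"\d+", v)) or (0,)


def version_in_range(version, rng):
    """True when introduced <= version < fixed (an absent 'fixed' means unbounded)."""
    v = parse_version(version)
    lo = parse_version(rng["introduced"])
    hi = parse_version(rng["fixed"]) if rng.get("fixed") else None
    return lo <= v and (hi is None or v < hi)


def assess(inventory, advisories):
    """Return one record per (component, advisory) name match.

    Non-applicable matches are kept, with the reason, so the evidence shows how
    a potential match was assessed rather than silently dropping it.
    """
    findings = []
    for comp in inventory:
        for adv in advisories:
            if adv["name"] != comp["name"]:
                continue
            in_range = any(version_in_range(comp["version"], r) for r in adv["ranges"])
            if not in_range:
                status, reason = "not-applicable", "shipped version outside affected range"
            elif not comp["reachable"]:
                status, reason = "not-applicable", "affected code not reachable in this product"
            else:
                status, reason = "applicable", "affected version and reachable"
            findings.append({
                "advisory": adv["id"],
                "severity": adv["severity"],
                "component": comp["purl"],
                "status": status,
                "reason": reason,
                "handling_path": HANDLING_PATH[comp["used_in"]] if status == "applicable" else None,
            })
    return findings


if __name__ == "__main__":
    for f in assess(INVENTORY, ADVISORIES):
        print(f"{f['advisory']:9} {f['component']:32} {f['status']:15} "
              f"{f['reason']} -> {f['handling_path']}")
```

Running the module prints four rows: ADV-0001 and ADV-0004 are applicable and routed to the firmware and service paths respectively, ADV-0003 is not applicable because 2.1.3 is past the fixed version, and ADV-0002 is in range but recorded as not applicable on reachability grounds, which is exactly the kind of documented non-applicable finding an assessor will ask to see the basis for.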

Sources for this answer:

- [ETSI EN 303 645 V2.1.1, clause 5.2 explanatory text](https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf?ref=sorena.io) - Primary ETSI source for continuous monitoring, identification, and rectification during the defined support period and component-list prerequisites for vulnerability monitoring.
- [ETSI TS 103 701 V2.1.1, test case 5.2-3-1](https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/02.01.01_60/ts_103701v020101p.pdf?ref=sorena.io) - Assessment method for IXIT 5-VulnMon evidence covering monitoring, identification, and rectification procedures for the DUT and associated services.

## Primary sources

- [ETSI EN 303 645 V2.1.1, consumer IoT baseline requirements](https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf?ref=sorena.io) - Primary standard for consumer IoT vulnerability disclosure requirements, including public policy publication, reporting contact information, acknowledgement and status-update timelines, timely action, and vulnerability monitoring during the defined support period.
  - Quote: "This policy shall include, at a minimum: contact information for the reporting of issues"
- [ETSI TS 103 701 V2.1.1, conformance assessment methodology](https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/02.01.01_60/ts_103701v020101p.pdf?ref=sorena.io) - Assessment source for vulnerability disclosure evidence, including IXIT 2-UserInfo, IXIT 3-VulnTypes, IXIT 4-Conf, and IXIT 5-VulnMon.
  - Quote: "The test group addresses the provision 5.2-1."

## Topic Guides

- [ETSI EN 303 645 Applicability and Scope](/artifacts/global/etsi-en-303-645/applicability-and-scope.md): Decide whether a connected product is in scope of ETSI EN 303 645, define the consumer IoT evidence boundary, and document N/A justifications for assessment.
- [ETSI EN 303 645 compliance: ICS, IXIT, evidence](/artifacts/global/etsi-en-303-645/compliance.md): Plan ETSI EN 303 645 compliance evidence for consumer IoT products with scope, ICS, IXIT, TS 103 701 assessment steps, verdict risks, and source-linked controls.
- [ETSI EN 303 645 consumer IoT products: what is in scope?](/artifacts/global/etsi-en-303-645/faq/iot-consumer-products.md): ETSI EN 303 645 FAQ on consumer IoT product scope: devices, associated services, constrained devices, out-of-scope industrial uses, ICS, IXIT, and TS 103 701 evidence.
- [ETSI EN 303 645 Current Version Tracker](/artifacts/global/etsi-en-303-645/current-version-tracker.md): Track ETSI EN 303 645 version evidence, ETSI deliverable status checks, TS 103 701 assessment alignment, and change triggers for consumer IoT security work.
- [ETSI EN 303 645 CVD Workflow for IoT Vulnerability Reports](/artifacts/global/etsi-en-303-645/vulnerability-disclosure-cvd-workflow.md): Source-linked workflow for ETSI EN 303 645 vulnerability disclosure: public policy contents, reporting contact, acknowledgement and status timelines, timely action, and TS 103 701 evidence.
- [ETSI EN 303 645 Data Protection Provisions](/artifacts/global/etsi-en-303-645/data-protection-provisions.md): source-linked guide to ETSI EN 303 645 data protection provisions for consumer IoT: personal data security, telemetry transparency, consent, and deletion evidence.
- [ETSI EN 303 645 default passwords: what must consumer IoT teams do?](/artifacts/global/etsi-en-303-645/faq/default-passwords.md): ETSI EN 303 645 default password guidance for consumer IoT: unique or user-defined passwords, pre-installed password generation, change mechanisms, brute-force controls, and TS 103 701 evidence.
- [ETSI EN 303 645 FAQ: Consumer IoT Security Questions](/artifacts/global/etsi-en-303-645/faq.md): source-linked answers to common ETSI EN 303 645 questions on consumer IoT scope, associated services, default passwords, updates, vulnerability disclosure, telemetry, deletion, and TS 103 701 evidence.
- [ETSI EN 303 645 ICS and IXIT Evidence Template](/artifacts/global/etsi-en-303-645/ics-and-ixit-evidence-template.md): Build a source-linked ICS and IXIT evidence template for ETSI EN 303 645 consumer IoT assessments, with clear separation between EN provisions and TS 103 701 test information.
- [ETSI EN 303 645 implementation checklist](/artifacts/global/etsi-en-303-645/implementation-checklist.md): Use this ETSI EN 303 645 implementation checklist to scope a consumer IoT product, record Annex B support statuses, map IXIT evidence, and avoid weak conformance claims.
- [ETSI EN 303 645 Implementation Evidence Guide](/artifacts/global/etsi-en-303-645/implementation-evidence.md): Build ETSI EN 303 645 implementation evidence from Annex B support/detail records, TS 103 701 ICS and IXIT inputs, test verdicts, and scoped external evidence.
- [ETSI EN 303 645 IoT Applicability Workflow](/artifacts/global/etsi-en-303-645/iot-applicability-workflow.md): Decide whether ETSI EN 303 645 applies to a consumer IoT product, what associated services belong in scope, and how to record justified non-applicability.
- [ETSI EN 303 645 personal data deletion FAQ for consumer IoT](/artifacts/global/etsi-en-303-645/faq/personal-data-deletion.md): What ETSI EN 303 645 says about deleting user data and personal data from consumer IoT devices, associated services, apps, and evidence records.
- [ETSI EN 303 645 requirements: consumer IoT provision map](/artifacts/global/etsi-en-303-645/requirements.md): Map ETSI EN 303 645 consumer IoT requirements to product scope, Annex B ICS entries, TS 103 701 evidence, and implementation owners.
- [ETSI EN 303 645 Secure Update Evidence Workflow](/artifacts/global/etsi-en-303-645/secure-update-evidence-workflow.md): Build secure-update evidence for ETSI EN 303 645 using provision 5.3, Annex B support/detail records, and TS 103 701 ICS, IXIT, and test-plan inputs.
- [ETSI EN 303 645 Secure Update Workflow](/artifacts/global/etsi-en-303-645/secure-update-workflow.md): Map ETSI EN 303 645 secure-update provisions into a practical workflow for consumer IoT update mechanisms, support-period disclosures, and TS 103 701 evidence.
- [ETSI EN 303 645 Secure Updates and Vulnerability Disclosure](/artifacts/global/etsi-en-303-645/secure-update-and-vulnerability-disclosure.md): source-linked guide to ETSI EN 303 645 clauses 5.2 and 5.3 for consumer IoT vulnerability disclosure, security updates, support periods, and TS 103 701 evidence.
- [ETSI EN 303 645 support period: what must consumer IoT teams publish?](/artifacts/global/etsi-en-303-645/faq/support-period.md): ETSI EN 303 645 support-period guidance for consumer IoT: defined security-update support periods, user-accessible publication, constrained-device replacement support, model designation, and TS 103 701 evidence.
- [ETSI EN 303 645 telemetry: what should consumer IoT teams evidence?](/artifacts/global/etsi-en-303-645/faq/telemetry.md): ETSI EN 303 645 telemetry guidance for consumer IoT teams: security anomaly examination, IXIT 24-TelData evidence, personal-data minimization, and consumer telemetry disclosures.
- [ETSI EN 303 645 test evidence: what should consumer IoT teams keep?](/artifacts/global/etsi-en-303-645/faq/test-evidence.md): ETSI EN 303 645 test evidence guidance for consumer IoT teams: ICS support claims, IXIT detail, TS 103 701 test plans, verdicts, and external evidence checks.
- [ETSI EN 303 645 vs EU CRA for Consumer IoT](/artifacts/global/etsi-en-303-645/etsi-en-303-645-vs-eu-cra.md): Use ETSI EN 303 645 and ETSI TS 103 701 evidence when preparing consumer IoT cybersecurity work that may also need a separate EU CRA legal mapping.
- [ETSI EN 303 645 vs RED Cybersecurity Delegated Act](/artifacts/global/etsi-en-303-645/etsi-en-303-645-vs-red-cybersecurity-delegated-act.md): Compare ETSI EN 303 645 consumer IoT security evidence with RED cybersecurity planning without treating the ETSI baseline as a substitute for RED legal scope.
- [ETSI EN 303 645 vs UK PSTI: Evidence Crosswalk](/artifacts/global/etsi-en-303-645/etsi-en-303-645-vs-uk-psti.md): Compare ETSI EN 303 645 evidence with UK PSTI review needs without assuming the same scope, legal trigger, or assurance route.
- [ETSI TS 103 701 Test Evidence Workflow for EN 303 645](/artifacts/global/etsi-en-303-645/ts-103-701-test-evidence-workflow.md): Build an ETSI TS 103 701 test evidence workflow for EN 303 645 consumer IoT assessments: DUT identification, ICS, IXIT, test plans, verdicts, and external evidence.
- [How should teams handle constrained devices under ETSI EN 303 645 for consumer IoT products?](/artifacts/global/etsi-en-303-645/faq/constrained-devices.md): ETSI EN 303 645 constrained-device guidance: what counts as constrained, when non-applicability can be justified, and what evidence should support update and authentication decisions.

*Recommended next step*

## Prepare the policy, timelines, and IXIT evidence together

Use the EN 303 645 clause 5.2 requirements and TS 103 701 test cases to align public disclosure text with internal triage, supplier coordination, vulnerability monitoring, and assessment evidence.

- [Map disclosure controls to evidence](/solutions/assessment.md): Convert policy text, report timelines, vulnerability types, and monitoring procedures into reviewable control evidence.
- [Check a disclosure-policy gap](/solutions/research-copilot.md): Use cited research support when a timeline, supplier handoff, or TS 103 701 evidence field is unclear.
- [Discuss ETSI EN 303 645 readiness](/contact.md): Review disclosure scope, public policy content, monitoring evidence, and next implementation steps with Sorena.


---

[Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us)

(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/global/etsi-en-303-645/faq/vulnerability-disclosure
