New Vulnerability Disclosure Policy Requirement: Australian Government Releases Draft Code of Practice for IoT Security


In response to the threat of insecure IoT devices, the Australian Government has released a draft code of practice for “Securing the Internet of Things for Consumers”. This guide is a positive step, because of the extensive damage that insecure IoT devices can wreak on our connected world.

The code is voluntary, aiming to “help raise awareness of security safeguards associated with IoT devices, build greater consumer confidence in IoT technology and allow Australia to reap the benefits of greater IoT adoption”.

It contains 13 principles and was written for an industry audience with advice from the Australian Cyber Security Centre (ACSC) and from the United Kingdom, which has published a similar code of its own.

The draft document states that the first three principles are the most important:

  • No duplicated, default or weak passwords – IoT devices need to have strong and unique passwords.
  • Implement a vulnerability disclosure policy – Manufacturers, providers and developers should establish a point of contact where vulnerabilities can be disclosed.
  • Keep software securely updated – Manufacturers, providers and developers should make it easy for users to update their devices. The process should be clear and security updates should be issued in a prompt manner.

These are absolute security basics, and should be adhered to in all situations to provide a solid base. The subsequent principles include guidelines that direct tech companies to store credentials securely, protect personal data, minimise exposed attack surfaces and ensure software integrity.

The document was published as a collaboration between the Department of Home Affairs, the Australian Signals Directorate and the ACSC. It was unveiled at the 2019 Home Affairs Industry Summit in Melbourne. The Minister for Home Affairs, Peter Dutton, elaborated on why the code of practice was developed:

“This rapid growth in connectivity brings significant benefits to all Australians,” he said. “However, many of these devices have poor cyber security features, posing risks to Australian families, our economy and national security.

“The safety of Australians and the security of our economy is paramount. That’s why the Morrison Government has developed a voluntary Code of Practice to inform industry about the cyber security features expected of these devices in Australia.”

The code of practice was published as a draft, with a public consultation period running until March. While the consultation period should allow the industry and consumers to have their voices heard, we need to consider it in the context of the last major data legislation.

When the draft of the Assistance and Access Bill (Australia’s anti-encryption laws) was published, it was met with heavy criticism from the industry and other parties. Several Atlassian employees summarised the comments, showing that nearly all of them were against the legislation in some way. Despite this condemnation, the bill still passed with minimal changes.

While the threat from poor IoT security makes this code of practice seem like a commendable move by the government, one has to question why such a code is voluntary. Surely strict regulation would be more effective than guidelines that organisations may simply ignore.

Ahmed Khanji
Ahmed Khanji is the CEO of Gridware, a leading cybersecurity consultancy based in Sydney, Australia. An emerging thought leader in cybersecurity, Ahmed is an Adjunct Professor at Western Sydney University and regularly contributes to cybersecurity conversations in Australia. As well as his extensive background as a security advisor to large Australian Enterprises, he is a regular keynote speaker and guest lecturer on offensive cybersecurity topics and blockchain.