In the first of this two-part episode, Felix is joined by David Rogers (Copper Horse) to unpack a surprisingly powerful way to measure IoT security: vulnerability disclosure policies. David shares what eight years of research reveals about how easy (or impossible) it can be for security researchers to report flaws. We discuss why the lack of a clear route to report vulnerabilities to a vendor is an “insecurity canary” and how security researchers and businesses struggle to get along without enabling easy communications on these topics. We dig into the results from the Copper Horse annual report, the impact of new regulation, and why retailers might be the hidden force improving the market. Plus: the long tail of ultra-cheap devices, and why security shouldn’t be a luxury.