Jurisdiction
Region
Policy
Code of Practice for Software Vendors
Applies to
Software developers, distributors, and resellers
Provision
Principle 3.2
Description
3.2 Ensure the organisation implements and publishes an effective vulnerability disclosure process to support a transparent and open culture within the organisation. Associated technical control: Implement a vulnerability disclosure policy. (The organisation publishes a vulnerability disclosure policy which provides a public point of contact in order that security researchers and others are able to report issues. Disclosed vulnerabilities are then reported to relevant parties (outlined in the implementation guidance) and acted on in a timely manner.)
Date
TBD
Organization
Department of Science, Innovation, & Technology
Jurisdiction
Region
Policy
Cyber Security of AI
Applies to
Developers and System Operators
Provision
Principle 6.3, Principle 11.2
Description
6.3 Developers and System Operators shall implement and publish an effective vulnerability disclosure process to support a transparent and open culture within the organisation. 11.2 Developers shall provide security updates and patches, where possible, and notify System Operators and End-users of the security updates. 11.2.1 In instances where updates can't be provided, Developers shall have mechanisms for escalating issues to the wider community, particularly customers and other Developers. To help deliver this, they could publish bulletins responding to vulnerability disclosures, including detailed and complete common vulnerability enumeration.
Date
TBD
Organization
Department of Science, Innovation, & Technology
Jurisdiction
Region
Requirement
Policy
Code of Practice for consumer IoT security
Applies to
Device manufacturers, IoT service providers, mobile application developers, retailers
Provision
Guideline 2
Description
2. Implement a vulnerability disclosure policy. All companies that provide internet-connected devices and services shall provide a public point of contact as part of a vulnerability disclosure policy in order that security researchers and others are able to report issues. Disclosed vulnerabilities should be acted on in a timely manner.
Date
October 14, 2018
Organization
Department of Science, Innovation, & Technology
Jurisdiction
Region
Requirement
Policy
Code of practice for app store operators and app developers
Applies to
App Store Operators and App Developers
Provision
Sec. 3
Description
App Store Operators and App Developers listing apps on them should have a VDP (contact details/contact form); App Store Operators should verify that App Developers abide by these practices; App Store Operators should accept vulnerability disclosure reports on behalf of App Developers if they have not acknowledged the vulnerability; if the App Developer still fails to acknowledge the vulnerability, the App Store Operator should delist the app from its platform.
Date
October 24, 2023
Organization
Department of Science, Innovation, & Technology
Jurisdiction
Region
Requirement
Policy
Product Security and Telecommunications Infrastructure (PSTI) Act
Applies to
Manufacturers, importers and distributors of consumer connectable products in the UK
Provision
Part 1, Chapter 2, Sec. 8 of the PSTI Act & PSTI Regulations 2023, Schedules 1 and 2
Description
The Product Security and Telecommunications Infrastructure Act 2022, Chapter 1 allows the Secretary of State to specify security requirements for connected devices.

PSTI Regulations 2023, Schedules 1 and 2 require that connected device manufacturers: provide publicly available information on how to report security issues and publish in English at least one point of contact for security issues relating to their products (hardware or software), including when notifiers will receive acknowledgments and status updates, in an accessible, clear and transparent way, without any prior request for personal information.
Date
April 29, 2024
Organization
UK Parliament