United Kingdom https://www.hackerone.com/ en Code of Practice for Software Vendors https://www.hackerone.com/node/2376 Code of Practice for Software Vendors h1_admin Mon, 07/29/2024 - 16:24 Jurisdiction United Kingdom Region Europe Requirement Recommended *Coming Soon Organization Department of Science, Innovation, & Technology Provision Principle 3.2 Applies to Software developers, distributors, and resellers Date TBD Description 3.2 Ensure the organisation implements and publishes an effective vulnerability disclosure process to support a transparent and open culture within the organisation.  Associated technical control: Implement a vulnerability disclosure policy. (The organisation publishes a vulnerability disclosure policy which provides a public point of contact in order that security researchers and others are able to report issues. Disclosed vulnerabilities are then reported to relevant parties (outlined in the implementation guidance) and acted on in a timely manner.) https://www.gov.uk/government/calls-for-evidence/call-for-views-on-the-code-of-… ]]> Mon, 29 Jul 2024 21:24:38 +0000 h1_admin 2376 at https://www.hackerone.com Cyber Security of AI https://www.hackerone.com/node/2375 Cyber Security of AI h1_admin Mon, 07/29/2024 - 16:23 Jurisdiction United Kingdom Region Europe Requirement Recommended *Coming Soon Organization Department of Science, Innovation, & Technology Provision Principle 6.3, Principle 11.2 Applies to Developers and System Operators Date TBD Description 6.3 Developers and System Operators shall implement and publish an effective vulnerability disclosure process to support a transparent and open culture within the organisation.  11.2 Developers shall provide security updates and patches, where possible, and notify System Operators and End-users of the security updates. 11.2.1 In instances where updates can’t be provided, Developers shall have mechanisms for escalating issues to the wider community, particularly customers and other Developers. To help deliver this, they could publish bulletins responding to vulnerability disclosures, including detailed and complete common vulnerability enumeration.  https://www.gov.uk/government/calls-for-evidence/call-for-views-on-the-cyber-se… ]]> Mon, 29 Jul 2024 21:23:13 +0000 h1_admin 2375 at https://www.hackerone.com Code of Practice for consumer IoT security https://www.hackerone.com/node/2374 Code of Practice for consumer IoT security h1_admin Mon, 07/29/2024 - 16:19 Jurisdiction United Kingdom Region Europe Requirement Recommended Organization Department of Science, Innovation, & Technology Provision Guideline 2 Applies to Device manufacturers, IoT service providers, mobile application developers, retailers Date October 14, 2018 Description 2. Implement a vulnerability disclosure policy  All companies that provide internet-connected devices and services shall provide a public point of contact as part of a vulnerability disclosure policy in order that security researchers and others are able to report issues. Disclosed vulnerabilities should be acted on in a timely manner. https://www.gov.uk/government/publications/code-of-practice-for-consumer-iot-se… ]]> Mon, 29 Jul 2024 21:19:54 +0000 h1_admin 2374 at https://www.hackerone.com Code of practice for app store operators and app developers https://www.hackerone.com/node/2336 Code of practice for app store operators and app developers h1_admin Fri, 07/26/2024 - 12:39 Jurisdiction United Kingdom Region Europe Requirement Recommended Organization Department of Science, Innovation, & Technology Provision Sec. 3 Applies to App Store Operators and App Developers Date October 24, 2023 Description

App Store Operators and App Developers listing apps on them should have a VDP (contact details/contact form); App Store Operators should verify that App Developers abide by these practices; App Store Operators should accept vulnerability disclosure reports on behalf of App Developers if they have not acknowledged the vulnerability - if the App Developer still fails to acknowledge the vulnerability, the App Store Operator should delist the app from its platform.

https://www.gov.uk/government/publications/code-of-practice-for-app-store-opera… ]]> Fri, 26 Jul 2024 17:39:34 +0000 h1_admin 2336 at https://www.hackerone.com Product Security and Telecommunications Infrastructure (PSTI) Act https://www.hackerone.com/node/2335 Product Security and Telecommunications Infrastructure (PSTI) Act h1_admin Fri, 07/26/2024 - 11:54 Jurisdiction United Kingdom Region Europe Requirement Required Organization UK Parliament Provision Part 1, Chapter 2, Sec. 8 of the PSTI Act & PSTI Regulations 2023, Schedules 1 and 2 Applies to Manufacturers, importers and distributors of consumer connectable products in the UK Date April 29, 2024 Description

The Product Security and Telecommunications Infrastructure Act 2022, Chapter 1 allows the Secretary of State to specify security requirements for connected devices.

PSTI Regulations 2023, Schedule 1, 2 requires that connected device manufacturers:Provide publicly available information on how to report security issues and publish in English at least one point of contact for security issues relating to their products (hardware or software), including when notifiers will receive acknowledgments and status updates, in an accessible, clear and transparent way, without any prior request for personal information.

https://www.legislation.gov.uk/uksi/2023/1007/contents/made ]]> Fri, 26 Jul 2024 16:54:34 +0000 h1_admin 2335 at https://www.hackerone.com