Michael Woolslayer
Policy Counsel

Vulnerability Disclosure Policy Requirements for UK Smart Products

Smart thermostat

New security regulations for connected devices and related guidance enter into force in the United Kingdom at the end of April. The UK Product Security and Telecommunications Infrastructure (PSTI) Act establishes baseline security expectations for consumer smart (e.g., Internet of Things or IoT) products.

HackerOne actively engaged the UK government during the development of these regulations, emphasizing the importance of adoption of robust vulnerability disclosure policies (VDPs) for the cybersecurity ecosystem.

Who does the PSTI regulate?

The regulation mainly applies to device manufacturers of consumer products that can connect to the internet and that are sold in the UK (i.e., smart or IoT devices). There are some exempted products, such as certain smart metering devices, smart charge points, medical devices, and types of computers. 

What does the PSTI aim to do?

The PSTI, particularly in Part 1, aims to improve the security of consumer smart products by making manufacturers who sell to UK consumers comply with baseline security requirements. Those baselines are similar to the top three principles in the voluntary Code of Practice for Consumer Internet of Things (IoT) Security

What are the PSTI’s security requirements?

The requirements generally reflect parts of a widely used standard for baseline cybersecurity for consumer smart devices.

Key security requirements in the regulation include:

  1. Unique Passwords: Software for each device must have unique default passwords, or users must be able to set their own. These passwords must avoid easily guessable or simplistic derivations (such as counting in increments).
     
  2. Reporting Security Issues: Manufacturers must publish clear, accessible, and transparent information on how persons may report security vulnerabilities to the manufacturer (e.g., a vulnerability disclosure program or VDP). This process should include expected timelines for acknowledgment and resolution updates, and should not request the personal information of the person making the report.
     
  3. Security Update Information: Manufacturers must provide clear and accessible information about the minimum period for which security updates will be provided for the device, including an end date.

How does a covered product manufacturer demonstrate compliance — and what happens if it doesn’t comply?

Those subject to the PSTI must submit a statement of compliance with basic information about the product and the manufacturer. The PSTI also imposes several additional duties on manufacturers, including to investigate potential compliance failures, take action in relation to compliance failure, and maintain records related to its compliance.

Failure to comply with the PSTI could result in a penalty up to the greater of (a) £10 million or (b) 4% of qualifying worldwide revenue for the most recent accounting period.

When do these requirements take effect?

April 29, 2024.

What’s the likely impact of these new requirements?

With stronger default security practices, such as unique passwords, consumer smart devices will be more resilient out of the box. Transparency around the security support date will help consumers make informed purchasing decisions, fostering additional marketplace competition based on security. The requirements also help pave the way for a more standardized approach to device security, potentially reducing the fragmentation in security practices across different manufacturers.

More specifically, ensuring that organizations have a process to receive and fix vulnerabilities is already a best practice recommended by many of the most widely adopted cybersecurity frameworks and standards. VDPs foster a collaborative environment where security researchers, consumers, and manufacturers work together to enhance product security. Early vulnerability disclosure helps mitigate potential cyber threats before they escalate into larger security incidents. By requiring manufacturers to provide clear channels for reporting vulnerabilities, the regulation will help to ensure quicker identification and resolution of security flaws, ultimately protecting consumers.

We might be subject to these new requirements — what should we do?

With the deadline rapidly approaching, you should review your existing security program and update or begin to implement any of the baseline security requirements that you’re not yet aligned with. 

vulnerability disclosure program on the HackerOne platform is a streamlined way to receive, manage, and track incoming vulnerability disclosures with access to the industry’s most trusted and reputable ethical hackers. Contact HackerOne to learn more.

The 8th Annual Hacker-Powered Security Report

HPSR blog ad image