UK PSTI Act: ‘World first’ IoT security rules offer reminder of VDP virtues

May 10, 2024


A new UK cybersecurity law shows that governments are losing patience with the widespread failure to implement basic security measures for connected devices.

In force since 29 April, the Product Security and Telecommunications Infrastructure (PSTI) Act mandates that Internet of Things (IoT) manufacturers must publish contact information for anyone – from users to security researchers – to report security vulnerabilities in their internet-enabled devices. The information should be “accessible, clear and transparent”, according to UK government guidance.

Manufacturers are also obliged to give reporters of suspected vulnerabilities timescales for acknowledging vulnerability reports and status updates until the issue is remediated or invalidated.
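The usual way a vendor publishes the contact information the Act requires is a security.txt file (RFC 9116) served at /.well-known/security.txt. The checker below is an added example, not from the article or from YesWeHack; it assumes that route and verifies the RFC's basic rules (a Contact URI, exactly one Expires date that has not passed). The sample file contents and the example.com/example.org addresses are constructed.

```python
"""Basic RFC 9116 (security.txt) checks.

Added example, not from the article or from YesWeHack. It assumes a vendor
publishes its vulnerability-report contact in security.txt; the sample
contents and the example.com/example.org addresses are constructed.
"""
import re
from datetime import datetime, timezone

REQUIRED_FIELDS = ("Contact", "Expires")
# Contact values must be URIs; RFC 9116 recommends https:, mailto: or tel:.
CONTACT_URI = re.compile(r"^(https://|mailto:|tel:)\S+$")

# Constructed samples. FIXED_NOW / AFTER_EXPIRY make the checks reproducible.
FIXED_NOW = datetime(2024, 5, 10, tzinfo=timezone.utc)
AFTER_EXPIRY = datetime(2026, 1, 1, tzinfo=timezone.utc)
SAMPLE_GOOD = """\
# Constructed example of a compliant file, served at /.well-known/security.txt
Contact: mailto:security@example.com
Contact: https://example.com/report-a-vulnerability
Expires: 2025-04-29T00:00:00Z
Preferred-Languages: en
Policy: https://example.com/vdp
"""
SAMPLE_BAD = """\
Contact: security@example.org
"""


def parse_security_txt(text):
    """Return {field_name: [values]}; comments and blank lines are skipped."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        name, value = line.split(":", 1)
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields


def check_security_txt(text, now=None):
    """Return a list of problems; an empty list means the file passes."""
    now = now or datetime.now(timezone.utc)
    try:
        fields = parse_security_txt(text)
    except ValueError as exc:
        return [str(exc)]
    problems = [f"missing required field: {f}" for f in REQUIRED_FIELDS if f not in fields]
    for contact in fields.get("Contact", []):
        if not CONTACT_URI.match(contact):
            problems.append(f"Contact is not a https:/mailto:/tel: URI: {contact}")
    expires = fields.get("Expires", [])
    if len(expires) > 1:
        problems.append("Expires must appear exactly once")
    elif expires:
        try:
            when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if when <= now:
                problems.append(f"Expires is in the past: {expires[0]}")
        except ValueError:
            problems.append(f"Expires is not an RFC 3339 timestamp: {expires[0]}")
    return problems


if __name__ == "__main__":
    for label, sample in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(label, check_security_txt(sample, now=FIXED_NOW) or "OK")
```

The Expires check matters in practice: a contact that was correct at launch but whose file has lapsed is exactly the "inaccessible" reporting channel the guidance warns against, so the check belongs in a release pipeline, not just a one-off audit.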

According to 2023 research (PDF) conducted by UK cybersecurity firm Copper Horse for the IoT Security Foundation, 76% of smart device vendors still provided no means for security researchers to contact them.

Hailed by the UK government as a “world first”, the PSTI regime also proscribes weak and easily guessable default passwords like ‘admin’ or ‘12345’. Shipping products with easily guessable default passwords enables devastating attacks such as the corralling of hundreds of thousands of devices into the Mirai botnet, which brought down numerous popular websites in 2016.
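A vendor can enforce the default-password rule before units leave the factory: reject blocklisted or trivial defaults, and give every unit its own default so that one leaked credential does not open a whole product line, the pattern Mirai exploited. The code below is an added example, not from the article; the blocklist, the serial numbers, the HMAC-based derivation scheme and the placeholder factory key are all constructed.

```python
"""Factory-default credential checks for a connected-device product line.

Added example, not from the article. The blocklist, the serial numbers and
the per-unit derivation scheme are constructed for illustration.
"""
import hashlib
import hmac
import string
from collections import Counter

# Constructed blocklist of the easily guessable defaults the PSTI regime bans.
BANNED_DEFAULTS = {"admin", "password", "root", "user", "guest", "default",
                   "1234", "12345", "123456", "0000", "admin123"}
MIN_LENGTH = 12

# Placeholder only: a real factory key lives in an HSM, never in source.
FACTORY_KEY = b"constructed-factory-key-placeholder"


def is_acceptable_default(password):
    """Pass only if not blocklisted, long enough, and mixing upper, lower and digits."""
    if password.lower() in BANNED_DEFAULTS or len(password) < MIN_LENGTH:
        return False
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits)
    return all(any(c in cls for c in password) for cls in classes)


def per_device_default(serial, factory_key):
    """Derive a unique default from the unit serial with a keyed HMAC.

    Knowing a serial does not reveal the password without the key, and the
    fixed upper/lower/digit layout (5 chars each) guarantees the class mix.
    """
    digest = hmac.new(factory_key, serial.encode(), hashlib.sha256).digest()
    alphabets = (string.ascii_uppercase, string.ascii_lowercase, string.digits)
    out = []
    for i, alphabet in enumerate(alphabets):
        chunk = digest[5 * i:5 * i + 5]
        out.extend(alphabet[b % len(alphabet)] for b in chunk)
    return "".join(out)


def audit_fleet(defaults):
    """Flag weak defaults and any default shared by several units (Mirai-style reuse)."""
    findings = []
    for serial, pw in sorted(defaults.items()):
        if not is_acceptable_default(pw):
            findings.append(f"{serial}: weak or banned default")
    for pw, n in Counter(defaults.values()).items():
        if n > 1:
            findings.append(f"default shared by {n} units")
    return findings


if __name__ == "__main__":
    fleet = {"SN-0001": "admin", "SN-0002": "admin",
             "SN-0003": per_device_default("SN-0003", FACTORY_KEY)}
    print(audit_fleet(fleet))
```

Printing the derived default on the unit's label is the usual way to ship a per-device credential; the audit function is meant to run over the manufacturing database so that a regression to a shared default is caught before units ship.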

A third PSTI security requirement mandates a commitment to a minimum end date for sustaining security updates – again, “in a clear, accessible and transparent manner”. Committing to finding and fixing vulnerabilities and rolling out patches over the long haul gives vendors an edge in winning consumer trust and complying with increasingly stringent regulation around the world.

UK households own an average of nine connected devices, according to the UK government. Amid reports of vulnerabilities that enable cybercriminals to take over devices and covertly view footage from security cameras, connected toys and smart baby monitors, UK Minister for Cyber Viscount Camrose said the new law should give consumers “greater peace of mind”.

Anyone can report a product they suspect is failing to comply with the PSTI legislation to the Office for Product Safety and Standards (OPSS). Organisations found to have flouted the law can be fined.

Automotive vehicles are exempt from the law since separate legislation is being drafted for online automotive systems.

Copper Horse CEO David Rogers said: “Manufacturers should not be providing anyone with products like webcams that are so weak and insecure that they are trivial to hack into and take over. This stops now and people [in the UK] can have greater confidence that the internet-connected products that they buy have better security measures built in to protect them.”

VDP: Best practice for secure, coordinated vulnerability disclosure

A Vulnerability Disclosure Policy (VDP) is the most secure and efficient means of complying with vulnerability reporting requirements, such as those prescribed by the PSTI regulations.

VDPs are advocated by NIST, ENISA and CISA and prescribed through standards ISO 29147 and ISO 30111. A US government-wide VDP platform “facilitated the remediation of 1,119 vulnerabilities out of 1,330 unique, validated submissions” in its first two years of operation.

As a secure channel for coordinated vulnerability disclosure, a VDP shows your customers that you take security seriously and can fruitfully complement a Bug Bounty Program.

YesWeHack can help you create a branded VDP in line with industry best practices and your specific requirements and integrate it into your website. Other product features:

  • Unified interface for receiving reports and managing vulnerabilities
  • Receive only valid, actionable reports thanks to our in-house triage service
  • Triage team can evaluate bug severity and liaise with security researchers
  • End-to-end encryption ensures confidential communication