---
title: "UK PSTI Act: step-by-step vulnerability disclosure process workflow"
canonical_url: "https://www.sorena.io/artifacts/uk/product-security-and-telecommunications-infrastructure-act/vulnerability-disclosure-workflow"
source_url: "https://www.sorena.io/artifacts/uk/product-security-and-telecommunications-infrastructure-act/vulnerability-disclosure-workflow"
author: "Sorena AI"
description: "UK PSTI Product Security guidance for Vulnerability Disclosure Workflow, with practical decisions, evidence, edge cases, and external source citations."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "UK PSTI Product Security"
  - "Vulnerability Disclosure Workflow"
  - "UK PSTI Product Security Vulnerability Disclosure Workflow"
  - "compliance checklist"
  - "practical guidance"
  - "Compliance"
  - "Regulatory guidance"
---
---

# UK PSTI Act: step-by-step vulnerability disclosure process workflow

UK PSTI Product Security guidance for Vulnerability Disclosure Workflow, with practical decisions, evidence, edge cases, and external source citations.

*Artifact Guide* *UK* *Vulnerability Disclosure Workflow*

## UK PSTI Product Security Vulnerability Disclosure Workflow

Vulnerability Disclosure Workflow decisions under UK PSTI Product Security should be written in operational language: who is in scope, what must happen, what evidence proves it, and when escalation is needed.

Use this guide to turn the official requirements into scope, evidence, owner, and review decisions: which UK PSTI Product Security duties apply, who owns each action, what evidence is required, and how escalation decisions are reviewed. The guidance is practical and source-linked, and should be validated against the current legal and policy requirements before implementation.

## How should a Vulnerability Disclosure Workflow run under UK PSTI Product Security?

Treat the workflow as an intake and response process: receive the security report, record the product and reporter details, confirm the report contains enough detail to act on, track the acknowledgement and status-update timings against the timescales the manufacturer has published for the product, decide whether the issue is in scope, and, where the report reveals a compliance failure, escalate through the business and the Office for Product Safety and Standards (OPSS) notification process.

- Log the report, product, reporter contact details, source quote, and the date it was received.
- Acknowledge receipt using the timescale published for the product and record the next status-update date.
- Check whether the product is a relevant connectable product in scope of the regime, whether the issue points to a failure against a security requirement or a manufacturer duty in Part 1, Chapter 2 of the PSTI Act 2022, and whether the report needs legal, security, or product-owner review.
- Assign an owner for triage, remediation, customer messaging, and any OPSS notification required for a compliance failure.
- Record the decision, the action taken, the evidence location, and any follow-up review date.

Sources for this answer:

- [Consumer connectable product security regulations](https://www.gov.uk/government/publications/OPSS-enforcement-enforcement-actions/consumer-connectable-product-security-regulations?ref=sorena.io) - Supports the PSTI vulnerability-disclosure workflow requirement to publish reporting information and expected acknowledgement and status-update timescales.
- [The UK Product Security and Telecommunications Infrastructure (Product Security) regime](https://www.gov.uk/government/publications/the-uk-product-security-and-telecommunications-infrastructure-product-security-regime?ref=sorena.io) - Workflow support for Vulnerability Disclosure Workflow.
- [Regulations: consumer connectable product security](https://www.gov.uk/guidance/regulations-consumer-connectable-product-security?ref=sorena.io) - GOV.UK guidance for manufacturers, importers, and distributors on PSTI product security compliance.

## What fields should the Vulnerability Disclosure Workflow template capture?

A useful template captures the intake details, the promised acknowledgement and status-update timings, the scope decision, the remediation owner, any escalation path, and the evidence needed to show that the report was handled in line with the published process.

- Report ID, reporter contact, product name or model, receipt date, and source quote.
- Expected acknowledgement time, next status-update date, and final closure date.
- Scope decision, in-scope or out-of-scope reason, and the Chapter 2 duty affected.
- Assigned owner, escalation contact, remediation action, customer messaging note, and OPSS notification record if a compliance failure is identified.
- Evidence link, approval note, exception note, and review cadence.
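The intake record and the timing checks described in the two sections above, modelled as an added example (this is not code from the original page or from Sorena): the report fields follow the template, the acknowledgement and next status-update deadlines are computed from the timescales the manufacturer has published for the product, and the evaluation flags overdue acknowledgements and updates, missing scope decisions and owners, and compliance failures with no OPSS notification record. The timescale values, product names, reporter contacts, and report text are constructed for the example.

```python
"""Intake tracker for PSTI security-issue reports (added example, not Sorena's code)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class PublishedTimescales:
    """Timescales the manufacturer has published for the product.
    The values used below are hypothetical; use the ones actually published."""
    acknowledge_within: timedelta
    status_update_every: timedelta


@dataclass
class DisclosureReport:
    """One intake record; field names follow the template fields on this page."""
    report_id: str
    product_model: str
    reporter_contact: str
    received_at: datetime
    source_quote: str
    acknowledged_at: datetime | None = None
    status_updates: list[datetime] = field(default_factory=list)
    closed_at: datetime | None = None
    in_scope: bool | None = None          # None: scope decision not yet made
    scope_reason: str = ""
    owner: str = ""
    compliance_failure: bool = False
    opss_notification_ref: str = ""
    evidence_link: str = ""


def acknowledgement_due(report: DisclosureReport, ts: PublishedTimescales) -> datetime:
    """Acknowledgement deadline, measured from receipt of the report."""
    return report.received_at + ts.acknowledge_within


def next_status_update_due(report: DisclosureReport, ts: PublishedTimescales) -> datetime | None:
    """Status updates are owed until closure; the clock restarts at each contact with the reporter."""
    if report.closed_at is not None:
        return None
    last_contact = max([report.acknowledged_at or report.received_at, *report.status_updates])
    return last_contact + ts.status_update_every


def evaluate(report: DisclosureReport, ts: PublishedTimescales, now: datetime) -> dict:
    """Return the evidence record for one report plus any findings that need action."""
    findings: list[str] = []
    ack_due = acknowledgement_due(report, ts)
    if report.acknowledged_at is None:
        if now > ack_due:
            findings.append("acknowledgement overdue")
    elif report.acknowledged_at > ack_due:
        findings.append("acknowledgement sent late")
    update_due = next_status_update_due(report, ts)
    if update_due is not None and now > update_due:
        findings.append("status update overdue")
    if report.in_scope is None:
        findings.append("scope decision missing")
    if report.in_scope and not report.owner:
        findings.append("remediation owner missing")
    if report.compliance_failure and not report.opss_notification_ref:
        findings.append("compliance failure without OPSS notification record")
    if report.closed_at is not None and not report.evidence_link:
        findings.append("closed without evidence link")
    return {
        "report_id": report.report_id,
        "acknowledgement_due": ack_due.isoformat(),
        "next_status_update_due": update_due.isoformat() if update_due else None,
        "findings": findings,
        "on_track": not findings,
    }


UTC = timezone.utc
# Hypothetical published timescales: acknowledge within 2 days, update at least every 14 days.
TIMESCALES = PublishedTimescales(acknowledge_within=timedelta(days=2), status_update_every=timedelta(days=14))


def sample_reports() -> list[DisclosureReport]:
    """Constructed sample records; products, contacts and quotes are invented for the example."""
    return [
        DisclosureReport("VDR-0001", "SmartPlug SP-200", "researcher@example.org",
                         datetime(2026, 5, 1, 9, 0, tzinfo=UTC), "Default admin password accepted after setup",
                         acknowledged_at=datetime(2026, 5, 2, 10, 0, tzinfo=UTC),
                         status_updates=[datetime(2026, 5, 15, 9, 0, tzinfo=UTC)],
                         in_scope=True, scope_reason="in-scope consumer product; default password requirement",
                         owner="firmware-team"),
        DisclosureReport("VDR-0002", "SmartPlug SP-200", "anon@example.net",
                         datetime(2026, 5, 1, 12, 0, tzinfo=UTC), "Support period page is missing",
                         compliance_failure=True),
    ]


def run_sample(now: datetime = datetime(2026, 5, 20, 9, 0, tzinfo=UTC)) -> dict[str, dict]:
    """Evaluate every sample report as of `now` and key the results by report ID."""
    return {r.report_id: evaluate(r, TIMESCALES, now) for r in sample_reports()}


if __name__ == "__main__":
    for rid, result in run_sample().items():
        print(rid, "on track" if result["on_track"] else result["findings"])
```

Run it with the product's real published timescales in place of `TIMESCALES`; the `findings` list is what the review meeting works through, and the returned record is what goes into the evidence store.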

Sources for this answer:

- [The UK Product Security and Telecommunications Infrastructure (Product Security) regime](https://www.gov.uk/government/publications/the-uk-product-security-and-telecommunications-infrastructure-product-security-regime?ref=sorena.io) - Template field support for Vulnerability Disclosure Workflow.
- [Regulations: consumer connectable product security](https://www.gov.uk/guidance/regulations-consumer-connectable-product-security?ref=sorena.io) - GOV.UK guidance for manufacturers, importers, and distributors on PSTI product security compliance.
- [Consumer connectable product security regulations](https://www.gov.uk/government/publications/OPSS-enforcement-enforcement-actions/consumer-connectable-product-security-regulations?ref=sorena.io) - Template field support for Vulnerability Disclosure Workflow.

## How should teams review and improve the Vulnerability Disclosure Workflow?

Review the workflow after firmware changes, supplier changes, product bundling changes, UK market placement changes, vulnerability reports, OPSS notices, or support-period updates.

- Track recurring exception categories and update intake questions.
- Remove fields that never affect the decision.
- Add fields when reviews show missing source evidence or unclear ownership.

Sources for this answer:

- [Consumer connectable product security regulations](https://www.gov.uk/government/publications/OPSS-enforcement-enforcement-actions/consumer-connectable-product-security-regulations?ref=sorena.io) - Supports the PSTI vulnerability-disclosure workflow requirement to publish reporting information and expected acknowledgement and status-update timescales.
- [The UK Product Security and Telecommunications Infrastructure (Product Security) regime](https://www.gov.uk/government/publications/the-uk-product-security-and-telecommunications-infrastructure-product-security-regime?ref=sorena.io) - Review support for Vulnerability Disclosure Workflow.
- [Regulations: consumer connectable product security](https://www.gov.uk/guidance/regulations-consumer-connectable-product-security?ref=sorena.io) - GOV.UK guidance for manufacturers, importers, and distributors on PSTI product security compliance.
- [Regulation of consumer connectable product cyber security](https://www.legislation.gov.uk/ukia/2023/123/pdfs/ukia_20230123_en.pdf?ref=sorena.io) - Review support for Vulnerability Disclosure Workflow.

*Recommended next step*

## Turn UK PSTI Product Security Vulnerability Disclosure Workflow into assigned work

Use this UK PSTI Product Security guide to turn Vulnerability Disclosure Workflow into owners, evidence requests, review checkpoints, and reusable operating records inside Sorena.

- [Open Assessment Autopilot for UK PSTI Product Security](/solutions/assessment.md): Turn Vulnerability Disclosure Workflow into scoped questions, evidence fields, and review tasks.
- [Review UK PSTI Product Security source evidence](/solutions/research-copilot.md): Use Research Copilot to answer follow-up questions with cited source material.
- [Discuss UK PSTI vulnerability disclosure implementation](/contact.md): Review scope, evidence, owners, and the next compliance actions with Sorena.

## Primary sources

- [Consumer connectable product security regulations](https://www.gov.uk/government/publications/OPSS-enforcement-enforcement-actions/consumer-connectable-product-security-regulations?ref=sorena.io) - Supports the PSTI vulnerability-disclosure workflow requirement to publish reporting information and expected acknowledgement and status-update timescales.
  - Quote: "publishing information on how to report security issues"
- [The UK Product Security and Telecommunications Infrastructure (Product Security) regime](https://www.gov.uk/government/publications/the-uk-product-security-and-telecommunications-infrastructure-product-security-regime?ref=sorena.io) - Supports Vulnerability Disclosure Workflow under UK PSTI Product Security.
  - Quote: "The manufacturer must provide information on how to report to them security issues about their product."
- [Regulations: consumer connectable product security](https://www.gov.uk/guidance/regulations-consumer-connectable-product-security?ref=sorena.io) - GOV.UK guidance for manufacturers, importers, and distributors on PSTI product security compliance.
  - Quote: "publishing information on how to report security issues"
- [Regulation of consumer connectable product cyber security](https://www.legislation.gov.uk/ukia/2023/123/pdfs/ukia_20230123_en.pdf?ref=sorena.io) - Supports Vulnerability Disclosure Workflow under UK PSTI Product Security.
  - Quote: "The government has been working with the tech industry to better secure consumer connectable products for several years"
- [The Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023](https://www.legislation.gov.uk/uksi/2023/1007/pdfs/uksiem_20231007_en_001.pdf?ref=sorena.io) - Supports Vulnerability Disclosure Workflow under UK PSTI Product Security.
  - Quote: "security requirements for relevant connectable products"

## Related Topic Guides

- [UK PSTI Act relevant connectable products: full scope and category definitions](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/relevant-connectable-products-scope.md): UK PSTI Product Security guidance for Relevant Connectable Products Scope, with practical decisions, evidence, edge cases, and external source citations.
- [UK PSTI Act statement of compliance: evidence requirements and audit documentation](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/statement-of-compliance-and-evidence.md): UK PSTI Product Security guidance for Statement Of Compliance And Evidence, with practical decisions, evidence, edge cases, and external source citations.
- [UK PSTI Act statement of compliance: what must the SoC contain?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/statement-of-compliance.md): UK PSTI Product Security guidance for Statement Of Compliance, with practical decisions, evidence, edge cases, and external source citations.
- [UK PSTI Act: is your product a relevant connectable product? scope test](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/relevant-connectable-product-scope.md): UK PSTI Product Security guidance for Relevant Connectable Product Scope, with practical decisions, evidence, edge cases, and external source citations.
- [UK PSTI Act: step-by-step statement of compliance preparation workflow](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/statement-of-compliance-workflow.md): UK PSTI Product Security guidance for Statement Of Compliance Workflow, with practical decisions, evidence, edge cases, and external source citations.
- [UK PSTI Act: vulnerability disclosure policy requirements and template](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/vulnerability-disclosure-policy.md): UK PSTI Product Security guidance for Vulnerability Disclosure Policy, with practical decisions, evidence, edge cases, and external source citations.
- [UK PSTI Default Password Requirements](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/default-password-requirements.md): A source-linked guide to the UK PSTI default password rule for consumer connectable products: unique passwords, user-defined setup, prohibited patterns, and evidence to keep.
- [UK PSTI Product Security Applicability Test Guide](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/applicability-test.md): Practical guidance for the UK PSTI Product Security applicability test, with practical decisions, evidence, edge cases, and external source citations.
- [UK PSTI Product Security Checklist](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/checklist.md): Practical guidance for the UK PSTI Product Security checklist, with practical decisions, evidence, edge cases, and external source citations.
- [UK PSTI Product Security Compliance Guide](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/compliance.md): Practical guidance for the UK PSTI Product Security compliance, with practical decisions, evidence, edge cases, and external source citations.
- [UK PSTI Product Security Deadlines and Compliance Calendar Guide](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/deadlines-and-compliance-calendar.md): UK PSTI Product Security guidance for Deadlines and Compliance Calendar, with practical decisions, evidence, edge cases, and external source citations.
- [UK PSTI Product Security ETSI Evidence Mapping Guide](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/etsi-evidence-mapping.md): UK PSTI Product Security guidance for ETSI Evidence Mapping, with practical decisions, evidence, edge cases, and external source citations.
- [UK PSTI Product Security FAQ](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq.md): Practical guidance for the UK PSTI Product Security FAQ, with practical decisions, evidence, edge cases, and external source citations.
- [UK PSTI Product Security Importer And Distributor Duties Guide](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/importer-and-distributor-duties.md): UK PSTI Product Security guidance for Importer And Distributor Duties, with practical decisions, evidence, edge cases, and external source citations.
- [UK PSTI Product Security Minimum Support Period And Update Transparency Guide](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/minimum-support-period-and-update-transparency.md): UK PSTI Product Security guidance for Minimum Support Period And Update Transparency, with practical decisions, evidence, edge cases, and external source citations.
- [UK PSTI Product Security OPSS Enforcement and Penalties Guide](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/opss-enforcement-and-penalties.md): UK PSTI Product Security guidance for OPSS enforcement and penalties, with practical decisions, evidence, edge cases, and external source citations.
- [UK PSTI Product Security OPSS Notices Guide](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/opss-notices.md): UK PSTI Product Security guidance for OPSS Notices, with practical decisions, evidence, edge cases, and external source citations.
- [UK PSTI Product Security penalties and fines Guide](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/penalties-and-fines.md): UK PSTI Product Security guidance for penalties and fines, with practical decisions, evidence, edge cases, and external source citations.
- [UK PSTI Product Security PSTI Password And Update Policy Requirements Guide](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/psti-password-and-update-policy-requirements.md): UK PSTI Product Security guidance for PSTI Password And Update Policy Requirements, with practical decisions, evidence, edge cases, and external source citations.
- [UK PSTI Product Security PSTI Scope Classifier Workflow Guide](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/psti-scope-classifier-workflow.md): UK PSTI Product Security guidance for PSTI Scope Classifier Workflow, with practical decisions, evidence, edge cases, and external source citations.
- [UK PSTI Product Security PSTI Statement Of Compliance Template Guide](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/psti-statement-of-compliance-template.md): UK PSTI Product Security guidance for PSTI Statement Of Compliance Template, with practical decisions, evidence, edge cases, and external source citations.
- [UK PSTI Product Security PSTI vs CRA Guide](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/psti-vs-cra.md): UK PSTI Product Security guidance for PSTI vs CRA, with practical decisions, evidence, edge cases, and external source citations.
- [UK PSTI Product Security PSTI vs ETSI EN 303 645 Guide](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/psti-vs-etsi-en-303-645.md): UK PSTI Product Security guidance for PSTI vs ETSI EN 303 645, with practical decisions, evidence, edge cases, and external source citations.
- [UK PSTI Product Security PSTI vs EU Cyber Resilience Act Guide](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/psti-vs-eu-cyber-resilience-act.md): UK PSTI Product Security guidance for PSTI vs EU Cyber Resilience Act, with practical decisions, evidence, edge cases, and external source citations.
- [UK PSTI Product Security Requirements Guide](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/requirements.md): Practical guidance for the UK PSTI Product Security requirements, with practical decisions, evidence, edge cases, and external source citations.
- [UK PSTI Product Security Requirements In Practice Guide](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/security-requirements-in-practice.md): UK PSTI Product Security guidance for Security Requirements In Practice, with practical decisions, evidence, edge cases, and external source citations.
- [UK PSTI Product Security Supply Chain Roles Manufacturer Importer Distributor Guide](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/supply-chain-roles-manufacturer-importer-distributor.md): UK PSTI Product Security guidance for Supply Chain Roles Manufacturer Importer Distributor, with practical decisions, evidence, edge cases, and external source citations.
- [UK PSTI Product Security Support Period Evidence Workflow Guide](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/support-period-evidence-workflow.md): UK PSTI Product Security guidance for Support Period Evidence Workflow, with practical decisions, evidence, edge cases, and external source citations.
- [UK PSTI vs Australia Cyber Security Act Guide](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/psti-vs-australia-cyber-security-act.md): UK PSTI Product Security guidance for PSTI vs Australia Cyber Security Act, with practical decisions, evidence, edge cases, and external source citations.
- [What should teams do about Default Passwords under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/default-passwords.md): UK PSTI Product Security guidance for Default Passwords, with practical decisions, evidence, edge cases, and external source citations.
- [What should teams do about ETSI Evidence under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/etsi-evidence.md): UK PSTI Product Security guidance for ETSI Evidence, with practical decisions, evidence, edge cases, and external source citations.
- [What should teams do about Excepted Products under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/excepted-products.md): UK PSTI Product Security guidance for Excepted Products, with practical decisions, evidence, edge cases, and external source citations.
- [What should teams do about Importer And Distributor Duties under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/importer-and-distributor-duties.md): UK PSTI Product Security guidance for Importer And Distributor Duties, with practical decisions, evidence, edge cases, and external source citations.
- [What should teams do about OPSS Notices under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/opss-notices.md): UK PSTI Product Security guidance for OPSS Notices, with practical decisions, evidence, edge cases, and external source citations.
- [What should teams do about Relevant Connectable Products under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/relevant-connectable-products.md): UK PSTI Product Security guidance for Relevant Connectable Products, with practical decisions, evidence, edge cases, and external source citations.
- [What should teams do about Statement Of Compliance under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/statement-of-compliance.md): UK PSTI Product Security guidance for Statement Of Compliance, with practical decisions, evidence, edge cases, and external source citations.
- [What should teams do about Support Periods under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/support-periods.md): UK PSTI Product Security guidance for Support Periods, with practical decisions, evidence, edge cases, and external source citations.
- [What should teams do about Update Transparency under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/update-transparency.md): UK PSTI Product Security guidance for Update Transparency, with practical decisions, evidence, edge cases, and external source citations.
- [What should teams do about Vulnerability Disclosure under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/vulnerability-disclosure.md): UK PSTI Product Security guidance for Vulnerability Disclosure, with practical decisions, evidence, edge cases, and external source citations.


(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/uk/product-security-and-telecommunications-infrastructure-act/vulnerability-disclosure-workflow
