The U.K. government is contemplating the implementation of voluntary rules urging software vendors to responsibly disclose vulnerabilities in their systems. This initiative follows criticisms over the government’s management of legacy infrastructure. Respondents to a call for comments emphasized the need for government intervention to encourage software vendors to disclose vulnerability details promptly. The report revealed concerns about the systemic risk from vulnerabilities and malware in open-source software components and suggested that government guidance on vulnerability disclosure, a software bill of materials, certifications, and regulations could enhance transparency and cybersecurity.
Approximately 200 stakeholders participated in the call for comments, with respondents highlighting the fear of penalization and reputational damage as deterrents for businesses in reporting software vulnerabilities. The report emphasized that 80% of respondents agreed that more efforts should be made to ensure organizations disclose information quickly to prevent the spread of infection. Challenges associated with software security include risks from open-source software components, difficulties in obtaining adequate funding during the development cycle, and the use of unmonitored third-party open-source libraries. The U.K. government plans to publish voluntary practices for vendors, building on existing standards, to establish baseline expectations for software security.
The respondents recommended government guidance on a software bill of materials, certifications for software vendors and developers, and regulations mandating minimum standards of transparency. The proposed voluntary rules aim to improve the country’s cyber resiliency by setting baseline expectations for software security. The U.K. Department for Science, Innovation, and Technology led the consultation, and the government’s efforts to enhance cyber resiliency come amid pressure to address issues with legacy infrastructure in public offices. The release date for the software vulnerability management rules is unclear, but the government plans to involve software vendors, users, and agencies in developing cybersecurity guardrails and procurement processes.
Reference:
