The catalyst for trust in product security.

New UK Product Security and Telecommunications Infrastructure (PSTI) legislation came into force on 29th of April 2024 to protect consumers purchasing connectable products, enabling buyers to make more informed choices.

To view the UTAX PDF document explaining how PSTI is being implemented, download here.



PSTI covers consumer connectable products such as IoT or smart devices in the UK.

  • Manufacturers will have to comply with PSTI’s security standards to ensure that the internet or network connectable products they supply are secure by design and build.
  • All businesses involved in the supply chain of these devices will need to comply with the PSTI regulations to ensure only compliant products are released to market.
  • This includes products that are sold or made available in the market as part of a solution or service, such as a Managed Print Service contract.
    What are the PSTI requirements?

    The new regulations provide a set of security measures to ensure consumer connectable devices are more secure to help tackle the ongoing threats of cybercrime:



    Weak passwords like ‘Admin 123’ that can be guessed or easily compromised are banned. Compliant products must have a unique password to be legally sold or made available as part of a service in the UK. This applies to both new and refurbished products placed on the market and devices made available as part of a solution or service, such as a Managed Print Service.

    The regulations force manufacturers to take responsibility to maintain the products they sell by requiring them to publish a Vulnerability Disclosure Policy. Manufacturers will need to identify and flag any product security vulnerabilities and provide a mechanism for third parties to report identified risks.

    The regulations require the minimum length of time that products will be supported with security updates to be published. This will help inform purchasing decisions.

    All products made available to the market must be accompanied by a statement of compliance.

    Further details on PSTI and how it could affect UTAX devices and those selling them can be found here.



    What does it mean for UTAX Products?

    The legislation has only been applied to A4 products as these have been identified as products that could be suitable for home/personal use. As a result, UTAX A4 devices will be shipped with individual passwords to protect the devices. Below are instructions on where to locate the device password.

    Please note, relevant PSTI information will be located in the device box, so it is the responsibility of the organisation opening and installing the device to locate and administer the supplied password.

    What’s in the box?

  • All UTAX A4 printers and MFPs are shipped with a Statement of Compliance and a unique password in the box.
  • Packaging will be clearly marked, making it easy to identify PSTI compliant products.

    What does it mean for customers?

    Ultimately PSTI will give customers confidence and help them make informed purchasing decisions. The regulations are a force for good and long overdue. Products are already highly regulated to ensure they do not cause physical harm from overheating, or electrical interference. Now connectable devices will need to protect consumers from cyber harm, including loss of privacy and personal data.



    Password reset

    Need to reset your device password? Call 0345 680 1815 to talk to our support team or email technical@utax.co.uk.



    Report a security vulnerability

    Click here to report a vulnerability or a known security issue with a UTAX PSTI compliant device.



    PSTI compliant devices

    All UTAX’s A4 printers and MFPs that need to be PSTI compliant out of the box are listed here.

    Improved Reporting of Security Issues

    UTAX (UK) Ltd are committed to providing secure products and services (referred to as “Products,” hereafter) such as MFPs, printers, solutions, and applications.

    Cyberattacks have become more severe and sophisticated around the world. UTAX constantly monitors these advanced cyberattacks to reduce cybersecurity risks and enhance customers’ cybersecurity and privacy when using our products. Under these circumstances, our commitment to customers is for us to make a vulnerability response in a timely and efficient manner from the initial investigation up to the resolution of reported vulnerability issues. This commitment enables our customers to use our products securely and with ease.

    Once a vulnerability is discovered, UTAX focuses on responding promptly and appropriately, including responding to customers based on security vulnerability information. PSIRT (*1) generally proceeds in the following four steps: (1) gathering and sharing security vulnerability information, (2) investigating security issues and analysing their impact on our products, (3) taking security measures against vulnerabilities, and (4) announcing to the public.



    (1) Gathering and sharing security vulnerability information

    UTAX checks security information using official open databases of vulnerability information, such as CVE and JPCERT, and gathers security information from the press, such as newspapers and the Internet. More information is also provided by contacting the customer’s nearest sales company or by inter-office members.

    CVE: Common Vulnerabilities and Exposures
    JPCERT: Japan Computer Emergency Response Team

    (2) Investigating security issues and analysing their impact on our products

    We investigate and analyse the effects of a vulnerability being exploited, and the difficulty and conditions a malicious attacker would face in trying to exploit it.

    (3) Taking security measures against vulnerabilities

    After the investigation and analysis, if the results indicate that there is an impact, the development division continues to prepare technical and operational measures, such as applying security patches.

    (4) Announcing to the public

    We announce our security measures on the UTAX website, the PSIRT contact window, sales companies, or a service person.

    We value dialogue with vulnerability reporters, handle reported vulnerability information in good faith, and fulfil our responsibility by disclosing vulnerability information in a timely and appropriate manner.

    Circumstances

    The Vulnerability Disclosure Policy is applied to include the following circumstances:

  • A potential vulnerability affecting products is disclosed to the public.
  • A potential vulnerability existing in products is reported by an external third party.
  • A vulnerability impacting released products is discovered internally.


    Vulnerability Handling Scope

    UTAX does not consider individual issues caused by a weakness in your own coding or configuration, leading to a vulnerable design on your side, to be vulnerabilities in our products. We value vulnerability information submitted by reporters. However, whether the reported vulnerability information applies to the vulnerability handling scope will be determined by UTAX PSIRT.

    We encourage you to report vulnerability information that can provide us with significant information that helps improve the security of products for customers. Before submission of a vulnerability report, please read this Vulnerability Disclosure Policy thoroughly and follow the process described in the following section (i.e., What to expect) in compliance with this policy. Please also note that we do not have a bug bounty program, so you cannot request monetary compensation based upon acknowledgment of the reported vulnerability.

    Contact

    If a vulnerability is discovered in our products, submit your vulnerability report using the reporting form below. However, if you do not wish to directly contact UTAX, we recommend submitting your report through the Coordination Centre in your country (i.e., CERT/CC) (*2).

    Content

    If possible, please submit your report containing the following detailed information:

  • Reporter’s name and contact information
  • Name of the product that contains the potential vulnerability
  • The product version that contains the potential vulnerability
  • Type of the potential vulnerability (e.g., Information Disclosure, Privilege Escalation, Remote Code Execution, etc.)
  • Impact of the potential vulnerability
  • Steps in the specific and detailed process to reproduce the potential vulnerability
  • The circumstance that an attacker requires to exploit the vulnerability
  • Proof-of-concept code
  • Public, third-party reports of vulnerabilities (i.e., references)
  • Date when you have discovered the vulnerability
  • Others, additional information


    (*2) The Coordination Center coordinates incident response related to stakeholders in your country in the event of an incident.

    After a vulnerability is reported to UTAX PSIRT, we acknowledge receipt of the vulnerability report. We handle the process according to the following phases:

    Receipt

    In the receipt phase, a vulnerability reporter receives acknowledgement within 3 of our working days. The next correspondence is determined upon completion of our initial investigation. We will keep you informed of our vulnerability analysis status.

    Verification

    In the verification phase, we need to confirm any reported vulnerability with the respective development divisions. We investigate and analyse the effects of the vulnerability being exploited, and the difficulty and conditions of exploiting it. We ask that you provide us with a reasonable amount of time (at least 90 days from the acknowledgement) to resolve the issue before you disclose it publicly.

    Remediation

    In the remediation phase, the respective development divisions complete the vulnerability analysis, covering the vulnerability’s potential impact on our products, the possible effects when the vulnerability is exploited, and the difficulty and conditions when a malicious attacker attempts to exploit it, and validate software remediation, mitigation, and workarounds. Based upon the results, the timeline will be determined so we can take temporary and permanent security measures, respectively. If a vulnerability significantly impacts the global markets and takes time to remediate, alternative mitigation measures will be offered to customers. We will provide customers with adequate security measures as soon as possible and be as transparent as possible about the steps we take during the remediation process, including on issues or challenges that may delay resolution. We will communicate closely with the vulnerability reporter.

    Publication

    We are responsible for the appropriate disclosure of vulnerability information and extend the same responsibility to reporters. If UTAX PSIRT determines that the vulnerability information is critical to customers, like when there is a possibility of personal information leaks, we will publish security-related information (i.e., the advisory) on our security page of the UTAX company global website and UTAX Group company website in your country. For any public release, please coordinate with UTAX PSIRT or Computer Emergency Response Team Coordination Center (CERT/CC) (in case you contact CERT/CC in your country). Note that we create the disclosure contents based on the coordination.

    You must not:

  • Violate laws/regulations/standards enacted in respective countries/regions.
  • Share or re-distribute any data obtained through our products to third parties.
  • Submit the report by using a product obtained improperly through a malicious person.
  • Attempt to contact us utilizing vulnerable communication.
  • Report any vulnerabilities related to Denial of Services (DoS or DDoS).
  • Submit the report on products that are not brought in line with best practices.
  • Submit the report on TLS configuration weaknesses e.g., TLS1.0 support.
  • Use social engineering attacks.
  • Demand monetary compensation to disclose any vulnerabilities.


    You must:

  • Be compliant with all relevant laws/acts, standards, data protection, and privacy laws.
  • Securely delete all data used during your vulnerability investigation/analysis/research as soon as it is no longer required (*3).


    (*3) Reference: Article 17 General Data Protection Regulation (GDPR) Right to erasure (‘right to be forgotten’)

    UTAX does not claim any ownership rights to the information included in the reported Vulnerability Disclosure under this Policy, including, but not limited to, any data, text, material, program code, suggestion and recommendation received from the reporter (“Reported Vulnerability Information”).

    By providing any Reported Vulnerability Information to UTAX, the reporter

  • grants us the following non-exclusive, irrevocable, perpetual, royalty-free, worldwide, sub-licensable license to the intellectual property in the Reported Vulnerability Information:
      • to use, review, assess, test, and otherwise analyse the Reported Vulnerability Information; and
      • to reproduce, modify, distribute, display and perform publicly, and commercialize and create derivative works of the Reported Vulnerability Information and all its content, in whole or in part, for the purpose of fixing the reported vulnerabilities, improving Products, and marketing, sale and promotion of such improved Products;
  • agrees to sign any documentation that may be required for us or our designees to confirm the rights the reporter granted above;
  • understands and acknowledges that we may have developed or commissioned materials similar or identical to the Reported Vulnerability Information, and the reporter waives any claims or rights it may have resulting from any similarities to the Reported Vulnerability Information;
  • understands and acknowledges that it is not guaranteed any compensation or credit for Reported Vulnerability Information; and
  • represents and warrants that it hasn’t included any personal data in Reported Vulnerability Information, it hasn’t used any information or intellectual property owned by a third party in violation of legal or contractual requirements, and that the reporter has the legal right to provide the Reported Vulnerability Information to us subject to this Policy.


    UTAX Devices Covered

    UTAX (UK) Ltd shall, as standard, support all in-scope devices for a period of no less than three years from the point the relevant model was first made available in the UK.

    These support periods are reviewed on a continual basis and extended where it is deemed prudent to do so, for the benefit of the consumer. At no point shall the support periods advertised on this webpage be reduced, as doing so would not comply with the PSTI legislation. Please refer to the in-scope models and applicable support periods outlined below:

  • 358ci: Date available: July 2023 | End of Support: 31st July 2026
  • 458ci: Date available: July 2023 | End of Support: 31st July 2026
  • P-3521 MFP: Date available: November 2016 | End of Support: 31st December 2024
  • P-3522DW: Date available: November 2016 | End of Support: 31st December 2024
  • P-3527w MFP: Date available: November 2016 | End of Support: 31st December 2024
  • P-4020 MFP: Date available: November 2016 | End of Support: 31st December 2024
  • P-4020DN: Date available: December 2016 | End of Support: 31st December 2024
  • P-4020DW: Date available: November 2016 | End of Support: 31st December 2024
  • P-4025w MFP: Date available: November 2016 | End of Support: 31st December 2024
  • P-4026iw MFP: Date available: November 2016 | End of Support: 31st December 2024
  • P-4532 MFP: Date available: March 2023 | End of Support: 31st March 2026
  • P-4532i MFP: Date available: March 2023 | End of Support: 31st March 2026
  • P-4539 MFP: Date available: March 2023 | End of Support: 31st March 2026
  • P-4539i MFP: Date available: March 2023 | End of Support: 31st March 2026
  • P-5539i MFP: Date available: March 2023 | End of Support: 31st March 2026
  • P-6039i MFP: Date available: March 2023 | End of Support: 31st March 2026
  • P-4534DN: Date available: January 2023 | End of Support: 31st January 2026
  • P-5034DN: Date available: January 2023 | End of Support: 31st January 2026
  • P-5534DN: Date available: January 2023 | End of Support: 31st January 2026
  • P-6034DN: Date available: January 2023 | End of Support: 31st January 2026
  • P-C2650DW: Date available: November 2016 | End of Support: 31st December 2024
  • P-C2655w MFP: Date available: November 2016 | End of Support: 31st December 2024
  • P458ci: Date available: July 2023 | End of Support: 31st July 2026
  • P-C3563DN: Date available: July 2023 | End of Support: 31st July 2026
  • P-C4063DN: Date available: July 2023 | End of Support: 31st July 2026
  • P-C3563i MFP: Date available: July 2023 | End of Support: 31st July 2026
  • P-C3567i MFP: Date available: July 2023 | End of Support: 31st July 2026
  • P-C4063i MFP: Date available: July 2023 | End of Support: 31st July 2026
  • P-C4067i MFP: Date available: July 2023 | End of Support: 31st July 2026

