UK's Product Security and Telecoms Infrastructure (PSTI) Compliance

The UK Product Security and Telecommunications Infrastructure (PSTI) Act establishes a mandatory security framework for consumer-connectable products, such as smartphones and other smart devices. It requires manufacturers, importers, and distributors to take proactive steps to strengthen product resilience against cyber threats.

Effective from 29 April 2024, the Act sets out baseline security requirements that manufacturers must meet to protect consumers from risks including data breaches, fraud, and other forms of cyber attack.

No Default Passwords

Consumer-connectable products in the UK (e.g., smartphones) must not be supplied with universal default passwords. Unplugged does not provide preset passwords on any device. All passwords are created by the user during setup or later in Settings.

Reporting cyber security issues

If you find a vulnerability in UP Phone, UnpluggedOS, our preinstalled apps, or Unplugged-operated services, please report it.

Contact: security@unplugged.com

Include:

  • Product/model and version (OS and/or app)
  • Affected component
  • Clear reproduction steps / proof of concept (PoC)
  • Impact
  • Your contact details (name, email, and optional phone)

We aim to respond promptly. In any case, we will acknowledge your report within 5 business days, provide an initial triage update within 10 business days, and coordinate a fix and disclosure. The default coordinated disclosure window is up to 90 days (adjusted for severity or active exploitation).

Security updates (UK)

UP Phone receives security updates for at least two years from first sale. For UP Phone, we will provide security updates through 31 July 2027. Updates include OS and pre-installed app patches, vulnerability fixes, and other security improvements delivered over the air. After that date, the phone will continue to function, but new security updates may not be provided. We may extend this date, but we will not bring it forward.