Vulnerability management for the UK Software Code
The Code asks software vendors to manage and disclose vulnerabilities, ship timely security updates and be clear about support and end-of-life. IsItPatched delivers the practical side from an SBOM — a component inventory, known and actively-exploited CVEs, the minimum safe version, end-of-life tracking and exportable evidence. A way to get ahead of where UK software rules are heading.
1046 actively-exploited CVEs across 613 tracked products right now
Built for UK software vendors
Software & SaaS vendors
Signal that you take secure maintenance seriously — and get ahead of where UK software-security expectations are heading.
Suppliers to government
Public-sector buyers increasingly expect secure-by-design practices. Evidence your vulnerability-management process.
Engineering & security leads
A repeatable record: know your components, prioritise by exploitation, ship the safe version, track end-of-life.
The Code's principles → what IsItPatched gives you
Know your components
Scan a CycloneDX/SPDX SBOM for a per-component inventory of the third-party and open-source software you ship.
Scan an SBOM →
Manage vulnerabilities
Each component's CVEs identified and prioritised by actively-exploited (CISA KEV) and high-EPSS status.
See actively-exploited CVEs →
Ship security updates
The minimum safe version and a critical-first queue tell you exactly what to update before you ship.
Open your dashboard →
Communicate support & EOL
End-of-life tracking helps you be upfront about support periods; export a risk register / VEX as evidence.
End-of-life calendar →
Export your evidence — today, free
- Per-component vulnerability scan of your CycloneDX / SPDX SBOM (matched against OSV)
- CycloneDX VEX document (exploitability + remediation per component)
- Software risk register (CSV / print-to-PDF) citing the exact versions you run
- A prioritised, known-exploited-first patch queue — your vulnerability-management record
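As an added illustration, not IsItPatched's own code, here is how the known-exploited-first patch queue and the minimum safe version described above can be derived from a CycloneDX SBOM. The SBOM, the vulnerability findings, the EPSS scores and the KEV set are constructed stand-ins with placeholder CVE IDs, not data pulled from OSV, NVD or CISA.

```python
import json

# Constructed CycloneDX 1.5 SBOM fragment (hypothetical components, not a real product).
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "libfoo", "version": "1.2.0", "purl": "pkg:pypi/libfoo@1.2.0"},
    {"type": "library", "name": "libbar", "version": "2.0.1", "purl": "pkg:pypi/libbar@2.0.1"},
    {"type": "library", "name": "libbaz", "version": "3.4.0", "purl": "pkg:pypi/libbaz@3.4.0"}
  ]
}"""

# Constructed findings per package: (placeholder CVE id, introduced, fixed, EPSS score).
# A version is affected when introduced <= version < fixed, as OSV-style ranges express it.
FINDINGS = {
    "libfoo": [("CVE-0000-0001", "1.0.0", "1.2.5", 0.91),
               ("CVE-0000-0002", "1.0.0", "1.3.0", 0.04)],
    "libbar": [("CVE-0000-0003", "2.0.0", "2.0.2", 0.12)],
    "libbaz": [("CVE-0000-0004", "3.0.0", "3.4.0", 0.70)],  # already fixed at 3.4.0
}
KEV = {"CVE-0000-0002"}  # constructed stand-in for the CISA KEV catalogue


def vtuple(v):
    """Parse a plain dotted numeric version into a comparable tuple."""
    return tuple(int(p) for p in v.split("."))


def triage(sbom_json, findings, kev):
    """Return the patch queue: one row per affecting CVE, known-exploited first, then by EPSS."""
    sbom = json.loads(sbom_json)
    queue = []
    for comp in sbom["components"]:
        name, ver = comp["name"], vtuple(comp["version"])
        affecting = [f for f in findings.get(name, []) if vtuple(f[1]) <= ver < vtuple(f[2])]
        if not affecting:
            continue
        # Minimum safe version: the highest 'fixed' bound among the CVEs hitting this version,
        # since moving to it clears every listed finding at once.
        min_safe = max((f[2] for f in affecting), key=vtuple)
        for cve, _, fixed, epss in affecting:
            queue.append({"component": name, "version": comp["version"], "cve": cve,
                          "kev": cve in kev, "epss": epss, "fixed_in": fixed,
                          "min_safe": min_safe})
    # KEV entries sort first regardless of EPSS; within each group, higher EPSS first.
    queue.sort(key=lambda r: (not r["kev"], -r["epss"]))
    return queue
```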
Sign in (free, no password) to sync your component stack and generate these from your dashboard.
Straight with you: the Code is voluntary guidance covering the whole software lifecycle — secure design, build-environment security, deployment and customer communication. IsItPatched is an informational tool (NVD · CISA KEV · OSV · endoflife.date) that helps with the vulnerability-management, security-update and end-of-life parts specifically. It is not a certification and not legal advice. Disclaimer.
UK Software Security Code — frequently asked
What is the UK Software Security Code of Practice?
It is a voluntary code published by the UK government (DSIT) with the NCSC, setting baseline expectations for organisations that develop and sell software. Its principles span secure design and development, building software securely, secure deployment and maintenance, and clear communication with customers — including vulnerability management and disclosure, providing timely security updates, and being upfront about support periods and end-of-life.
How does IsItPatched help with the Code?
It supports the maintenance and communication principles: scan a CycloneDX/SPDX SBOM to know the third-party components in your software, identify and prioritise their known and actively-exploited (CISA KEV) vulnerabilities, see the minimum safe version to ship, track which components are end-of-life, and export evidence of your vulnerability-management process.
Does following the Code with IsItPatched make my software compliant?
The Code is voluntary guidance, not a certification — there is nothing to be "compliant" with in a pass/fail sense. IsItPatched helps you act on the vulnerability-management, security-update and end-of-life parts of it. It is informational, built on public data — not legal advice and not an assurance assessment.
Subject to more than one regime? See all our compliance editions →