Cybersecurity researchers in the United Kingdom who voluntarily disclose vulnerabilities within the Home Office’s systems may find themselves facing criminal prosecution.
Following the lead of the Ministry of Defence (MoD), the Home Office has launched a vulnerability disclosure platform on HackerOne. However, unlike traditional bug bounty programs, this initiative does not offer financial rewards for identified security flaws. According to the published guidelines, researchers are strictly prohibited from interfering with system operations, modifying data, or gaining unauthorized access to information.
Yet, conducting vulnerability assessments while adhering to the current legal framework presents a fundamental paradox, effectively jeopardizing the very feasibility of legitimate cybersecurity research. The issue stems from the UK’s Computer Misuse Act (CMA) of 1990, which criminalizes any unauthorized access to computer systems, regardless of the researcher’s intent.
The CyberUp campaign has warned that the absence of clear legal safeguards leaves UK-based security specialists vulnerable to legal action. Unlike the Ministry of Defence, which has provided assurances against prosecution, the Home Office has offered no such guarantees.
While CyberUp welcomes the government’s increasing adoption of vulnerability disclosure policies, it argues that the current approach remains inadequate. The organization contends that the lack of legal protection not only endangers cybersecurity professionals but also undermines the nation’s overall digital resilience.
Efforts to reform the CMA have been made in the past. The Labour Party, for instance, previously proposed a public interest defense clause to shield ethical hacking activities conducted for the greater good. However, the proposal failed to pass. Labour representatives acknowledge the critical role of cybersecurity researchers and advocate for an overhaul of the CMA, yet no formal legislative proposals on the matter have been introduced in Parliament.
Meanwhile, other European nations—including Portugal, Belgium, and Malta—have already modernized their legal frameworks, granting explicit protections to ethical hackers. According to CyberUp, the UK risks falling behind in cybersecurity resilience if it fails to update its outdated laws to reflect the evolving digital landscape.
