The UK Home Office’s new vulnerability reporting mechanism has sparked concerns among cybersecurity researchers, as it potentially exposes them to prosecution for discovering security flaws. The department recently launched a platform, HackerOne, to allow ethical hackers to report vulnerabilities, although it does not offer a bug bounty reward. The new guidance, aimed at regulating how vulnerabilities should be reported, prohibits researchers from disrupting systems or altering data. However, it also warns them not to break any laws, leaving them vulnerable to prosecution under the UK’s Computer Misuse Act (CMA) of 1990.
The Computer Misuse Act criminalizes unauthorized access to computer systems, irrespective of the intent behind it.
Critics, such as the CyberUp Campaign, have pointed out that this law puts legitimate cybersecurity activities at risk. Although the Ministry of Defence (MoD) offers assurances that researchers will not be prosecuted if they follow good-faith reporting procedures, the Home Office has not extended these same protections. This lack of clarity leaves researchers open to legal action, creating a significant contradiction that has raised concerns about the framework’s effectiveness in fostering responsible cybersecurity disclosure.
Despite the progress made in establishing vulnerability disclosure policies, the Home Office’s latest move has been criticized for failing to support researchers sufficiently. The CyberUp Campaign has urged the government to provide clearer legal protections for cybersecurity professionals who report vulnerabilities in good faith. The issue lies in the outdated Computer Misuse Act, which fails to distinguish between malicious and ethical hacking activities. While the Labour Party proposed reforms to the CMA during its time in opposition, these changes have not been implemented, further complicating the legal landscape for ethical hackers.
The ongoing uncertainty surrounding the CMA and the risks faced by cybersecurity researchers in the UK have made it increasingly difficult for the country to keep up with international standards. Countries like Malta, Portugal, and Belgium have already modernized their laws to protect ethical researchers, while the UK is still grappling with outdated regulations. The CyberUp Campaign has warned that this delay is putting the UK’s national cyber resilience at risk, urging the government to take immediate action to update its laws and support the critical work of cybersecurity professionals.