The U.K. Home Office, in Westminster. Image: Steve Cadman via Flickr / CC BY-SA 2.0

UK Home Office’s new vulnerability reporting mechanism leaves researchers open to prosecution

Individuals in the United Kingdom who report cybersecurity vulnerabilities to the Home Office are at risk of facing prosecution for the simple act of discovering those vulnerabilities — even if they comply with new guidance the government department published on Monday.

The Home Office — responsible for security, law and order — is the latest British government department to offer ethical hackers a way to help secure its systems using the vulnerability reporting platform HackerOne, although without receiving a “bug bounty” payment. The Ministry of Defence (MoD) first piloted the approach in 2021.

Its new guidance sets restrictions for researchers, including prohibiting them from disrupting the vulnerable systems or accessing or modifying data.

But it additionally warns those researchers they must not “break any applicable law or regulations,” potentially undermining legitimate vulnerability discovery activity due to the U.K.’s Computer Misuse Act dating back to 1990.

The warning leaves individuals who submit vulnerability reports to the Home Office open to prosecution, according to the CyberUp Campaign, a collection of industry partners, alongside academics and professionals, which warns that the Computer Misuse Act criminalizes legitimate cybersecurity activities.

“While the MoD assures good-faith researchers they won’t be prosecuted, the Home Office offers no such protections, leaving them open to third-party legal action. It’s a glaring contradiction that highlights why greater legal certainty is needed urgently,” a CyberUp spokesperson told Recorded Future News.

A spokesperson for the Home Office declined to comment.

The campaign said it welcomed “the progress UK public bodies, including government departments, are making in developing and publishing vulnerability disclosure policies, as recognition of the crucial role cyber security researchers play in improving the country’s digital resilience,” but it regretted the lack of support for researchers making those reports.

“Despite increasing adoption of responsible and coordinated disclosure policies across private and public sector organisations, any disclosure in the UK by a researcher still carries serious legal risks,” the CyberUp spokesperson said.

“The Computer Misuse Act — an archaic law written in 1990 when just 0.5% of the population had internet access — blanketly criminalises all unauthorised access to computer systems, irrespective of intent or motive to act in the public interest,” they added.

While in opposition, the Labour Party had proposed a legal amendment to the CMA that would have introduced a public interest defense for hackers, although this was not passed at the time.

Praising cybersecurity workers at a conference last year, the Labour security minister Dan Jarvis said: “This country, our country, is enormously in the debt of many of you in this room who strive day in and day out to protect us all. Your dedication and your accomplishments have never been more important.”

He said the government was considering reforming the Computer Misuse Act, although no such reform has yet been introduced to parliament and the Home Office declined to comment on the current status of these considerations. The CyberUp campaign warns the delay is harming the country’s economy and resilience to cyberattacks.

“Other nations aren’t making the same mistake. Malta, Portugal and Belgium have already modernised their laws to protect ethical researchers,” said the CyberUp spokesperson. “The UK is lagging behind, and it’s putting our national cyber resilience at risk. We need to move now — before it’s too late.”

Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.