We covered the Computer Misuse Act being added to the legislative pipeline a few weeks ago, in "What the Cyber Security and Resilience Bill actually means" and again in "Computer Misuse Act reform, finally on the bill". The shape of the reform is now public, and the consensus among the people who actually do this work is that the proposed defence is so narrow it protects almost no one. It is worth understanding why, because the reform will go through anyway, and the practical position for UK firms and researchers will look largely as it does today.
What the government proposed
On 21 May, Security Minister Dan Jarvis pledged that the government would introduce "a statutory defence... as long as they meet certain safeguards" for security researchers acting in good faith under the Computer Misuse Act 1990. The act, on which most UK prosecutions for unauthorised access to a computer still rest, was passed in 1990, before the first public website went live. It does not distinguish between a criminal breaking into a system and a security researcher who finds and reports a vulnerability: the offence turns on whether the access was authorised, not on why it was sought, so both have technically committed the same offence. For thirty-six years, the defence in real cases has been prosecutorial discretion, which is not much of a defence.
The pledged statutory defence sounded, in the announcement, like the long-asked-for fix. The detail of what was actually proposed makes it something else.
What the defence actually covers
Three restrictions, in combination, are what makes this a narrow defence.
Accreditation. The defence applies only to British nationals who hold a UK Cyber Security Council accreditation. The Cyber Security Council was set up by government in 2021 to professionalise the sector. Roughly 300 people currently hold its top accreditation. The UK security sector employs about 70,000 people. The defence, as proposed, covers 0.4% of the workforce.
Scope. The defence applies only to scanning internet-facing systems for known vulnerabilities. The researcher must stop the moment they find one. They cannot assess the severity, cannot confirm it is exploitable, cannot test the blast radius, and cannot demonstrate the impact to the affected organisation. They are essentially limited to "I saw it and looked away".
Personnel. Tests must be carried out personally. The researcher cannot delegate to a junior colleague, an automated scanner, or an AI assistant. The exclusion of automated tools is doing a lot of work here; almost no real-world security testing happens without them.
Each restriction is debatable on its own. The combination is not really a statutory defence; it is a list of conditions for being allowed to do almost nothing.
Why the experts said no
Jen Ellis, a cyber policy consultant and government advisor who has spent years working on this reform, summarised it as "a misalignment between expectations and reality". The proposed defence, in her assessment, would "impede" research while favouring large companies. The reasoning is straightforward: large firms can afford to send their accredited British researchers to do limited scans; bug-bounty hunters, academics, hobbyists, and the small consultancies that catch most real-world vulnerabilities cannot.
The criticism from the sector, summarised in The Record's report and echoed by the CyberUp Campaign, which has been lobbying on this for nearly a decade:
- The accreditation requirement is a pay-to-play model that locks out the people who report most vulnerabilities.
- The "stop on discovery" rule means researchers cannot tell the affected organisation how bad the problem is, which is the most useful part of the report.
- The personal-conduct rule criminalises the use of normal scanning tools, which is most of how security work is done.
- The British-nationals-only rule excludes a large fraction of the people doing legitimate research on UK systems, including UK residents who are not British nationals.
The protections the proposal does not address are the ones the sector has been asking for since 2017:
- A defence for accessing attacker-controlled infrastructure during an active incident. This is what threat researchers do when they take over a command-and-control server to dismantle a botnet, and it is currently unlawful under the act as drafted.
- A defence for AI-driven vulnerability discovery, where the human role is to direct the tool and review the output.
- A defence for non-UK residents researching UK systems in good faith.
- A defence for informal disclosure, where a researcher reports a bug they noticed in passing without having set out to test the system.
What the practical position becomes
If the reform passes as drafted, the position for most UK firms and most UK researchers is largely as it is today.
If you are a UK firm running a bug-bounty programme or accepting external reports. Continue to do what you already do. The protection in practice will still come from your published policy, because a researcher acting within its terms has your authorisation and the act's offence is unauthorised access. Make sure your responsible-disclosure policy is published, that it explicitly authorises reasonable testing and says what is out of scope, and that it includes the standard "safe harbour" clauses stating that you will not pursue legal action against researchers acting within its terms. The model policies from disclose.io and Bugcrowd are good starting points. The CyberUp Campaign also publishes a recommended template.
If you are a UK security researcher. Get your authorisation in writing, with the firm's published policy alongside, before you do the work. The legal protection you will rely on is not the statutory defence; it is the documented authorisation. The accreditation route will be useful if your work is limited to scanning internet-facing systems for known vulnerabilities, and worth pursuing if your job sits there, but it is not a defence for most of what the sector does.
If you are a UK SME being scanned by a researcher. A short published security-disclosure page on your website goes a very long way. Two paragraphs. How to report a vulnerability, an email address that is monitored, a statement that you will not pursue legal action against researchers acting in good faith, and a commitment to acknowledge reports within a defined window. That page is the asset that converts a worried email from a researcher into a useful one. The standard way to point researchers at it is an RFC 9116 security.txt file served at /.well-known/security.txt, with a Contact line, an Expires line and a Policy line linking to the page. We have one on this site.
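A security.txt file that is missing, expired or malformed is one a researcher's tooling will ignore, so it is worth checking the file the way a scanner would. The script below is an added example for this post, not code from Steelwise, disclose.io or the RFC; it parses a security.txt, checks the fields RFC 9116 requires (Contact and Expires), rejects a bare e-mail address in Contact, flags an Expires that has passed or is more than a year out, and compares Canonical with the URL the file was fetched from. Both sample files and the example.co.uk domain are constructed for the example.

```python
"""Check an RFC 9116 security.txt file for the mistakes that make it useless.

Added example for this post: not code from Steelwise, disclose.io or the RFC.
Both sample files below are constructed for the example; example.co.uk is a
placeholder domain.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample of a small firm's /.well-known/security.txt that passes.
GOOD_SECURITY_TXT = """\
# Vulnerability disclosure for example.co.uk (constructed sample)
Contact: mailto:security@example.co.uk
Contact: https://example.co.uk/security/report
Expires: 2027-01-01T00:00:00.000Z
Policy: https://example.co.uk/security/disclosure-policy
Preferred-Languages: en
Canonical: https://example.co.uk/.well-known/security.txt
"""

# Constructed sample with two common defects: no Expires field, and a bare
# e-mail address where RFC 9116 requires a mailto: URI.
BROKEN_SECURITY_TXT = """\
Contact: security@example.co.uk
Policy: https://example.co.uk/security/disclosure-policy
"""

REQUIRED = ("contact", "expires")
KNOWN = {"acknowledgments", "canonical", "contact", "csaf", "encryption",
         "expires", "hiring", "policy", "preferred-languages"}


def parse_timestamp(value):
    """Parse the RFC 3339 timestamps security.txt uses; a missing zone is read as UTC."""
    when = datetime.fromisoformat(value.strip().replace("Z", "+00:00"))
    return when if when.tzinfo else when.replace(tzinfo=timezone.utc)


def parse_security_txt(text):
    """Map lower-cased field names to their values; comments and blank lines are skipped."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def check_security_txt(text, now=None, expected_url=None):
    """Return a list of problems; an empty list means the file passes.

    now: time for the Expires check, a datetime or ISO 8601 string (default: UTC now).
    expected_url: the URL the file was fetched from, compared against Canonical.
    """
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = parse_timestamp(now)
    fields = parse_security_txt(text)
    problems = []

    for name in REQUIRED:
        if name not in fields:
            problems.append(f"missing required field {name.capitalize()}")
    for name in fields:
        if name not in KNOWN:
            problems.append(f"unknown field {name}")

    # Contact must be a URI; RFC 9116 gives mailto:, https: and tel: as the forms.
    for contact in fields.get("contact", []):
        if not contact.lower().startswith(("mailto:", "https://", "tel:")):
            problems.append(f"Contact is not a mailto:/https:/tel: URI: {contact}")

    # Exactly one Expires: in the past the file is dead, over a year out is discouraged.
    expires = fields.get("expires", [])
    if len(expires) > 1:
        problems.append("more than one Expires field")
    if expires:
        try:
            when = parse_timestamp(expires[0])
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 timestamp: {expires[0]}")
        else:
            if when <= now:
                problems.append(f"file expired on {expires[0]}")
            elif when > now + timedelta(days=365):
                problems.append("Expires is more than a year away (RFC 9116 recommends less)")

    if expected_url and "canonical" in fields and expected_url not in fields["canonical"]:
        problems.append(f"Canonical does not list {expected_url}")
    return problems


if __name__ == "__main__":
    for label, text in (("good", GOOD_SECURITY_TXT), ("broken", BROKEN_SECURITY_TXT)):
        print(label, check_security_txt(text) or "OK")
```

Run it against the text of your own file (fetched over HTTPS from /.well-known/security.txt) and put the check in whatever job already watches your certificates: the Expires field is the one that quietly goes stale a year after someone publishes the file.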
Why this still matters
The thing not to lose, in the disappointment about the proposal, is that this is the closest the UK has come to a statutory researcher defence in thirty-six years. The reform is bad on the merits. It is also progress, in the sense that the door is now open and the next round of changes will be amendments to an existing defence rather than the creation of a new one. The CyberUp Campaign has been at this for almost a decade and the conversation is now in front of Parliament.
The realistic timeline: the bill goes through largely as drafted. The CyberUp Campaign and others push for amendments at committee stage. Some land, most do not. The act gets revisited again in three to five years, when the gap between what the defence covers and what the sector actually does becomes too embarrassing to leave. The next revision, in that timeline, is the one that produces a workable defence.
In the meantime, the practical fix for any UK firm is the same as it has been for the last decade. Publish a disclosure policy. Make it generous. Mean what it says. That moves more vulnerabilities to your inbox than any statutory defence would.
How Steelwise can help
Writing a security disclosure policy, publishing it in the right place, and setting up the inbox process behind it is the kind of practical work we do with clients. Get in touch.
Further reading
- CyberUp Campaign: Computer Misuse Act reform
- UK Cyber Security Council: Professional registration
- disclose.io: Model vulnerability disclosure policies
- RFC 9116: A file format to aid in security vulnerability disclosure