A Safer Future for Security Research: Landmark Moves in Portugal and the UK

Michael Woolslayer
Policy Counsel

2025 is shaping up to be a pivotal year for protections for good-faith security researchers.

Two recent developments—Portugal’s new national cybersecurity law and the UK government’s indication that it may introduce a statutory defence to the Computer Misuse Act—signal that governments are increasingly recognizing in law what the security community has long known: security researchers are essential partners in building a more secure digital future.

For years, researchers have worked in a legal gray area. Even when acting responsibly and in the public interest, ambiguity in anti-hacking laws and other legal frameworks could inadvertently expose them to criminal or civil liability. That uncertainty discourages research, slows vulnerability reporting, undermines coordinated disclosure, and ultimately leaves everyone less safe.

The reforms in Portugal and the UK are important steps toward reducing these risks and supporting responsible security research.

Toward a Security Research Safe Harbor in Portugal

In Portugal, Decreto-Lei 125/2025, published on December 4, 2025, implements the EU’s Network and Information Systems (NIS2) Directive and updates the legal cybersecurity framework for operators of essential and important entities in Portugal. Within that framework, Article 7 revises the Portuguese cybercrime law to recognize and protect individuals who help identify vulnerabilities in good faith.

The changes acknowledge that some forms of testing may occur without an explicit authorization or involve unexpected or technical boundary-crossing but still serve a legitimate defensive purpose. Under the new provision, good-faith security research is not punishable if the researcher meets certain conditions, including:

  • Acting only to find vulnerabilities, seeking no improper financial gain, using proportionate methods, and immediately reporting the vulnerability to the system owner, data holder, and national cybersecurity authority;
  • Avoiding harmful actions (such as disrupting systems, damaging or altering data, copying data unnecessarily, or causing harm) and prohibited techniques (such as DoS/DDoS, social engineering, phishing, credential theft, and malware installation); and
  • Deleting any data obtained within 10 days after the vulnerability is fixed.

Article 7 provides a foundation for a security research safe harbor in Portugal. If accompanied by clear guidance, it can help give good-faith security researchers confidence that they will be treated as contributors to cybersecurity rather than as suspects and signal to organizations that working with the research community is an essential part of modern cyber risk management.

The UK’s Anticipated Statutory Defence to the Computer Misuse Act

In the United Kingdom, attention focuses on reform of the Computer Misuse Act 1990 (CMA). The CMA was drafted long before the modern digital ecosystem developed, and it has often been criticized for failing to distinguish between malicious activity and good-faith security research.

During a recent keynote address at the FT Cyber Resilience Summit 2025, Security Minister Dan Jarvis announced that the government may introduce a statutory defence for legitimate cybersecurity research under the CMA.

Under the proposed change, a researcher who tests a system, discovers a vulnerability, and reports it responsibly would be able to raise a legal justification that would prevent them from being found guilty or liable for a crime or violation, even if the basic elements of the offence (for example, in this case, unauthorised access) are met.

The details will matter—the statutory defence must be carefully drafted so that it protects good-faith activity without being overly restrictive—but the direction of travel is clear. The UK is acknowledging that modern cyber defence depends on people who find and report flaws before attackers can exploit them.

How This Fits With Safe Harbors and HackerOne’s Advocacy

These national reforms are closely aligned with the evolution we have seen in industry and government over the last decade. Safe harbor commitments, such as HackerOne’s Gold Standard Safe Harbor, emerged because organizations needed a way to give researchers clear, predictable assurances: if you follow our rules of engagement and act in good faith, we will not pursue legal action against you. Those program-level promises help reduce risk for researchers and add structure to coordinated vulnerability disclosure programs and bug bounties.

But platform and program-level safe harbors can only go so far on their own. Without supportive national frameworks, researchers remain exposed to potential enforcement from parties who are not bound by individual program policies. When countries like Portugal and the UK move to embed researcher protections into statute, they strengthen and complement the safe harbors that platforms like HackerOne have championed.

If implemented well, the payoff could be significant: more vulnerabilities discovered earlier, faster remediation, fewer incidents, and a healthier relationship between governments, organizations, and the global community of security researchers.

At HackerOne, we see Portugal’s Article 7 and the UK’s planned statutory defence as important milestones on a longer journey to empower the world to build a safer digital ecosystem.


The content on this page is for informational purposes only and not for the purpose of providing legal advice. The applicability of any of the information provided will vary based on your or your organization’s circumstances.

About the Author

Michael Woolslayer
Policy Counsel

Michael is Policy Counsel at HackerOne, where he supports public policy efforts to address cybersecurity and AI security challenges and enable good faith security and safety research.