HackerOne Responds To The Review of The UK’s Computer Misuse Act (CMA)
By Ilona Cohen, Chief Policy Officer, and Michael Woolslayer, Policy Counsel
The U.K. is in the midst of a multi-year review of its primary anti-hacking statute, the Computer Misuse Act (CMA). The CMA was originally enacted in 1990 and it has been updated several times to reflect continued changes in technology and cybersecurity. The current review of the CMA is wide-ranging and includes consultation on the impact of the CMA on good faith security research. HackerOne prioritizes the protection of hackers engaged in good faith security research and seeks clarity for organizations that work with the hacking community. We have continuously engaged with policymakers on these topics in meetings and in correspondence with officials. Earlier this month, HackerOne submitted official comments to the U.K.’s Cyber Policy Unit recommending that any CMA revisions be in line with global best practices that promote and encourage responsible vulnerability research and disclosure.
HackerOne’s letter asks that the revision of the CMA makes clear and unquestionable that the operation of a Vulnerability Disclosure Program (VDP), and the act of finding and reporting a vulnerability through that VDP, is an officially sanctioned and even encouraged practice.
In particular, the letter emphasizes that the revised CMA should clarify that independent security research undertaken in good faith for the purpose of finding and having security vulnerabilities fixed is not subject to criminal sanction under the CMA. HackerOne further advocated that any statutory defense in the revised CMA does not rely on certifications, education, and/or formal training requirements, as that could unfairly disadvantage the self-educated and self-employed component of the hacking community.
The revision to the CMA is the latest in a series of moves by international governments to protect and encourage good faith security research. Earlier this year, the Belgian government announced that Belgian security researchers may hack any Belgian company without prior permission as long as they adhered to the government's vulnerability disclosure guidelines, though the policy has some shortcomings. Last year, the U.S. Department of Justice announced updates to its charging policy under the Computer Fraud and Abuse Act (the U.S. equivalent of the CMA) that increases protections for good faith security research, sparking the creation of HackerOne’s Gold Standard Safe Harbor. Find out more about how you can benefit from adopting HackerOne’s Gold Standard Safe Harbor.
HackerOne continues to support the hacking community and our customers’ collaboration to build a safer internet, in part by pushing for legislative change that recognizes coordinated vulnerability disclosure and bug bounty as a best practice for increasing resistance to cyberattacks. Just last week, we furthered our advocacy for policies encouraging vulnerability detection, management, and disclosure best practices and improved protections for good faith security research further by forming the Hacking Policy Council along with other industry leaders.
The full text of HackerOne’s letter to the CMA is available here.