"Cyberup is calling for the Computer Misuse Act to be amended and include a statutory defence"
Considering both the prevalence of security vulnerabilities and the common laxity of vendors in addressing them, IMHO a statutory defence is insufficient. There should be a statutory exemption - obviously subject to strict controls to ensure research and disclosure are legitimate and responsible. For example, once a vulnerability is suspected, authorisation might be sought in confidence from NCSC before proceeding with verification, and disclosure could be managed by NCSC.
Biting the hand that feeds IT
