Can CSIRTs Lawfully Scan for Vulnerabilities?

This paper looks at the UK’s Computer Misuse Act 1990 and how it might apply to the practice of vulnerability scanning. Where a scan has been authorised – either specifically or via a network security policy – there should be no problem. But there are some situations where we’d like to scan hosts for which neither of those options is possible. This turns out to be a legal grey area, depending on how much implicit authorisation is granted by the act of connecting a computer to the Internet. Using the only two reported cases, I tried to work out which kinds of scan a future court might accept as lawful, and which they would probably not. Note that this is not legal advice!

The paper can be found in ScriptEd, at

By Andrew Cormack

I'm Chief Regulatory Advisor at Jisc, responsible for keeping an eye out for places where our ideas, services and products might raise regulatory issues. My aim is to fix either the product or service, or the regulation, before there's a painful bump!
