I can personally attest to the fact that if your uninvited assessment of vulnerabilities reaches the level of gaining unauthorised access to computer systems - i.e. if you find something and check it works - you are technically in violation of the Computer Misuse Act 1990.
It's very easy to forget such laws exist because 99.99% of cybercrime goes unpunished - but that's for small victims, with hard-to-find attackers who are likely beyond the police's jurisdiction. If the 'victim' is an important government department, and you are within the police's jurisdiction, you could be one of the few people to actually face punishment - unjust though that may seem.
That's pretty cool. There are these pockets of really great public service internet services.
Am I interpreting correctly that you can join HackerOne to do work on UK public service projects? I tried to get something like that done for a municipality and a province, where it was going to be a way to engage college students in doing vulnerability hunting on public infrastructure, but also use it as a recruiting pipeline to get people interested in public service.