Question to the Ministry of Defence:

To ask the Secretary of State for Defence, what criteria his Department uses to determine good faith security research, as outlined in his Department’s Vulnerability Disclosure Policy.

A Vulnerability Disclosure Policy (VDP) is a 'see something, say something' process to allow security researchers to report a vulnerability in MOD systems (found through e.g. ethical hacking). MOD launched its VDP in December 2020.

Practically, 'to act in good faith' means working to find vulnerabilities in IT systems without causing damage to them, disrupting their operation, or exfiltrating data in an unauthorised manner. There are no set criteria for acting in good faith because the situations are context dependent. However, it does not give researchers permission to act in any manner that is inconsistent with the law, or which might cause the MOD or partner organisations to be in breach of any legal obligations.