How to Start Bug Bounty Hunting in 2026: UK Legal Edition

Stroud Christopher

Bug bounty hunting pays real money for finding real vulnerabilities, and in the UK right now, the timing has never been better. The UK government kicked off formal changes to the Computer Misuse Act 1990 in December 2025, moving the country toward explicit legal protections for ethical hackers. But the law is still catching up, which means if you start today without understanding the legal framework, you are operating in a grey area that has ended careers and triggered prosecutions.

This guide gives you a 90-day roadmap to go from zero to your first paid bug bounty, built specifically for UK residents. You will understand exactly what the CMA permits, which platforms host UK-accessible programmes, and how to build the technical skills that actually get vulnerabilities found and reports accepted.

What the Computer Misuse Act Actually Means for Bug Bounty Hunters

Every US-focused guide skips this section entirely. They operate under a different legal framework, with the DOJ’s 2022 commitment not to prosecute good-faith security researchers and a Supreme Court ruling that clarified legitimate security research activities. The UK has neither of those protections yet.

The Computer Misuse Act 1990 makes it a criminal offence to access a computer or data without authorisation. Section 1 covers unauthorised access; Section 3 covers unauthorised acts that impair computer systems. Both carry custodial sentences. The critical word is “authorisation” because a bug bounty programme’s scope document is your authorisation. If you test within scope, with an active programme, on a system the programme owner controls, you are operating with implied authorisation.

The problem is “implied.” Courts have not definitively tested this interpretation. In December 2025, the UK government formally announced it was reviewing the CMA to create explicit statutory protections for legitimate security researchers. The Register reported that this had finally kicked off after years of industry pressure, with Bugcrowd’s founder Casey Ellis and the Hacker Policy Coalition both calling for a clear good-faith defence similar to what the US introduced. Computer Weekly noted that ethical hackers “can be heroes” but the law needed to catch up.

Until that reform passes, your practical protection comes from three things: explicit written scope from the programme, staying strictly within that scope, and responsible disclosure rather than public posting before the organisation has patched. Never test systems outside the defined scope. That is not a grey area; that is unauthorised access under Section 1.

The NCSC (National Cyber Security Centre) publishes its own Vulnerability Disclosure Policy on HackerOne at hackerone.com/ncsc_uk, which signals that government bodies understand the value of responsible disclosure. NCSC guidance also tells organisations to have a coordinated vulnerability disclosure process, which makes programmes more legitimate when you report to them.

Month 1: Technical Foundation Before You Touch Any Live Target

The single biggest mistake beginners make is jumping onto bug bounty platforms before they can reliably find anything. You waste time, get demoralised by invalid reports, and potentially stumble outside scope boundaries. Month 1 is purely skill-building on environments that exist specifically to be tested.

Start with OWASP WebGoat and DVWA (Damn Vulnerable Web Application), both of which run locally and cover the OWASP Top 10 vulnerabilities in a legal, intentionally broken environment. Get comfortable with SQL injection, cross-site scripting (XSS), broken authentication, and insecure direct object references (IDOR). These four vulnerability classes account for the majority of accepted bug bounty reports on public programmes.
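As an added illustration (not code from the article, WebGoat or DVWA), here is what one of those four classes, an IDOR, looks like in server-side code, beside the object-level authorisation check that fixes it. Seeing the missing check is what you are training yourself to spot on practice targets, and the fixed handler is the kind of remediation a report should suggest. The invoice records, user names and the `Session` type are all constructed for this example.

```python
"""Added example: a vulnerable IDOR handler next to its hardened form.
All data and names here are constructed for illustration."""

from dataclasses import dataclass

# Constructed sample data: invoice records owned by two different users.
INVOICES = {
    101: {"owner": "alice", "amount_gbp": 120.00},
    102: {"owner": "bob", "amount_gbp": 75.50},
}


class Forbidden(Exception):
    """Raised when the caller is not allowed to see the requested object."""


@dataclass
class Session:
    """Stands in for an authenticated session; only the user name matters here."""
    user: str


def get_invoice_vulnerable(session: Session, invoice_id: int) -> dict:
    """Vulnerable handler: looks the record up by the client-supplied id and
    never checks that the caller owns it. Any authenticated user can read any
    invoice just by changing the id (classic IDOR)."""
    return INVOICES[invoice_id]


def get_invoice_fixed(session: Session, invoice_id: int) -> dict:
    """Hardened handler: the lookup is the same, but the record is released
    only if it belongs to the session user (object-level authorisation)."""
    record = INVOICES.get(invoice_id)
    if record is None or record["owner"] != session.user:
        # One response for both "does not exist" and "not yours", so the
        # endpoint does not confirm which ids are valid.
        raise Forbidden(f"invoice {invoice_id} is not available to {session.user}")
    return record


def demo() -> dict:
    """Run both handlers as bob asking for alice's invoice (id 101)."""
    bob = Session(user="bob")
    leaked = get_invoice_vulnerable(bob, 101)  # alice's record comes back
    try:
        get_invoice_fixed(bob, 101)
        blocked = False
    except Forbidden:
        blocked = True
    return {"vulnerable_leaks": leaked["owner"] == "alice", "fixed_blocks": blocked}


if __name__ == "__main__":
    print(demo())
```

The point to carry into your reports: the bug is not the numeric id, it is the absent ownership check, so "use unguessable ids" alone is not a fix; the remediation is to authorise on the object for every request.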

Alongside hands-on practice, set up a proper learning environment. Run Burp Suite Community Edition (the professional edition costs around £350 per year, but the community version is sufficient to start). Learn to intercept HTTP traffic, modify requests, and read server responses. This is the single tool that separates methodical bug hunters from people randomly clicking around websites hoping something breaks.

TryHackMe and HackTheBox offer structured learning paths with legal targets. TryHackMe’s Web Fundamentals and OWASP Top 10 paths take roughly 40 hours to complete and are worth every minute. HackTheBox Machines give you practice on more complex systems once you have the basics. Neither platform gives you the experience of finding a real-world bug, but both give you the vocabulary and methodology to know what you are looking for when you do start on real programmes.

Build a simple note-taking system from day one. When you find something on a practice target, write a draft report. Programme owners reject a significant percentage of valid reports because the researcher cannot communicate the vulnerability clearly. Practice the structure: vulnerability class, affected endpoint, steps to reproduce, proof of concept, potential business impact, suggested remediation. Writing 20 practice reports on legal targets means your first real report is not also your first attempt at technical writing.

This kind of systematic, security-minded approach applies beyond bug hunting. If you are thinking about how to build this knowledge for a professional career, the frameworks used in zero trust security architecture give you a mental model for how organisations think about access control and trust boundaries, which directly informs where you look for vulnerabilities.

Month 2: Choosing Your First Programme and Filing Your First Report

At week five, you are ready to choose a real programme. The key is picking correctly.

Both HackerOne and Bugcrowd host programmes accessible to UK researchers. HackerOne has a substantial UK presence and hosts the NCSC’s own vulnerability disclosure policy. Bugcrowd has a global network of over 500,000 ethical hackers and lists hundreds of public programmes. A third platform worth knowing is Intigriti, a European bug bounty platform founded in Belgium with a significant UK researcher base and programmes from European companies that US-centric guides never mention.

For your first real programme, filter for these characteristics: public (not invitation-only), broad web application scope, high submission volume (which means other researchers are finding bugs, so the programme is functional), and a clear written scope document. Avoid programmes that are invitation-only, have very narrow scope, or have not paid out a disclosed bounty in the past six months. An inactive programme is not worth your time, and a programme with no public payout history may not pay at all.

Start with low-severity targets. A P4 or P5 report (informational or low severity) that gets accepted is worth more to your development than a speculative P1 (critical) report that gets marked invalid. Every accepted report builds your reputation on the platform, and on HackerOne specifically, your reputation score affects which private programmes invite you.

The recon phase is where UK researchers need to think carefully about scope. Recon means identifying all assets the programme has authorised for testing: subdomains, API endpoints, mobile apps, and infrastructure. Passive recon using tools like Shodan, Amass, or certificate transparency logs is legal because you are reading public information, not accessing systems. Active recon such as port scanning or sending authentication requests crosses into interaction with systems, so it must only happen after you have confirmed the asset is within scope.
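To make the scope check concrete, here is an added example (not from the article or any platform's tooling) that takes passive-recon output and partitions the discovered hostnames against a programme's written scope before anything active happens. The input is a constructed response in the JSON shape crt.sh returns (one entry per certificate, `name_value` holding newline-separated names); the domains, the scope entries and the issuer strings are all made up for the illustration, and the wildcard semantics are the common platform convention, which you should confirm against each programme's own wording.

```python
"""Added example: triage certificate-transparency results against a programme
scope. Every domain, scope entry and CT record below is constructed."""

import json

# Constructed scope document in the usual platform notation: "*.example.com"
# covers subdomains (not the apex), a bare entry is one exact host, and an
# out-of-scope entry always wins over an in-scope one.
SCOPE = {
    "in": ["*.example.com", "api.example.net"],
    "out": ["*.corp.example.com", "legacy.example.com"],
}

# Constructed sample in the same shape as crt.sh JSON output.
CT_LOG_JSON = json.dumps([
    {"issuer_name": "C=US, O=Example CA", "name_value": "www.example.com\nexample.com"},
    {"issuer_name": "C=US, O=Example CA", "name_value": "api.example.com\n*.example.com"},
    {"issuer_name": "C=GB, O=Example Ltd", "name_value": "vpn.corp.example.com"},
    {"issuer_name": "C=GB, O=Example Ltd", "name_value": "legacy.example.com"},
    {"issuer_name": "C=US, O=Example CA", "name_value": "api.example.net"},
    {"issuer_name": "C=US, O=Example CA", "name_value": "shop.example.org"},
])


def hosts_from_ct(ct_json: str) -> set[str]:
    """Extract unique, normalised hostnames from CT-log JSON. Wildcard SANs are
    not concrete hosts, so they are dropped rather than turned into targets."""
    hosts = set()
    for entry in json.loads(ct_json):
        for name in entry["name_value"].splitlines():
            name = name.strip().lower().rstrip(".")
            if name and not name.startswith("*."):
                hosts.add(name)
    return hosts


def _matches(host: str, pattern: str) -> bool:
    """'*.example.com' matches any depth of subdomain but not the apex itself;
    a bare entry matches only that exact host."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # pattern[1:] is ".example.com"
    return host == pattern


def in_scope(host: str, scope: dict) -> bool:
    """Out-of-scope exclusions are checked first and take precedence."""
    if any(_matches(host, p) for p in scope["out"]):
        return False
    return any(_matches(host, p) for p in scope["in"])


def triage(ct_json: str, scope: dict) -> dict:
    """Partition discovered hosts into those the programme has authorised and
    those that must not be touched, whatever they look like."""
    hosts = hosts_from_ct(ct_json)
    allowed = sorted(h for h in hosts if in_scope(h, scope))
    blocked = sorted(h for h in hosts if not in_scope(h, scope))
    return {"test": allowed, "do_not_touch": blocked}


if __name__ == "__main__":
    print(json.dumps(triage(CT_LOG_JSON, SCOPE), indent=2))
```

Note that the apex `example.com` lands in `do_not_touch` even though `*.example.com` is in scope: programmes that want the apex tested list it separately, and when the document is ambiguous the right move is to ask the programme, not to assume.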

When you find what looks like a vulnerability, document everything before reporting. Screenshot the request and response in Burp Suite. Record a short screen capture if the bug requires multiple steps to reproduce. The cleaner and more reproducible your report, the faster it gets triaged, and the faster you get paid.

Understanding how organisations think about security incidents helps you frame your reports from their perspective. Reading how UK organisations approach incident response planning gives you insight into why certain vulnerabilities are treated as critical versus informational, and how a CISO at a UK enterprise will read your report.

Month 3: Building a Specialisation and Scaling Income

By week nine, you have at least one accepted report. The difference between someone who earns a few hundred pounds a year and someone making a full-time income from bug bounties is specialisation. Generalists find generic bugs. Specialists find the bugs that generic scanners miss.

Choose one of three paths based on what you enjoyed most in months one and two.

The API security path targets the growing number of programmes that expose REST or GraphQL APIs. API vulnerabilities account for an increasing share of accepted reports because APIs are often poorly documented, tested under time pressure, and receive less security scrutiny than web frontends. Tools like Postman, Burp Suite’s repeater, and purpose-built API testing tools like Arjun for parameter discovery are your core kit.

The mobile application path requires an Android or iOS device (or an emulator), tools like MobSF for static analysis, and Frida for dynamic instrumentation. Mobile bugs frequently sit in local storage handling, insecure deep links, or server-side API endpoints that the mobile app exposes. Competition is lower than on web targets because fewer hunters have the setup.

The business logic path requires no special tooling, only a deep understanding of how applications are supposed to work and methodical testing of every boundary condition. Price manipulation bugs, account takeover via password reset flows, and privilege escalation through role confusion are all business logic vulnerabilities. They pay well because automated scanners cannot find them.

On earnings: HackerOne’s annual reports show median hourly rates for the top 200 earners running well above £70 per hour equivalent. P3 reports (medium severity, roughly CVSS 4.0 to 6.9) typically pay between $200 and $1,000 USD on mature programmes. At current exchange rates that is £160 to £790. Finding two or three per month part-time while employed is a realistic income supplement within 90 days of starting.

Tax treatment in the UK: HMRC treats bug bounty income as self-employment income. If your total gross earnings exceed £1,000 in a tax year, you must register for self-assessment. Keep records of every payout, including the platform, programme name, report ID, date, and GBP equivalent at the time of payment.

Platforms like HackerOne and Bugcrowd pay via PayPal, bank transfer, or cheque in USD or GBP depending on the programme. Intigriti, as a European platform, makes GBP and EUR payments more accessible. Factor in currency conversion costs when comparing programme payouts.

The Four Rules That Keep You on the Right Side of UK Law

Until the Computer Misuse Act reform passes through Parliament, these are non-negotiable.

First: only test systems explicitly listed in a programme’s scope. If a domain is not in scope, it does not matter how serious the vulnerability looks. Submitting it as an out-of-scope finding to the programme is reasonable; testing it without authorisation is not.

Second: never exfiltrate, modify, or delete data. Your goal is to demonstrate that a vulnerability exists, not to exploit it. Taking a screenshot of a user record to demonstrate an IDOR is reasonable. Downloading a database to prove SQL injection is not.

Third: report before you publish anywhere. The coordinated disclosure window on most programmes is 90 days from report submission. Publishing a vulnerability before the organisation has patched it, regardless of how long they have had the report, creates legal exposure and destroys the relationship.

Fourth: keep records. Every test you run should be logged: date, time, target URL, what you tested, and what you found. If a programme owner misunderstands your activity or makes an allegation, those records are your evidence of good faith.
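One way to keep those records, as an added example that is not from the article: an append-only JSON Lines log where each entry carries the date and time (UTC), programme, target, what was tested and the result, and is hash-chained to the entry before it so that a later edit, deletion or reordering is detectable. The chaining is this example's own design choice, not something the article or any platform requires; the programme name, targets and actions in `demo()` are constructed.

```python
"""Added example: a tamper-evident test-activity log. The chaining design is
the example's own; the records written in demo() are constructed."""

import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Optional

GENESIS = "0" * 64  # value used as 'prev' for the first record in a log


def _digest(prev_hash: str, record: dict) -> str:
    """SHA-256 over the previous hash plus a canonical serialisation of the
    record (sorted keys, no whitespace) so identical content always hashes alike."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def log_test(path: Path, programme: str, target: str, action: str,
             result: str, when: Optional[datetime] = None) -> dict:
    """Append one record and return it. 'when' is injectable for deterministic
    tests; normal use leaves it None and gets the current UTC time."""
    prev = GENESIS
    if path.exists():
        lines = path.read_text(encoding="utf-8").splitlines()
        if lines:
            prev = json.loads(lines[-1])["hash"]
    record = {
        "time": (when or datetime.now(timezone.utc)).isoformat(),
        "programme": programme,
        "target": target,
        "action": action,
        "result": result,
        "prev": prev,
    }
    record["hash"] = _digest(prev, record)  # the hash covers every other field
    with path.open("a", encoding="utf-8") as fh:
        fh.write(json.dumps(record, sort_keys=True) + "\n")
    return record


def verify_log(path: Path) -> tuple:
    """Re-walk the chain from GENESIS. Returns (intact, records_verified); the
    count tells you where the first broken link is."""
    prev = GENESIS
    verified = 0
    for line in path.read_text(encoding="utf-8").splitlines():
        rec = json.loads(line)
        stored = rec.pop("hash")
        if rec["prev"] != prev or _digest(prev, rec) != stored:
            return False, verified
        prev = stored
        verified += 1
    return True, verified


def demo() -> dict:
    """Write two constructed records, verify the chain, then edit the first
    record's target in place and show that verification now fails."""
    path = Path(tempfile.mkdtemp()) / "bounty-tests.jsonl"
    first = log_test(path, "Example Ltd public programme",
                     "https://www.example.com/account",
                     "checked whether the account page accepted another user's id",
                     "no finding")
    second = log_test(path, "Example Ltd public programme",
                      "https://api.example.com/v1/orders",
                      "reviewed order endpoint responses for owner checks",
                      "reported as P3")
    intact = verify_log(path)
    lines = path.read_text(encoding="utf-8").splitlines()
    edited = json.loads(lines[0])
    edited["target"] = "https://www.example.org/account"  # not what was tested
    lines[0] = json.dumps(edited, sort_keys=True)
    path.write_text("\n".join(lines) + "\n", encoding="utf-8")
    return {"chained": second["prev"] == first["hash"],
            "intact": intact, "after_edit": verify_log(path)}


if __name__ == "__main__":
    print(demo())
```

Write the record before you send the request, not after, so the log reflects intent as well as outcome, and keep the file somewhere you back up; a chain only proves the log was not altered since it was written.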

The AI security space is increasingly relevant for bug hunters. Understanding how AI systems introduce new attack surfaces is worth studying, because programmes protecting AI infrastructure are appearing on all major platforms and the vulnerability classes are still being mapped.

Tools You Need vs. Tools You Will Never Use

The tools list in most bug bounty guides is padded with software the author has never touched. Here is what actually gets used.

You need: Burp Suite (intercept proxy), ffuf or gobuster (directory and parameter fuzzing), nuclei (template-based vulnerability scanning), amass or subfinder (subdomain enumeration), and a note-taking application with screenshot support. Obsidian with a bug bounty template works well. Everything else is optional.

You do not need Metasploit for bug bounties. Metasploit is exploitation tooling for penetration testing engagements where you have a full statement of work and written permission. Using Metasploit modules against bug bounty targets almost always results in report rejection and potential programme bans. Bug bounties reward finding and reporting, not exploiting.

You also do not need a dedicated Kali Linux machine to start. Running Burp Suite and browser extensions on any OS with a dedicated browser profile for testing is enough for your first three months. Specialised tools come later when your methodology is established and you know what you are actually looking for.

UK Bug Bounty Programmes Worth Targeting in 2026

Public programme lists change frequently, but as of early 2026 the following categories have active UK-accessible programmes worth targeting as a beginner.

Financial services: several UK-regulated banks and fintech companies run public programmes on HackerOne and Bugcrowd. Scope is usually limited to specific web applications rather than core banking infrastructure, and payouts on accepted reports trend higher than average because of regulatory pressure to find vulnerabilities before auditors do.

Government and public sector: the NCSC’s programme on HackerOne at hackerone.com/ncsc_uk covers its own web properties. While payouts are typically lower than private sector programmes, an accepted report against NCSC carries significant credibility for your portfolio.

European technology companies: Intigriti hosts programmes from companies across the EU and UK that rarely appear in US-focused guides. Search the Intigriti public programme list for UK-based organisations, which includes media companies, retail, and SaaS businesses.

Global platforms with UK presence: HackerOne and Bugcrowd both list hundreds of programmes open to UK researchers. Sort by newest programmes for lower competition, or by highest paid to find where the money actually flows.

Frequently Asked Questions

Is bug bounty hunting legal in the UK right now?

Testing within the explicit scope of an active bug bounty programme is considered authorised access under the Computer Misuse Act 1990. The authorisation comes from the programme’s scope document. Testing systems outside that scope, or systems with no programme at all, is not authorised and constitutes a criminal offence. Formal statutory protections for ethical hackers were under parliamentary review as of December 2025, but no legislation had passed as of early 2026.

How much can you realistically earn from bug bounties in the UK?

In your first three months, expect to earn nothing to a few hundred pounds. Most researchers spend the first 60 to 90 days building skills and filing invalid or duplicate reports before getting anything accepted. After six months with a clear specialisation, part-time earnings of £500 to £1,500 per month are achievable for people with strong web application knowledge. Full-time income at the £30,000 to £70,000 annual equivalent requires two to three years of experience and a strong reputation on at least one platform.

Which bug bounty platform is best for UK beginners?

HackerOne has the largest number of public programmes and the most robust reputation system, making it the best starting point. Intigriti is worth joining alongside it because it specifically serves the European market and hosts UK-company programmes that do not appear on US platforms. Bugcrowd is the third major option and has a strong track record with government and enterprise programmes.

Do you need certifications to start bug bounty hunting?

No certification is required to join any public bug bounty programme. However, the OSCP (Offensive Security Certified Professional), eWPT (eLearnSecurity Web Penetration Tester), and CEH (Certified Ethical Hacker) are all recognised in UK cybersecurity hiring. If your goal is to move from bug hunting into a professional penetration testing role, certifications help. For pure bug bounty income, your submitted reports and reputation score matter far more than any certificate.

What is the difference between a bug bounty programme and a VDP?

A Vulnerability Disclosure Programme (VDP) accepts reports but does not pay monetary rewards. A bug bounty programme pays researchers based on the severity and impact of their findings. Both operate under written scope documents and both provide legal cover for testing within scope. VDPs are good for building a portfolio when you are starting out, because they have less competition and acceptance rates are typically higher.

Can I do bug bounty hunting alongside a full-time job without legal risk?

Yes, provided your employment contract does not include a clause that assigns intellectual property or work product to your employer. Some UK technology and security companies include broad IP assignment clauses; read yours carefully. If your employment is in an unrelated field, there is no conflict. In either case, bug bounty income must be declared to HMRC as self-employment income if it exceeds the £1,000 trading allowance in a tax year.
