Policy Pulse - Issue #5 | Week of March 1, 2026
Your weekly briefing on cybersecurity policy affecting vulnerability disclosure and security research. This week: RUSI explores cyber deputisation and letters of marque, UK launches Cyber Essentials push, curl kills its bug bounty over AI slop, and the MITRE CVE contract enters its final two weeks.
Top Story
RUSI Paper Explores "Cyber Deputisation": Should the UK Authorise Private-Sector Offensive Cyber Operations?
A new paper from the Royal United Services Institute (RUSI) asks a question that cuts to the heart of the hack-back debate: what would it look like if the UK government formally authorised private companies to conduct disruptive cyber operations against organised cybercrime?
"Deputising UK Counter-Cybercrime Operations," authored by Dr Gareth Mott of RUSI's Cyber and Tech research group, explores the concept of "cyber deputisation," where activity typically performed by law enforcement or intelligence agencies is instead delegated to private entities in a time-limited, narrowly scoped manner. The paper draws explicit parallels to 18th-century letters of marque issued to privateers, while examining whether such a model could responsibly enhance the UK's capacity to counter cybercrime at a time when public resources are stretched thin and threat volumes continue to rise.
The paper does not advocate for adoption. Instead, it maps the legal, operational, and oversight challenges that would need to be addressed before any deputisation model could be considered viable. These include the current constraints of the Computer Misuse Act 1990, which makes no distinction between offensive research conducted with state authorisation and criminal hacking; the question of how to scope and limit delegated operations; and the risks of escalation, collateral damage, or diplomatic friction.
This matters because the paper lands at a moment when the UK is simultaneously advancing the Cyber Security and Resilience Bill, scoping a statutory defence for the CMA to protect legitimate security researchers, and grappling with the operational capacity gap that the paper identifies. While the deputisation concept sits at a more aggressive end of the spectrum than vulnerability disclosure, the underlying legal and policy infrastructure is shared: if the UK cannot clearly distinguish good-faith security research from criminal hacking, authorising private offensive operations becomes even more fraught.
Why it matters for VDP: The paper highlights a tension that VDP operators know well: the legal frameworks governing computer access were written for a simpler era. Any serious discussion of cyber deputisation will require the same CMA reforms that the security research community has been advocating for. Clarifying the legal status of authorised security testing is a prerequisite, not a consequence, of more ambitious cyber statecraft.
Upcoming Deadlines & Events
- Mar 5: CISA ED 26-03 detailed reporting deadline (Cisco SD-WAN inventory and actions taken)
- Mar 9: CIRCIA town hall: Chemical, Water, Dams, Energy, Nuclear sectors (Register)
- Mar 12: CIRCIA town hall: Commercial Facilities, Critical Manufacturing, Food & Agriculture; CISA ED 26-03 hardening report due
- Mar 16: MITRE CVE contract expiration (no renewal announced)
- Mar 17: CIRCIA town hall: Emergency Services, Government, Healthcare
- Mar 18: CIRCIA town hall: Communications, Transportation, Financial Services
- Mar 19: CIRCIA town hall: Defense Industrial Base, Information Technology
- Mar 31: CIRCIA general town hall session 1
- Apr 2: CIRCIA general town hall session 2
- May 1: DEF CON 34 Policy Track CFP deadline (Submit here)
- Aug 6-9: DEF CON 34 at LVCC, Las Vegas
- Sep 11: EU Cyber Resilience Act mandatory vulnerability reporting begins
- Dec 31: UN Cybercrime Treaty signature period closes
This Week in Policy
UK Policy Focus
- RUSI Explores "Cyber Deputisation" Against Organised Crime: A new Insights Paper from RUSI's Cyber and Tech research group examines whether the UK should delegate disruptive cyber operations to private-sector entities under state authorisation. Author Dr Gareth Mott maps the legal, operational, and oversight hurdles, noting that current CMA constraints make any such model legally precarious without reform. (RUSI)
- UK Government Launches Cyber Essentials Campaign for SMEs: On February 17, NCSC CEO Richard Horne fronted a government push to drive Cyber Essentials adoption among small and medium businesses. The campaign cites stark numbers: 50% of small businesses and 82% of medium and large businesses suffered a cyber breach or attack in the past 12 months. Organisations with Cyber Essentials certification filed 92% fewer cyber insurance claims. (GOV.UK)
- Cyber Security and Resilience Bill Advancing Through Commons: The Cyber Security and Resilience (Network and Information Systems) Bill, introduced on November 12, 2025, received its Second Reading on January 6 and is progressing through committee. The bill updates the UK's NIS Regulations for critical national infrastructure but does not include researcher safe harbour provisions. CMA reform remains a separate track: Security Minister Dan Jarvis has confirmed the government is pursuing a statutory defence, with Lord Clement-Jones tabling amendments to the Crime and Policing Bill. (Parliament)
AI & Researcher Data Governance
- HackerOne Clarifies AI Training Stance After Researcher Backlash: On February 18, HackerOne CEO Kara Sprague issued a public statement after researchers raised concerns that vulnerability reports might be used as training data for AI models following the launch of Agentic PTaaS. Sprague confirmed that HackerOne "does not train generative AI models, internally or through third-party providers, on researcher submissions or customer confidential data," and announced forthcoming T&C updates to formalise these assurances. Bugcrowd and Intigriti subsequently reaffirmed similar policies. (The Register)
- Curl Ends Bug Bounty Program Over AI Slop: On January 26, curl founder Daniel Stenberg announced the project would stop accepting HackerOne submissions as of January 31, moving security reporting to GitHub. The catalyst: the ratio of legitimate to junk reports plummeted from 1-in-6 in early 2025 to 1-in-20 or worse by late 2025, with AI-generated submissions flooding the queue. Stenberg noted that bounties of up to $9,200 for critical vulnerabilities incentivised reporters to "ask AI to find a security problem, paste whatever they got, mark it critical, and hope." The case illustrates a growing tension between incentive-based disclosure and AI-generated noise. (Daniel Stenberg) (Bugcrowd analysis)
CVE & Vulnerability Programs
- MITRE CVE Contract at T-14 Days: The March 16 expiration date is now two weeks away with no public renewal announcement. The CVE Foundation continues developing nonprofit governance. With FIRST projecting approximately 59,000 CVEs for 2026, any lapse in coordination would be acutely felt across the vulnerability management ecosystem. VDP operators should have contingency plans for vulnerability tracking if disruption occurs.
Throwback: We've tracked this story since Issue #3 (T-30) and Issue #4 (T-16).
International Developments
- UN Cybercrime Treaty: 74 Signatories, Zero Ratifications: The treaty, adopted by the UN General Assembly in December 2024 and opened for signature in October 2025, has accumulated 74 signatories but not a single ratification (40 required to enter force). Concerns about vague definitions that could criminalise good-faith security research persist. The signature window runs through December 31, 2026. (UNODC)
Worth Reading
- RUSI: Deputising UK Counter-Cybercrime Operations: The full Insights Paper exploring cyber deputisation, letters of marque, and the legal infrastructure needed before the UK could consider private offensive cyber operations.
- Burges Salmon: RUSI Paper Calls for a More Interventionist UK Cyber Strategy: Legal analysis of RUSI's recommendations, including the call for software liability legislation and stronger regulatory enforcement.
- CyberUp Campaign: Looking Back on a Breakthrough Year: The campaign behind the CMA statutory defence push reviews 2025's wins and the road ahead for researcher protections in the UK.
- Bugcrowd: How Lazy Hacking Killed Curl's Bug Bounty: A hacker's perspective on AI slop reports, incentive misalignment, and what the curl closure means for vulnerability disclosure programs.
Friends of disclose.io
DEF CON 34 Policy Track: Call for Papers Now Open
The DEF CON 34 Policy Track is accepting submissions through May 1, 2026. The conference runs August 6-9 at the Las Vegas Convention Center and the policy track offers 25-minute, 50-minute, and 80-minute slots across talk, interview, panel, and interactive session formats.
The policy track has consistently been one of the best venues for bridging the gap between the security research community and policymakers. If you're working on VDP policy, researcher protections, AI governance, or any of the issues covered in Policy Pulse, this is the place to bring that work to the community.
Submit via OpenConf at defcon.net. Final abstracts and bios are due June 15 for accepted speakers.
Policy Pulse is a weekly bulletin from disclose.io. Keeping the security research community informed on policy that affects our work.
Have a tip or want to contribute? Reply to this email, reach out on Twitter/X, or drop a comment here!