UK ISPs prohibit ethical security research activities

  • General
  • by Jacob Riggs
  • 26-08-2022
Your vote is:
4.91 of 105 votes

All major UK ISPs seem to stipulate contractual terms which specifically prohibit their customers from employing the use of their home broadband service for security testing activities, regardless of the lawful basis for those activities (such as when penetration testing and bug bounty engagements are authorised).

Below are the relevant extracts I pulled from those associated policies. If you're a UK customer of these services and engage in any bug bounty or penetration testing activities, it's likely you've already agreed to comply with these terms, and may therefore be at risk of having your home broadband service suspended for violating them.

Vodafone LogoSource: Vodafone Acceptable Usage Policy

2.  Your use of the Service


2.9   You must not use the internet to send information that has forged addresses or are deliberately constructed to adversely affect remote machines or other computer systems.

4.  Network security

4.1   You must not take any action that could inhibit or violate the network security of any person or company (including Vodafone) or that could adversely affect their use of the internet.

BT LogoSource: BT Acceptable Usage Policy

Security Violations

The BT Network may not be used to violate the security of a network, service or other system. Examples of security include hacking, cracking into, monitoring, or using systems without authorisation; scanning ports; conducting denial of service attacks; distributing viruses or other harmful software; smurf attacks; and unauthorised alteration or destruction of websites or other information.

Virgin Media LogoSource: Virgin Media Acceptable Usage Policy

5.   Your responsibilities - Virgin Media’s systems, services and equipment


5.2.   Specific prohibited acts in relation to Virgin Media’s systems, services and equipment are:


5.2.5.   attempting to circumvent user authentication or security of any host, network, or account (also known as “cracking” or “hacking”).

Sky LogoSource: Sky Acceptable Usage Policy

Do not violate anyone's systems or network security

You must not use Sky Broadband, or allow someone else to use Sky Broadband, to violate Sky’s networks’ security or any third party’s system or network security by any method including:


You must not send, receive, store, distribute, transmit, post, upload or download any materials that are designed to violate Sky Network’s security or any third party’s system or network security. Examples of such prohibited material may include (but are not limited to):


•  tools designed to compromise the security of other sites;

These terms make up the components of valid contracts, and as ISPs are in the business of making money, this raises a few questions. Do ISPs actually care what their customers do with their service? How enforcable are the relevant legal obligations in practice? Are ISPs actively monitoring customer traffic for attack characteristics? Do reports of abuse ever result in ISPs terminating services?

Such unanswered questions might incentivise security professionals to consider the wider use of commercial VPNs.


Jacob Riggs

Jacob Riggs is a senior cyber security professional based in the UK with over a decade of experience working to improve the cyber security of various private, public, and third sector organisations. His contributions focus on expanding encryption tools, promoting crypto-anarchist philosophy, and pioneering projects centred on leveraging cryptography to protect the privacy and political freedoms of others.

E3FE 4B44 56F5 69BE 76C1 E169 E3C7 0A52 9AEF DB6F

Subscribe to my Blog

I agree with the Privacy Policy terms.