I can personally attest to the fact that if your uninvited assessment of vulnerabilities reaches the level of gaining unauthorised access to computer systems - i.e. if you find something and check it works - you are technically in violation of the Computer Misuse Act 1990.
It's very easy to forget such laws exist because 99.99% of cybercrime goes unpunished - but that's for small victims, with hard-to-find attackers who are likely beyond the police's jurisdiction. If the 'victim' is an important government department, and you are within the police's jurisdiction, you could be one of the few people to actually face punishment - unjust though that may seem.
It's very easy to forget such laws exist because 99.99% of cybercrime goes unpunished - but that's for small victims, with hard-to-find attackers who are likely beyond the police's jurisdiction. If the 'victim' is an important government department, and you are within the police's jurisdiction, you could be one of the few people to actually face punishment - unjust though that may seem.