The Malta Chamber of Scientists (MCS) is calling for the charges to be dropped in an ongoing ethical hacking case, in which four students exposed a security flaw in the FreeHour app – an app which lets students share their timetable with their friends and get student discounts.

The MCS said that “ethical hacking plays a critical role in cybersecurity by identifying vulnerabilities in software, applications, and online services before they can be exploited by malicious actors.”

They went on to say that “Michael Debono, Giorgio Grigolo, Luke Bjorn Scerri, Luke Collins, and their lecturer Dr Mark Joseph Vella, exposed security flaws in the FreeHour app, thereby safeguarding the personal data of all students who use the platform.

“By alerting FreeHour, rather than exploiting the vulnerabilities found or making these flaws public, it is clear that these students and lecturer were acting in good faith, and their actions have likely prevented the misuse of sensitive data.”

The MCS closed off its statement by saying that, for these reasons, it believes that the charges brought against the students and their lecturer should be dropped.

The situation

In October 2022, the students were scanning through the software of the FreeHour app when they found a vulnerability they say could be exploited by malicious hackers.

This vulnerability meant that the user’s data could be leaked.

In the e-mail they sent to FreeHour, the students mentioned that they may be able to claim a bug bounty for their efforts – bug bounties are prizes that companies offer when people notify them of mistakes or bugs in their software.

After sending the e-mail to FreeHour, Mr Scerri, Mr Grigolo and Mr Debono were arrested at their homes and taken into custody, where they were strip-searched and questioned. Mr Collins was questioned when he returned to Malta from England, where he was studying for his PhD.

The charges

The charges were leaked on 30th August by Mark Camilleri.

That same day, Michael Debono reposted on his social media the original e-mail that was sent to FreeHour, in the hope that people would stop saying that the students requested money. “I’m genuinely exhausted from this whole situation,” he said, and added that the incident “should have been resolved over a table in a day with FreeHour and the police.”

FreeHour’s side

FreeHour has argued that it was legally obliged to report the incident to the Cyber Crime Unit within the Malta Police Force and the Information and Data Protection Commissioner.

FreeHour went on to say that it has shifted its focus to “addressing the vulnerabilities that the students exposed with our third-party software development company with immediate effect.”

The laws of white hat hacking in Malta

In April of last year, BusinessNow.mt reached out to a qualified information security specialist who lamented Malta’s lack of safe harbour provisions – laws which protect ethical hackers and cater for the finding and reporting of cyber vulnerabilities.

However, things seem to be changing, as in an interview on One Radio held on Sunday (yesterday), Prime Minister Robert Abela said that on Tuesday (tomorrow), the Cabinet will discuss a policy drafted by the Malta Digital and Innovation Authority (MDIA) aimed at protecting ethical hackers.
