A university lecturer who is facing court charges along with three of his students in a ‘white hat’ hacking case has been backed by the University of Malta Academic Staff Association (UMASA).
Mark Joseph Vella and his students Michael Debono, Giorgio Grigolo and Luke Bjorn Scerri are due to be arraigned in March, accused of gaining unauthorised access to a computer’s data, software or supporting documentation and using, copying or modifying the data, software or document.
The charges were filed after the students found and exposed security flaws in Malta's largest student application, FreeHour, two years ago. The students had e-mailed FreeHour to alert it to the security flaw and requested a reward - or ‘bug bounty’ - a common practice in ethical or ‘white hat’ hacking. But they were arrested instead and had their computer equipment seized.
The association said Vella has stated that he provided his students with the ethical framework that should be applied when discovering vulnerabilities through ethical or ‘white hat’ hacking, "thereby fulfilling his duties and responsibilities as a lecturer, and acting within the bounds of established ethical practices."
The association said that international guidelines specifically stated that before any such flaw was made public, it must be fixed - as was done in this case.
"The students resorted to a common practice when they asked for a non-monetary award for discovering these vulnerabilities. We believe that Dr Vella acted with academic integrity and in accordance with procedure," UMASA said, as it expressed solidarity and support.
Council backs students, calls for legislative reform
The University Students' Council in a separate statement later expressed solidarity with the students, insisting that their actions were aimed at protecting the data of thousands of students from potential exploitation.
The council said it had been informed that the court proceedings were being pursued by the police on an ex officio basis and not at the request of FreeHour.
The council reiterated a commitment to cover any legal expenses the students may face.
“The situation demonstrates a clear gap in Malta’s current legislative framework surrounding ethical hacking and cybersecurity, one which necessitates urgent legislative reform,” KSU said. “Legislative changes are necessary to clearly define and protect ethical hacking activities, ensuring that individuals who responsibly disclose security vulnerabilities receive legal protection and support, rather than facing negative repercussions.”