Student application FreeHour said it is “exploring ways to help” four students who exposed a security flaw in its system.
“After hearing the students’ perspective over the past few days and understanding their intentions, it has become clear that there was no malicious intent,” the company said in a statement posted to Instagram on Saturday.
“FreeHour is now exploring ways... to help the four students, including reaching out to the relevant authorities.”
The students’ intentions “need to be recognised and taken into consideration,” the company wrote, and said it is committed to lobbying for a change in national policy regarding the disclosure of software vulnerabilities.
Malta’s legislation on cybercrime may need to be looked at and possibly updated, the company said.
On Wednesday, Times of Malta reported that four computer science students were being investigated by police after they found and highlighted a security weakness in Malta’s largest student application.
In October, Giorgio Grigolo, Michael Debono, Luke Bjorn Scerri and Luke Collins emailed FreeHour to inform the company of the security flaw and request a reward – or ‘bug bounty’ – a common practice in ethical or ‘white hat’ hacking.
Instead, they were arrested, strip-searched and had their computer equipment confiscated. Despite being told their possessions would be returned to them within a week, they are still waiting for them.
Since the issue hit the headlines, fellow students have taken to social media to vent their anger at the company for the way the four have been treated.
“FreeHour? More like FreeData,” one user said.
Saturday’s Instagram post follows a video posted to the social media platform earlier this week showing FreeHour CEO Zach Ciappara defending the company’s decision to report the students to the police.
“Our intent, and this is very genuine, our intent was to report this to cover us legally,” Ciappara had said on Wednesday.
In Saturday’s post, however, the company said it had interpreted the request for a reward in the students’ original email as a possible threat.
“Given the information at hand, this had us questioning whether or not FreeHour was being threatened, therefore we consulted legally to get guidance on how the matter should be handled,” the company said.
FreeHour stressed it has no say on the outcome of the police investigation, but said it hoped its statement would have a “significant impact on the outcome” of the case.
In comments responding to the post, some users questioned why this had not been the company's initial response while others dismissed FreeHour’s statement as “too late”.
One user defended the organisation, saying “the laws aren’t outdated, they literally hacked the free hour (sic) system without consent... I don’t get why anyone is defending them”.