Poking sticks into holes

The government's Coordinated Vulnerability Disclosure Policy (CVDP) proposal aims to create a legal framework for ethical hackers. This comes after a controversial case involving four students who exposed a vulnerability in a popular app, raising questions about the fine line between cybersecurity and criminal prosecution. Vanessa Macdonald delves into what led up to this.


The news that the police were looking into four computer science students after they found and reported a significant security vulnerability in the well-known student app FreeHour shocked the local cybersecurity community more than a year ago.

 

The students – Giorgio Grigolo, Michael Debono, Luke Bjorn Scerri, and Luke Collins – notified the app owner and asked for a 'bug bounty' for their efforts. However, instead of being rewarded for their 'responsible disclosure', as they expected, the situation was perceived as a threat, leading to the students being arrested and strip-searched, and the police seized their computer equipment.

 

Things escalated recently. Just when the students – and others involved – thought that the matter would be left to die a silent death, it was announced that three of the students and their lecturer, Mark Joseph Vella, would be charged in court in March 2025.

 

The University of Malta Academic Staff Association was shocked by the news that the lecturer would be arraigned. After all, it argued, the lecturer had already said that he provided his students with "the ethical framework" to be applied.

 

In the meantime, the University Students Council, which is committed to covering the students' legal expenses, leapt to their defence, insisting that their actions protected thousands of students from potential exploitation of their data.

 

Forum Unions Maltin (ForUM) also took a stand. It expressed concern at the whole situation, saying it posed a "serious threat" to the educational process "essential for training students to use their computer-related skills and knowledge for the benefit of the community and organisations they serve." The union pointed out that students should be adequately trained as future cybersecurity experts rather than subjected to criminal prosecution.

"Ethical hackers are the unsung heroes of our digital age."

 

Even the company at the heart of this issue, FreeHour, chimed in, saying it wanted a more "positive ending" for the students but without saying what it had in mind.

 

A media report did say that FreeHour was not advancing the court proceedings but that the police were pursuing them.

 

So what on earth happened, and could it or should it have been avoided? Is this all a storm in a teacup, or are real issues at stake? The incident highlights the complex legal and ethical landscape surrounding cybersecurity in the EU, where rapid IT developments and increased digital threats are causing concern.

 

The flurry of comments when the forthcoming legal action was announced did not go unnoticed by the government, which has since issued a consultation paper on introducing a Coordinated Vulnerability Disclosure Policy (CVDP) framework; the consultation was due to close on October 7.

 

The starting point for any discussion is why ethical hacking is needed in the first place. This is clearly outlined in the first part of the consultation paper: "ICT systems are susceptible to vulnerabilities, just like anything else in the world. These vulnerabilities may leave ICT systems prone to incidents that affect their security."

 

The issue boils down to whether a company invites ethical or 'white hat' hackers to check its IT systems or whether the hackers opt to check them unasked.

 

Of course, this is a very simplistic way of looking at it. The consultation paper aims to create a detailed and defined framework that would protect all those involved. Ostensibly, it would minimise the risk of exploitation by malicious hackers by promoting ethical reporting, but it would also open the door for 'rewards' – not only a kinder term than 'bug bounty' but also one that the consultation paper itself sets out.

 

The consultation paper was issued by the Malta Digital Innovation Authority and CSIRTMalta. Under EU law, a computer security incident response team (CSIRT) is a body that acts as a trusted intermediary between the party reporting a vulnerability and the party responsible for fixing it. CSIRTMalta would keep a register of the policies established by the companies involved and of all the Security Researchers (in other words, the ethical hackers) who would follow the National CVDP policy.

 

This is not taking place in a vacuum: Malta, like other EU Member States, is affected by the updated Network and Information Security Directive (NIS2), set to take effect by mid-October 2024. NIS2 aims to strengthen security requirements, address supply chain security, and introduce more stringent supervisory measures and harmonised sanctions across the EU.

Moreover, GDPR (General Data Protection Regulation), which has been in force since 2018, continues to enforce strict rules on data protection and the handling of personal data, placing additional responsibilities on app developers and service providers to ensure the security of their systems. Failing to secure personal data could result in substantial fines and legal consequences under GDPR, emphasising the importance of addressing vulnerabilities promptly and ethically.

 

This is great news—at least for companies committed to best practices. It should help prevent cyber-attacks and encourage more activity in the cybersecurity sector. Action is not just being taken on the legal side: entities like the Malta Digital Innovation Authority and government IT agency MITA have also promoted various successful initiatives to encourage awareness, such as the Mind the Gap programme and the Digital Shield.

 

The legal framework would apply when access is initiated by an invitation from the software owner and covered by an agreement. For example, multinational companies like Dedaub, founded by local guru Neville Grech, already use this approach.

 

Checking an app or software for potential 'holes' is beneficial for well-meaning owners, preventing them from being exploited maliciously. Indeed, some companies deliberately provide public code precisely so that it can be checked for vulnerabilities.

 

There are also platforms like the Security Alliance (SEAL), launched in February 2024 by blockchain innovators. Its emergency hotline has already disclosed numerous vulnerabilities.

So what happens when the access to an IT system is unauthorised? At present, the unauthorised access still falls foul of the Criminal Code, with potential penalties of up to four years in prison and fines of up to €23,293.

 

While the proposed policy would be promising for the future of cybersecurity, the case of the four students remains a cautionary tale. One of the students who spoke to MONEY before the legal action was announced reflected on the impact of the controversy.

 

On the downside, the winner of the annual national cybersecurity competition was one of the original four students, and he was told that he would not be able to represent Malta at the European level because the official investigation was still open.

 

On the positive side, the publicity after the police investigation has propelled the students to relative fame, meaning they have no shortage of work – as long as it is on the right side of the law!

He was also philosophical about how the four had handled the situation in 2023, saying they had "offered" the app owner three months to fix the vulnerability. However, he appreciates that things did not work out as they had thought.

 

"I think I would have done things differently and reached out to the app owner in person," the student told MONEY.

 

"But having the protection of the law – what is known as a 'safe harbour' – would boost cybersecurity, especially if researchers were affiliated with an educational institution. Alas, I still think that the concept of unauthorised access being a crime is simply out of touch with today's reality," he said.

