Government launches public consultation on policy to protect ethical hackers

The government has announced a public consultation on a national policy aimed at protecting ethical hackers.

The proposed policy suggests that owners and managers of ICT systems implement a Coordinated Vulnerability Disclosure Program (CVDP). The government clarified that while most companies would be encouraged to voluntarily adopt a CVDP, essential entities would be mandated to do so under EU law.

Minister for the Economy, Enterprise and Strategic Projects, Silvio Schembri, said that this policy means that ethical hackers will have a clear framework where they can operate legally and transparently. This, he added, will not only contribute to better ICT systems, but also the legitimisation of the industry.

The CVDP document is open for submissions until 7th October.

Why is this policy needed?

In October 2022, Michael Debono, Giorgio Grigolo, Luke Bjorn Scerri, Luke Collins, and their lecturer Dr Mark Joseph Vella, were scanning through the software of the FreeHour app when they found a vulnerability where the user’s data could be leaked. The students say that the app could be exploited by malicious hackers.

After they found the vulnerability, the students sent an  e-mail to FreeHour to alert them.

After sending the e-mail, Mr Scerri, Mr Grigolo and Mr Debono were arrested from their homes and taken into custody where they were strip-searched and questioned. Mr Collins was questioned when he returned to Malta from England, where he was studying for his PhD.

The charges that they are facing were leaked on 30th August by Mark Camilleri, and they are set to appear before Magistrate Marse-Ann Farrugia next March.

In April of last year, BusinessNow.mt reached out to a qualified information security specialist who lamented Malta’s lack of safe harbour provisions – laws which protect ethical hackers and cater for the finding and reporting of cyber vulnerabilities.