University of Malta students and lecturer charged for reporting security flaws in FreeHour app

Three University of Malta computer science students and their lecturer are being charged after uncovering and reporting security flaws in Malta’s largest student app FreeHour, in October of 2022.

The students, Michael Debono, Giorgio Grigolo, and Luke Bjorn Scerri, informed FreeHour with an email, about the vulnerabilities in their app, requesting a typical “bug bounty.” Instead of being rewarded, they were arrested, strip-searched, and had their equipment confiscated.

They are accused of unauthorised access, data modification, and obstruction. Their lecturer, Mark Joseph Vella, who tutored and guided them in the process, is charged as an accomplice.

The trial is set for March 2025, where all four of them will appear before Magistrate Marse-Ann Farrugia.

The charges were leaked earlier today 30th August by Mark Camiller. A few moments later, Michael Debono reposted on his social media the original email that was sent to FreeHour, in the hopes that people will stop saying that the students requested money. “I’m genuinely exhausted from this whole situation”, he said, and added that the incident “should have been resolved over a table in a day with FreeHour and the police.”

“We never imagined that a well-meaning gesture like this could escalate to such a level” wrote Luke Bjorn Scerri in the Q&A section of his website regarding the case.

The outcome of this trial could set a precedent for how ethical hackers are treated in Malta, with significant implications for the tech community at large.