Ethical hacking: BITS Ltd Managing Director calls for introduction of a ‘safe harbour’ framework

BITS Ltd Managing Director Ivan Bartolo on Wednesday urged authorities to introduce a “safe harbour” framework to protect researchers from legal action when they report a system vulnerability in good faith.

He was commenting following the news on Wednesday that four computer science students – Giorgio Grigolo, Michael Debono, Luke Bjorn Scerri and Luke Collins – were arrested, strip-searched, and had their machines confiscated by the police after informing student app FreeHour about a security flaw that left its users’ data unprotected. The students claimed that through the vulnerability, private data could have been leaked, yet instead they opted to email the company to inform them about it in October 2022. They gave the company a three-month deadline to fix the vulnerability should it not want the information to become public, and also requested a “bug bounty”.

However, the students are now under criminal investigation in a case that could see them imprisoned for up to four years and fined €23,293. On the other hand, FreeHour has since argued that it was legally obliged to report the incident to the Cyber Crime Unit within the Malta Police Force and the Information and Data Protection Commissioner under GDPR law.

“Our intent – and this is very genuine – was to cover us legally. We would be breaking the law if we did not report. Our intent was never to get these students in trouble or go after them,” FreeHour Founder and CEO Zach Ciappara said.

Mr Bartolo, who is also a National Party Member of Parliament, remarked that cybersecurity is “one of the hottest topics, and Malta has also experienced some high-profile cyber security incidents over the past months”.

“Ethical hackers, also known as white-hat security researchers, play a crucial role in the cybersecurity ecosystem,” he said.

He explained that “in contrast with bad actors and criminals who exploit vulnerabilities for malicious purposes, ethical hackers use their knowledge and skills to identify vulnerabilities in computer systems and networks with the sole goal of improving security”.

“If currently our laws are not flexible enough to make this distinction, we need to act now and introduce a ‘safe harbour’ framework which would provide protection from legal action when a researcher identifies a vulnerability and reports it in good faith to the responsible organisation,” Mr Bartolo outlined.

He said that security researchers have “always feared” that they could face legal repercussions just for being “good Samaritans”, yet he noted that they now know it is a “concrete reality”.

“Retaining top students in Malta is already a challenging task, and with the growing threat of cybersecurity incidents, it has become even more critical to cultivate a skilled workforce capable of safeguarding our digital infrastructure,” he remarked.

He concluded by saying: “It is imperative that we create a system that encourages and develops a talented pool of cybersecurity professionals who can effectively protect our digital assets.”

Mr Bartolo has over 25 years of experience in the ICT industry, and in 2000 he set up 6PM, an established IT and software solution group that employed over 150 technology consultants in Malta, England, Ireland, and North Macedonia. The company has since been acquired by Idox plc and is listed on the London Stock Exchange.