Ivan Bartolo / LinkedIn

BITS Ltd Managing Director Ivan Bartolo on Wednesday urged authorities to introduce a “safe harbour” framework to protect researchers from legal action when they report a system vulnerability in good faith.

He was commenting following the news on Wednesday that four computer science students – Giorgio Grigolo, Michael Debono, Luke Bjorn Scerri and Luke Collins – were arrested, strip-searched, and had their machines confiscated by the police after informing student app FreeHour about a security flaw that left its users’ data unprotected. The students claimed that through the vulnerability, private data could have been leaked, yet instead they opted to email the company to inform them about it in October 2022. They gave the company a three-month deadline to fix the vulnerability should it not want the information to become public, and also requested a “bug bounty”.

However, the students are now under criminal investigation in a case that could see them imprisoned for up to four years and fined €23,293. On the other hand, FreeHour has since argued that it was legally obliged to report the incident to the Cyber Crime Unit within the Malta Police Force and the Information and Data Protection Commissioner under GDPR law.

“Our intent – and this is very genuine – was to cover us legally. We would be breaking the law if we did not report. Our intent was never to get these students in trouble or go after them,” FreeHour Founder and CEO Zach Ciappara said.

Mr Bartolo, who is also a National Party Member of Parliament, remarked that cybersecurity is “one of the hottest topics, and Malta has also experienced some high-profile cyber security incidents over the past months”.

“Ethical hackers, also known as white-hat security researchers, play a crucial role in the cybersecurity ecosystem,” he said.

He explained that “in contrast with bad actors and criminals who exploit vulnerabilities for malicious purposes, ethical hackers use their knowledge and skills to identify vulnerabilities in computer systems and networks with the sole goal of improving security”.

“If currently our laws are not flexible enough to make this distinction, we need to act now and introduce a ‘safe harbour’ framework which would provide protection from legal action when a researcher identifies a vulnerability and reports it in good faith to the responsible organisation,” Mr Bartolo outlined.

He said that security researchers have “always feared” that they could face legal repercussions just for being “good Samaritans”, yet he noted that they now know it is a “concrete reality”.

“Retaining top students in Malta is already a challenging task, and with the growing threat of cybersecurity incidents, it has become even more critical to cultivate a skilled workforce capable of safeguarding our digital infrastructure,” he remarked.

He concluded by saying: “It is imperative that we create a system that encourages and develops a talented pool of cybersecurity professionals who can effectively protect our digital assets.”

Mr Bartolo has over 25 years of experience in the ICT industry, and in 2000 he set up 6PM, an established IT and software solution group that employed over 150 technology consultants in Malta, England, Ireland, and North Macedonia. The company has since been acquired by Idox plc and is listed on the London Stock Exchange.

Featured Image:

BITS Ltd Managing Director Ivan Bartolo / LinkedIn

ClearFlowPlus green bond issue ‘marks the beginning of an exciting phase,’ says Chairman

25 April 2024
by Fabrizio Tabone

While the Water Services Corporation subsidiary reported a decrease in pre-tax profit, Vincent Micallef still says 2023 was a ‘milestone’ ...

‘After 19 years, I went back to where it all began’: MaritimeMT CEO Pauline Micallef visits former school

25 April 2024
by Anthea Cachia

During her visit, she shared the various opportunities for women within the maritime industry.

LinkedIn CEO calls for change in how jobs are perceived – not as titles, but sets of tasks

24 April 2024
by Fabrizio Tabone

Ryan Roslansky remarks that while in the past individuals would build their careers for stability, nowadays it is more of ...

CEO states that RS2 Group’s performance is expected to improve with a ‘stronger pipeline’ in 2024

24 April 2024
by Fabrizio Tabone

During 2023, RS2 Group registered €1.4 million in pre-tax profit, 19.1% less than in 2022.

Close Bitnami banner
Bitnami