2022 FreeHour ethical hacking case
The 2022 FreeHour ethical hacking case refers to a legal and cybersecurity controversy in Malta involving three University of Malta computer science students – Michael Debono, Giorgio Grigolo, and Luke Bjorn Scerri – and their lecturer, Mark Joseph Vella. The group identified critical security vulnerabilities in FreeHour, Malta’s most popular student timetable management application, and reported them to the company through ethical hacking practices. Instead of receiving recognition or a standard "bug bounty" reward, the students faced criminal charges under Malta’s Computer Misuse Act, sparking national debates about cybersecurity laws, academic freedom, and ethical hacking protections.[1][2][3]
Background
FreeHour
Developed by entrepreneur Zach Ciappara, FreeHour became Malta’s dominant student app by 2022, with features for class scheduling, social event organization, and university resource sharing. Its rapid adoption by over 90% of Maltese tertiary students made it a critical piece of educational infrastructure. However, the app’s technical architecture had not undergone independent security auditing prior to the incident.[4][3]
Ethical hacking context
Ethical hacking, or "white hat" security research, involves proactively identifying system vulnerabilities to prevent malicious exploitation. International tech companies like Google and Microsoft operate formal bug bounty programs, offering financial rewards and legal protections to researchers who follow responsible disclosure protocols. Malta lacked specific safe harbor laws for ethical hackers in 2022, leaving researchers vulnerable to prosecution under broad computer crime statutes.[4][3]
Discovery of vulnerabilities
In October 2022, during a routine cybersecurity exercise, the students identified multiple critical flaws in FreeHour's API architecture. Forensic analysis revealed:
- Unauthenticated Endpoints: Certain administrative API routes lacked proper authentication checks, allowing any user to execute privileged operations.[4]
- Data Exposure: User records including phone numbers, email addresses, and class schedules could be retrieved through parameter manipulation.[4][5]
- Injection Vulnerabilities: Missing input sanitization enabled potential SQL and command injection attacks.[4]
To validate their findings, Grigolo temporarily modified a non-essential app feature, immediately reverting it after capturing proof-of-concept evidence. The group documented their methodology and prepared a disclosure report following ISO/IEC 29147 guidelines for vulnerability handling.[1][3][6]
Legal proceedings
Arrests and charges
On November 3, 2022, armed police conducted simultaneous raids on the students’ residences:
- All electronic devices (laptops, phones, IoT devices) were seized
- Subjects underwent strip searches at police headquarters
- Initial 48-hour detention without access to legal counsel[1][4][5][7]
Disclosure and initial response
On October 15, 2022, the students emailed FreeHour's founder detailing the vulnerabilities, accompanied by:
- Technical documentation of the flaws
- Step-by-step reproduction guides
- Recommended mitigation strategies
- A request for a bug bounty payment commensurate with industry standards
Lecturer Mark Vella proofread the disclosure email but did not participate in the technical research. FreeHour's legal team responded by filing a criminal complaint with the Malta Police Cybercrime Unit on October 18, invoking Article 337 of Malta’s Criminal Code regarding unauthorized computer access.[1][4][5]
Charges filed in February 2024 included:
| Defendant | Charges | Maximum Penalty |
|---|---|---|
| M. Debono | Computer misuse (Art. 337(1)), Obstruction of computer system (Art. 337(3)) | 4 years imprisonment |
| G. Grigolo | Unauthorized data modification (Art. 337(2)), Unlawful data copying (Art. 337(4)) | 6 years imprisonment |
| L.B. Scerri | Computer misuse (Art. 337(1)), Conspiracy to commit cybercrime (Art. 335D) | 4 years imprisonment |
| M.J. Vella | Accomplice liability (Art. 121(2)), Extortion via electronic communications (Art. 87A(2)) | 7 years imprisonment |
The prosecution alleged that the vulnerability disclosure constituted an attempt to "extort payments through threats of public exposure".[7][6][8]
Court proceedings
First heard in March 2025 before Magistrate Marse-Ann Farrugia, the case featured:
- Prosecution Team: Inspectors Markus Cachia and Warren Muscat with AG lawyers Mauro Abela and Daniel Vancell
- Defense Counsel: Joe Giglio/Michaela Giglio (students), Michael Sciriha/Lucio Sciriha (Vella)
- Key Arguments:
All defendants pleaded not guilty, with ongoing proceedings suspended following the cabinet’s pardon recommendation on March 11, 2025.[9][3]
Reactions and impact
Academic community response
25 student organizations including KSU (Kunsill Studenti Universitarji) issued a joint statement condemning the charges as "an assault on academic freedom and cybersecurity progress". The University of Malta Academic Staff Association (UMASA) launched a legal defense fund, raising €28,000 within 72 hours.[3]
Cybersecurity industry
The Malta Information Technology Agency (MITA) revised its vulnerability disclosure policies within weeks of the case going public. Private sector impact included:
- 43% decrease in Maltese bug bounty program participation (2023 Cybersecurity Malta Report)
- Relocation of two cybersecurity startups to CyberTech Northumbria (UK).[4][3]
Political developments
The Nationalist Party proposed the Ethical Cybersecurity Research Act in January 2025, featuring:
- Safe harbor provisions for credentialed researchers
- Mandatory vulnerability disclosure programs for critical infrastructure
- Tax incentives for companies adopting ISO 30111 incident response standards.[2][3]
Technical analysis
Independent audits commissioned by the defense revealed systemic issues:
```python
# Example of flawed authentication check in FreeHour API
from django.contrib.auth.models import User
from django.http import HttpResponse, JsonResponse
from .serializers import UserDataSerializer  # the app's own serializer; import path assumed


def get_user_data(request):
    # user_id comes straight from the query string and is fully client-controlled
    user_id = request.GET.get('user_id')
    # Checks only that the record exists, never who is asking for it
    if User.objects.filter(id=user_id).exists():  # No session validation
        return JsonResponse(UserDataSerializer(User.objects.get(id=user_id)).data)
    else:
        return HttpResponse(status=404)
```
This code allowed any user to retrieve others' data by simply altering the user_id parameter. The students demonstrated that combining this with improper CORS configurations could enable cross-site scripting attacks against FreeHour's mobile client.[2][3]
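The parameter-manipulation exposure listed under "Discovery of vulnerabilities" and the snippet above are the same class of flaw: an existence check standing in for an authorization check. The following is an added example, not FreeHour's code or the students' report, that models the original lookup without Django beside a hardened handler that binds the lookup to the authenticated session; `Request`, `USERS`, `ADMINS` and the records are constructed stand-ins for the request object and ORM.

```python
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Constructed in-memory "user table" standing in for the ORM; values are fake.
USERS = {
    1: {"id": 1, "email": "alice@example.invalid", "phone": "+356 0000 0001"},
    2: {"id": 2, "email": "bob@example.invalid", "phone": "+356 0000 0002"},
}
ADMINS = {99}  # constructed: session ids allowed to read any record


@dataclass
class Request:
    params: dict = field(default_factory=dict)  # query string, attacker-controlled
    session_user_id: Optional[int] = None       # set by the framework only after login


def _parse_user_id(request: Request) -> Optional[int]:
    try:
        return int(request.params.get("user_id", ""))
    except ValueError:
        return None


def get_user_data_flawed(request: Request) -> Tuple[int, Optional[dict]]:
    """Mirrors the flaw: trusts user_id from the URL and never consults the session."""
    user_id = _parse_user_id(request)
    if user_id is None:
        return 400, None
    if user_id in USERS:  # existence check is not an authorization check
        return 200, USERS[user_id]
    return 404, None


def get_user_data_fixed(request: Request) -> Tuple[int, Optional[dict]]:
    """Hardened: require a session, then allow the read only for the caller's own
    record or for an admin session. Denials return 404 rather than 403 so the
    endpoint does not confirm which ids exist (an enumeration oracle)."""
    if request.session_user_id is None:
        return 401, None
    user_id = _parse_user_id(request)
    if user_id is None:
        return 400, None
    caller = request.session_user_id
    if user_id != caller and caller not in ADMINS:
        return 404, None
    record = USERS.get(user_id)
    return (200, record) if record is not None else (404, None)
```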
Aftermath and pardon
Presidential pardon
On March 11, 2025, Justice Minister Jonathan Attard announced the cabinet's unanimous pardon recommendation based on:
- Retrospective application of EU Directive 2023/887 on ethical hacking
- FreeHour's admission that no data breaches occurred post-disclosure
- Malta's obligation under the Cyber Resilience Act to encourage security research[4][3]
The pardon requires formal approval by President Myriam Spiteri Debono, expected by April 2025 pending constitutional review.
Impact on defendants
- Academic Restrictions: Barred from the European Cybersecurity Challenge 2023-2024, which kept the whole team from attending, including members who had no part in the FreeHour research.
- Equipment Seizures: 14 devices remained impounded for 28 months
- Psychological Effects: Diagnosed PTSD in two defendants per court-submitted medical reports.[4][3][7]
Legacy and legal reform
The case accelerated Malta’s adoption of the Convention on Cybercrime (Budapest Convention) Chapter III provisions in January 2025. Key changes included:
- Article 337bis: Exemption for security research conducted in public interest
- Bug Bounty Framework Act: Mandatory 72-hour response timelines for vulnerability reports
- Academic Research Shield: Immunity for university-affiliated cybersecurity projects[2][3]
FreeHour implemented a public vulnerability disclosure program in June 2024, awarding the original researchers a retroactive €15,000 bounty. As of March 2025, no further security breaches have been reported in the platform.[2][3]
International reactions
The case received attention from global digital rights organizations:
- Electronic Frontier Foundation called it "a textbook case of anti-security litigation"
- Europol included the incident in its 2024 Internet Organised Crime Threat Assessment
- Oxford University established a research fellowship on Mediterranean cybersecurity law reform[2][3]
Ongoing debates continue at the UN Internet Governance Forum regarding harmonization of ethical hacking regulations across civil law jurisdictions.
References
1. Galdes, Marc (2025-03-05). "Three students and lecturer charged with hacking popular student app". Times of Malta. Retrieved 2025-03-12.
2. "Cabinet recommends presidential pardon for student ethical hacking case". Times of Malta. 2025-03-11. Retrieved 2025-03-12.
3. Balzan, Jurgen. "Ethical hackers charged with unauthorised access to FreeHour app". Newsbook (newsbook.com.mt). Archived from the original on 2025-03-06. Retrieved 2025-03-12.
4. Fenech, Robert (2023-04-12). "What the hack?! Unravelling the FreeHour 'ethical hack'". BusinessNow.mt. Retrieved 2025-03-12.
5. "Lecturer and three students charged with hacking Malta's largest student app". MaltaToday.com.mt. Retrieved 2025-03-12.
6. Agius, Monique. "White hat hackers to face criminal proceedings next year". Newsbook (newsbook.com.mt). Archived from the original on 2024-08-30. Retrieved 2025-03-12.
7. "Three IT students and their lecturer to face charges after disclosing security flaw in student app". The Malta Independent. Retrieved 2025-03-12.
8. "Three students and lecturer accused of app hacking FreeHour". TVMnews.mt. 2025-03-05. Retrieved 2025-03-12.
9. "Cabinet recommends presidential pardon for student ethical hacking case". Times of Malta. 2025-03-11. Retrieved 2025-03-12.